Post-mortem Analysis of 20 Million OP Tokens Stolen: Contract Multisig VS MPC
06/10/2022
Last updated
By Kane & Blackk
On June 9, Optimism disclosed that an attacker had stolen 20 million of its OP tokens. The Optimism Foundation partnered with Wintermute for liquidity provisioning services and allocated 20 million of its OP tokens to them. To receive the tokens, Wintermute had to provide a multi-signature EVM address on Optimism, but the contract provided was only active on Ethereum.
It was later discovered that Wintermute could not access the tokens, because an attacker had already taken control of the 20 million tokens by deploying a multisig to that address on the Optimism network.
At the time of writing, the attacker has returned only 17 million OP tokens to Optimism.
The cause of this incident can be attributed to the following factors:
The transaction sent by the Gnosis developers that deployed the Proxy Factory 1.1.1 in 2019 did not comply with the EIP-155 specification, so its signature is not bound to any chain ID. This allowed anyone to replay that transaction and deploy Proxy Factory 1.1.1 on any EVM network. The attacker was able to exploit this because the replayed factory lands at the same contract address as the proxy factory on the Ethereum mainnet, and can therefore create proxies at the same addresses as well.
Wintermute mistakenly assumed that their multisig contract address on Optimism was the same as on Ethereum. Only a tiny amount was sent as a test, and the critical operation, transferring funds out, was never tested.
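As an added illustration (not code from the original post or from Gnosis), the following Python reproduces the two address mechanics the causes above rely on: whether a legacy transaction signature is bound to a chain ID under EIP-155, and the CREATE address derivation from (sender, nonce) alone, which is why a replayed deployment reproduces the same factory address on another chain. The sender address used in the report is a constructed placeholder.

```python
# Added example (not Safeheron's or Gnosis's code). Two facts behind the incident: a legacy
# signature's v binds a chain ID only under EIP-155 (v = 27/28 is valid on every EVM chain),
# and a CREATE address depends only on (sender, nonce), never on the chain.
MASK = (1 << 64) - 1
RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
      0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
      0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
rol = lambda v, n: ((v << n) | (v >> (64 - n))) & MASK

def keccak256(data: bytes) -> bytes:
    """Keccak-256 with the original pad10*1 padding (what Ethereum uses, not SHA3-256)."""
    st, rate = [0] * 25, 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate); buf[-1] |= 0x80
    for off in range(0, len(buf), rate):            # absorb one 136-byte block
        for i in range(rate // 8):
            st[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        for rc in RC:                               # Keccak-f[1600]: theta, rho+pi, chi, iota
            c = [st[x] ^ st[x + 5] ^ st[x + 10] ^ st[x + 15] ^ st[x + 20] for x in range(5)]
            d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
            st = [st[i] ^ d[i % 5] for i in range(25)]
            b = [0] * 25
            for x in range(5):
                for y in range(5):
                    b[y + 5 * ((2 * x + 3 * y) % 5)] = rol(st[x + 5 * y], ROT[x][y])
            st = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
                  for i in range(25)]
            st[0] ^= rc
    return b"".join(st[i].to_bytes(8, "little") for i in range(4))

def rlp(item) -> bytes:   # minimal RLP: ints, short byte strings, short lists (enough here)
    if isinstance(item, int):
        item = item.to_bytes((item.bit_length() + 7) // 8, "big")    # 0 encodes as b""
    if isinstance(item, bytes):
        return item if len(item) == 1 and item[0] < 0x80 else bytes([0x80 + len(item)]) + item
    body = b"".join(rlp(x) for x in item)
    return bytes([0xC0 + len(body)]) + body
def create_address(sender: bytes, nonce: int) -> bytes:
    return keccak256(rlp([sender, nonce]))[12:]     # no chain ID in the derivation
def signature_chain_id(v: int):
    return None if v in (27, 28) else (v - 35) // 2   # EIP-155: v = chain_id * 2 + 35/36
def deployment_report(v: int, sender: bytes, nonce: int) -> dict:
    chain = signature_chain_id(v)                    # what to check before trusting an address
    return {"address": "0x" + create_address(sender, nonce).hex(),
            "chain_id": chain, "replayable_on_any_chain": chain is None}
```

A report with `replayable_on_any_chain` set is the signal that the same contract address can be claimed on any other EVM chain by whoever replays the deployment first.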
Gnosis and other multisig contract wallets provide a solution to multi-party asset management by enabling multisig contracts on EVM chains. They offer an ideal option for fund management and enterprises, but they have several drawbacks as well:
Multisig wallet addresses differ from EOA addresses. While the private key of an EOA address corresponds to the same address on every EVM chain, this does not apply to multisig wallets on different chains. When Gnosis created the proxy wallet, it failed to consider security concerns such as the wallet's inability to guarantee the same proxy address on different EVM chains.
The contract wallet can only be used after it has been deployed on the corresponding EVM chain. Management policies such as the set of signers and the signature threshold must be configured at least once on each corresponding blockchain. All these configurations can become tedious and costly, since each one incurs a fee.
The transaction fee depends on the complexity of the policy. The more parties involved in management, the more gas it consumes.
Since multisig mechanisms are based on EVM contracts and are limited in their capabilities, they fail to provide a complete solution. To make up for the drawbacks of multisig contracts, Safeheron advises adopting MPC for multi-party asset management.
Safeheron adopts MPC signature algorithms and implements the multisig mechanism (MPC-ECDSA, MPC-Ed25519, MPC-BLS) at the level of the off-chain signature algorithm. We are able to build a safer and more effective asset management tool based on MPC and TEE technologies.
Our MPC wallet has the following features:
MPC private key shards are highly secure: they remain usable but are never exposed throughout generation, signing, refreshing, and verification.
MPC wallet addresses are EOA addresses, which are more versatile and give full control of the same address on any other EVM chain.
Our MPC wallet lets multiple parties manage assets across multiple networks, including EVM and non-EVM chains such as BTC, TRON, etc.
Policies only need to be configured once; afterward, they apply across different EVM and non-EVM chains, making them safer and more efficient.
The MPC wallet is more cost-effective. Since an off-chain multisig transaction is initiated by the EOA address, up to 90% of the transaction fee can be saved compared to multisig contracts.
Additionally, Safeheron provides numerous security checks during the transaction process, such as:
AML checks for target addresses and source addresses
WYSIWYS (What You See Is What You Sign): users can see exactly what they are signing before they sign it.
Transfer addresses require the approval of multiple parties and can only be initiated after being whitelisted.
Receive alerts on whether the target address is a contract.
...
Through this incident, we would like to remind wallet users and service providers of the following:
When choosing a wallet or building a wallet system, ensure it supports the EIP-155 specification; otherwise it could lead to serious security risks such as replay attacks.
The target address must be thoroughly examined before receiving any large amount, and its legitimacy can be confirmed by sending a small amount as a test transaction. After receiving the funds, be sure to verify that you have complete control of the wallet by transferring funds out.
When potential security risks are discovered, the transfer or control of assets should be completed right away to avoid potential loss of funds.