Web3 infrastructure firm Jump Crypto and decentralized finance (DeFi) platform Oasis.app performed a “counter exploit” on the Wormhole protocol hacker, with the duo able to recover $225 million worth of digital assets and transfer them to a secure wallet.
The Wormhole attack occurred in February 2022 and saw roughly $321 million worth of Wrapped ETH (wETH) stolen through a vulnerability in the protocol's token bridge.
The hacker has since moved the stolen funds through various Ethereum-based decentralized applications (dApps) and, via Oasis, recently opened a Wrapped Staked ETH (wstETH) vault on January 23rd and a Rocket Pool ETH (rETH) vault on February 11th.
In a February 24 blog post, the Oasis.app team confirmed that the exploit had taken place, stating that they had “received an order from the High Court of England and Wales” to retrieve certain assets that were linked to “an address associated with the Wormhole exploit”.
The team said the retrieval was initiated through “Oasis Multisig and a court-authorized third party,” which was identified as Jump Crypto in an earlier report from Blockworks Research.
The transaction history of both vaults shows that 120,695 wstETH and 3,213 rETH were moved by Oasis on February 21 and placed in wallets under the control of Jump Crypto. The hacker also owed around $78 million in MakerDAO’s DAI stablecoin, which was recovered.
“We can also confirm that the assets were immediately transferred to a wallet controlled by an authorized third party as required by the court order. We have no control or access to these assets,” the blog post said.
Addressing the negative implications of Oasis being able to retrieve crypto assets from its user vaults, the team emphasized that this was “only possible due to a previously unknown vulnerability in the design of the admin multisig access.”
The post said the vulnerability was brought to the attention of white hat hackers earlier this month.
“We emphasize that this approach was here with the sole intention of protecting user assets in the event of any potential attack and would allow us to quickly patch any vulnerability that was brought to our attention. It should be noted that at no time, past or present, have User Assets been at risk of access by any unauthorized party.”