Jump Crypto & Oasis.app counter exploits Wormhole hacker for $225M

The Web3 infrastructure firm Jump Crypto and the decentralized finance (DeFi) platform Oasis.app have conducted a “counter-exploit” against the Wormhole protocol hacker, through which the duo was able to recover $225 million in digital assets and transfer them to a secure wallet.

The Wormhole attack occurred in February 2022 and saw approximately $321 million worth of Wrapped ETH (wETH) siphoned off through a vulnerability in the protocol’s token bridge.

The hackers have since been moving the stolen funds through various Ethereum-based decentralized applications (dApps) and, through Oasis, recently opened a Wrapped Staked ETH (wstETH) vault on January 23 and a Rocket Pool ETH (rETH) vault on February 11.

In a blog post on February 24, the Oasis.app team confirmed that a counter-exploit had occurred, stating that it had “received an order from the High Court of England and Wales” to seize certain assets associated with “addresses linked to the Wormhole Exploit.”

The team stated that the takeover was initiated through “Oasis Multisig and a court-authorized third party,” identified as Jump Crypto in a previous report from Blockworks Research.

The transaction history of the two vaults shows that 120,695 wstETH and 3,213 rETH were moved by Oasis on February 21 and placed in a wallet under the control of Jump Crypto. The hackers also owe about $78 million in MakerDAO's DAI stablecoin that they took.

“We can also confirm that the assets were sent directly to a wallet controlled by an authorized third party, as requested by the court. We have no control or access to these assets,” the blog post read.

Referring to the negative implications of Oasis being able to take crypto assets from users’ vaults, the team asserted that it was “only possible due to a previously unknown vulnerability in the admin multisig access design.”

The post states that the vulnerability was highlighted by white hat hackers earlier this month.

“We emphasize that this access exists for the sole purpose of protecting user assets in the event of a potential attack, and will allow us to move quickly to patch vulnerabilities disclosed to us. It should be noted that at no point, in the past or present, have user assets been at risk of being accessed by unauthorized parties.”