Jump Crypto, the cryptocurrency arm of Jump Trading Group, recently faced one of the toughest puzzles a business can face: let a hacker get away with nearly $195 million worth of stolen Ethereum, or trade private smart contracts to unlock a refund?
The company ultimately chose the latter and implemented a counter-exploitation to empty two vaults of the Oasis vault, which is known to contain 120,000 ETH per packet.
The “counter-exploit,” as it is called, used updatable proxy models in the Oasis network to fundamentally change the underlying logic of the smart contract. This caused the hacker's vault to send funds to a new third-party wallet. This updated logic used the same limited-loss trigger that was activated by the hacker himself and granted access to the AutomationBot's storage. Jump and Oasis were then able to work together to "upgrade" the trigger to move the stolen money.
While the cashback is seen as a boon for the company, the idea that a DeFi platform could program a backdoor to move user funds could do significant reputational damage to both Jump Crypto and Oasis. If these companies can fool the wallets holding their assets, they end up controlling the assets and the network. Both parties seem to be aware of this and say very little publicly about the refund.
However, Oasis confirmed in a four-paragraph press release that the reseller's wallet funds were "immediately transferred to a wallet controlled by an authorized third party." This is possible due to a previously unknown vulnerability in the multi-admin login design. A white hat group working on resource recovery reportedly brought the previously unknown vulnerability to the firm's attention.
Jump Crypto has not confirmed its involvement in returning the stolen funds. Instead, almost everything we know about the recovery comes from public ledger data and blockchain forensics by Blockworks research analyst Dan Smith.
“Transaction history shows that Jump Crypto and Oasis worked together to prevent exploits of the renewed Oasis contract and protect funds stolen from the original Wormhole Exploiter vaults,” Smith wrote in his forensic report.
The Oasis press release notes that the reboot was based on a court order that could literally be taken as the network having its hands tied. However, given the reserved attitude of many cryptocurrency users towards government interference in the private funds of cryptocurrency users, this in itself is a mine.
Jump and Oasis are far from the only DeFi platforms that have suffered a major attack in the past year. It is estimated that at least $3.6 billion was stolen from the DeFi industry as a whole in 2022, raising questions about the inherent security of decentralized protocols and the potential use of withdrawals, as well as the ethics of such options.
The past two years have seen a steady rise in DeFi platforms on centralized exchanges. Whether the hacks or enhanced smart contracts will shake consumer confidence in the sector remains to be seen.
I have reached out to Oasis and Jump Crypto for comment and have received no response.