Oasis, a website that allows users to easily access the Maker protocol, DeFi’s oldest and largest lending protocol, is working to patch a vulnerability that allowed for the recovery of some $150M in stolen crypto.
The finality of a crypto transaction is widely considered one of several barriers to mass adoption — and simultaneously one of the biggest strengths of the technology. A transfer of crypto from one wallet to another cannot be reversed, and crypto kept in a self-custody wallet typically cannot be touched by anyone but the wallet’s rightful owner.
It means no crypto ever leaves a user’s wallet without their permission. In the event a user is tricked into granting that permission, however, they are left with no recourse.
In an exclusive interview, CEO Chris Bradbury told The Defiant that Oasis’ business model would collapse if the company were to maintain its ability to move crypto from a user’s vault without their explicit approval.
News of the reverse exploit first broke on Friday. Oasis and Jump Crypto managed to recover some $150M in crypto that was stolen last year from Wormhole, a protocol which lets users bridge assets between Solana and other blockchains.
The $320M hack was the second-largest in DeFi history at the time. But Jump Crypto, a market maker heavily invested in the Solana ecosystem, stepped in with a bailout by replacing the 120,000 ETH the hacker had stolen from Wormhole.
Wormhole, a bridge which facilitates asset transfers across seven different blockchains, got hacked on Feb. 2 to the tune of over $320M as a hacker minted 120,000 worth of a version of wrapped Ethereum on Solana. One day later, the funds are back.
More recently, the hacker opened two Oasis vaults in order to create a leveraged long position on a pair of ETH staking derivatives.
About two weeks ago, an ethical hacking group approached Oasis with some surprising news – they had found a way to take that money out of the hacker’s vaults. The reverse exploit would rely on a vulnerability they had found in Oasis’ ability to upgrade the smart contracts that manage said vaults.
Traditionally, software is a work in progress – even once a piece of software is “finished,” it is continuously upgraded, to make it more performant or secure. Think, for example, of the major operating system updates Apple asks iPhone users to download each year, and the many mini-updates it ships in between.
Upgradeable Smart Contracts
But the ability to upgrade smart contracts is controversial within the crypto industry. Any upgradeable software can be changed to benefit the user — or for the benefit of the company, the government, or some other third party.
Bradbury said upgradeability had been built into Oasis to allow the company to fix any vulnerabilities and protect user funds.
Ironically, a flaw in that part of Oasis’ software made it possible for a third party to access user funds — with Oasis’ permission. At no point could a third party exploit a user’s vault single-handedly, Bradbury stressed.
“That is impossible, and never has been possible, that a third party could access those funds,” he told The Defiant.
When presented with the proof-of-concept, he could hardly believe it.
“Our first reaction to it was like, ‘Oh, no, that’s not possible,’” he said.
The first trial run failed. Several days later, however, Oasis became confident they could recover the stolen money. It still declined to act.
Bradbury suggested Jump had sought a court order that forced Oasis’ hand. When the hacker first opened a pair of Oasis vaults, Jump asked Oasis whether anything could be done to get at the money, Bradbury said. Jump was told that it was impossible. But he went back to the company after he learned of the potential counter-exploit.
“We did not make the decision to do this,” he said. “We couldn’t be judge, jury or anything like that. We only acted on the order of the High Court.”
When the assets were withdrawn from the hacker’s vaults, they were quickly sent to a “court-authorized third party,” Oasis said in a news release on Friday. Bradbury told The Defiant that the third party was not Jump, per se, but an “affiliate of Jump.”
Reaction to the news last week was swift.
“As much as I love the Wormhole hacker getting pwned, what I don’t love is that MakerDAO’s Oasis Automation has a backdoor that let them seize assets from a user based on a court order,” tweeted Adam Cochran, a prominent DeFi participant. “What happens when US courts demand they seize from U.S. users in the future?”
Vulnerability To Be Patched
The vulnerability that made the counter-exploit possible will be patched, possibly within the next couple of days, Bradbury said. To maintain that power would be counter to Oasis’ own ethos, he added.
“If it was by design, and we were aware of it before, I’d have much more agreement and maybe sympathy to those comments,” he said. “Our entire strategy revolves around us not having access to user funds.”
But he made clear the issue of upgradeability isn’t so black and white.
“Upgradeability, it isn’t DeFi, but at the same time, if you want to get mass adoption, you need to protect your users in some way,” he said. “When we talk about getting the next million users or billion users, almost all of them aren’t going to want their money to be lost through exploits that can be avoidable.”