SlowMist: Key to the Theft of 20 Million OP Tokens — Transaction Replay (Released in 2022)

SlowMist
May 9, 2023

Background

On June 9, Optimism and Wintermute both issued announcements disclosing to the community the loss of 20 million OP tokens. Optimism had entrusted Wintermute to provide liquidity services for OP in the secondary market, while providing 20 million OP tokens to Wintermute. To receive these tokens, Wintermute provided Optimism with a multi-signature address. After Optimism tested two transactions and Wintermute confirmed their correctness, Optimism transferred the 20 million OP tokens to that address. After the transfer was complete, however, Wintermute discovered that it could not control the tokens, because the multi-signature address it had provided was only temporarily deployed on the Ethereum mainnet and had not been deployed on the Optimism network. Wintermute immediately initiated remedial measures, but attackers had already noticed the vulnerability and deployed the multi-signature address on the Optimism network before Wintermute did, taking control of the 20 million tokens. The question, then, is why this vulnerability occurred.

Prerequisite Knowledge

First, it is necessary to determine whether the transaction signature complies with the EIP-155 standard. A signature that complies with EIP-155 is made over the hash of nine RLP-encoded elements (nonce, gasprice, gas, to, value, data, chainid, 0, 0), which include the chainid, so its v value is {0,1} + chainid * 2 + 35. A signature that does not comply with EIP-155 is made over the hash of only six elements (nonce, gasprice, gas, to, value, data), so its v value is {0,1} + 27. Different chains define different chainids, which results in different v values. According to ECDSA, even if the r and s values are the same, the public key recovered from the signature will be different when the v value is different. Therefore, transactions that comply with the EIP-155 standard cannot be successfully replayed on other chains.

It is worth noting that EIP-2718 introduced a new transaction format, 0x02 || RLP([chain_id, nonce, max_priority_fee_per_gas, max_fee_per_gas, gas_limit, destination, amount, data, access_list, signature_y_parity, signature_r, signature_s]), during the Ethereum London upgrade. In this format the chainid is encoded as a separate field and is no longer included in the signature v value, which only serves as a simple parity check. Therefore, the v value obtained from a current transaction signature is 0 or 1.
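The v-value rules above can be turned into a check that a signer or reviewer runs on a signed transaction to see whether it is bound to one chain. This is an added example, not code from SlowMist or go-ethereum; the function names and the sample transactions (dummy r and s values) are constructed for illustration, and it handles only legacy transactions and the 0x02 format quoted above.

```python
# Added example: classify a signed raw transaction by its replay protection.
# All sample transactions at the bottom are constructed, not real ones.

def rlp_decode(data, pos=0):
    """Decode the RLP item at pos; return (item, next_pos)."""
    b = data[pos]
    if b < 0x80:                       # a single low byte is its own encoding
        return data[pos:pos + 1], pos + 1
    if b < 0xc0:                       # byte string, short or long form
        if b < 0xb8:
            start, n = pos + 1, b - 0x80
        else:
            start = pos + 1 + (b - 0xb7)
            n = int.from_bytes(data[pos + 1:start], "big")
        return data[start:start + n], start + n
    if b < 0xf8:                       # list, short form
        start, n = pos + 1, b - 0xc0
    else:                              # list, long form
        start = pos + 1 + (b - 0xf7)
        n = int.from_bytes(data[pos + 1:start], "big")
    items, end = [], start + n
    while start < end:
        item, start = rlp_decode(data, start)
        items.append(item)
    return items, end

def replay_protection(raw_hex):
    """Return (kind, chain_id); chain_id None means no chain binding."""
    raw = bytes.fromhex(raw_hex[2:] if raw_hex[:2] == "0x" else raw_hex)
    if raw[0] == 0x02:                 # typed format: chain_id is field 0
        fields, _ = rlp_decode(raw, 1)
        return "typed-0x02", int.from_bytes(fields[0], "big")
    fields, _ = rlp_decode(raw)
    if not isinstance(fields, list) or len(fields) != 9:
        raise ValueError("not a signed legacy transaction")
    v = int.from_bytes(fields[6], "big")
    if v in (27, 28):                  # six-element hash: valid on any chain
        return "legacy-unprotected", None
    if v >= 35:                        # v = {0,1} + chainid * 2 + 35
        return "legacy-eip155", (v - 35) // 2
    raise ValueError("unexpected v value %d" % v)

# Constructed samples: nonce 3, empty `to` (contract creation), dummy r and s.
SIG = "a0" + "11" * 32 + "a0" + "22" * 32
BODY = "f84d03018252088080826000"
PRE_155 = BODY + "1b" + SIG            # v = 27
EIP155_MAINNET = BODY + "25" + SIG     # v = 37, chain id 1
TYPED = "02f850010301028252088080826000c080" + SIG
```

A result of `legacy-unprotected` means the same signed bytes are valid on any chain that accepts pre-EIP-155 transactions, which is the property the incident depended on.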

Transaction Replay

With the transaction signature construction above in mind, it is clear that a signature with a v value of 27 or 28 can be replayed on different chains. How is a transaction replayed on a different chain? It is no different from sending a transaction: the raw transaction content is simply sent on the other chain.

Taking the theft of 20 million OP tokens from Wintermute as an example, the attacker replayed the transaction of deploying the Gnosis Safe Factory contract in this incident. Here, we attempt to replay the transaction with nonce 3 of Gnosis Safe Deployer 3.

One relatively simple method is to first obtain the original transaction through Etherscan:

Then, simply send it through the Optimistic eth_sendRawTransaction RPC interface.

If the original transaction content cannot be obtained directly, we can first obtain the transaction content through the eth_getTransactionByHash RPC interface.

Then, we can obtain the raw transaction content by encoding the transaction content in RLP format:

Then, the transaction can be sent using the Optimistic eth_sendRawTransaction RPC interface.

Reference:

https://eips.ethereum.org/EIPS/eip-155

https://eips.ethereum.org/EIPS/eip-2718

https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm

https://github.com/ethereum/go-ethereum/blob/master/core/types/transaction_signing.go

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.

Website: https://www.slowmist.com
Twitter: https://twitter.com/SlowMist_Team
GitHub: https://github.com/slowmist/
