Jump Crypto collaborates with Oasis to successfully recover 120,000 ETH stolen from Wormhole in 2022

JON RICE et al.
2023-02-26 09:17:36
One of the largest security incidents in the cryptocurrency industry to date.

Author: JON RICE & DAN SMITH

Translator: Odaily Planet Daily Translator | Nian Yin Si Tang

In a collaborative effort between Jump Crypto and Oasis, the hacker who attacked Wormhole in February 2022 seems to have become the "attacked."

Just over a year ago (February 3, 2022), the Wormhole cross-chain bridge was hacked, becoming one of the largest security incidents in the crypto industry. Approximately 120,000 ETH were stolen, worth up to $325 million at the time.

Subsequently, Jump Crypto announced that it would commit 120,000 ETH to cover Wormhole's losses and support the protocol's continued development. Jump Crypto stated that it believes in a multi-chain future and considers Wormhole essential infrastructure for that future, so it will continue to support Wormhole and help it grow.

Jump Crypto, based in Chicago, is the cryptocurrency division of Jump Trading and participated in the development of the Wormhole protocol.

At the time, Wormhole offered the hacker a $10 million bug bounty and a white hat agreement in exchange for returning the funds. However, this seems to have never happened.

Dave Olsen, President and Chief Investment Officer of Jump Trading Group, told Bloomberg a month later: "We are in close consultation with government resources and private resources. Many of these are experts in tracking such criminals. We will continue to fight for this. So, this is not something we will be distracted from next month or next year; this is a permanent effort."

According to on-chain analysis by Blockworks Research, Jump ultimately won this battle: the funds appear to have been recovered just three days ago.

Jump Crypto declined to comment on the investigation results, and Oasis did not respond to requests for comment.

However, Oasis issued a statement after this article was published, stating:

"On February 21, 2023, we received an order from the High Court of England and Wales requiring us to take all necessary measures to recover certain assets related to the wallet addresses involved in the Wormhole attack on February 2, 2022. This action was undertaken under court order using Oasis Multisig and a court-authorized third party as required by law.

We can also confirm that, in accordance with the court order, these assets were immediately transferred to a wallet controlled by an authorized third party. We do not retain control or access to these assets."

Blockworks Research analyst Dan Smith detailed this process:

"The transaction history indicates that Jump Crypto and Oasis collaborated to counter-exploit an upgradable Oasis contract to recover the stolen funds from the original Wormhole attackers' treasury.

The attacker continuously transferred the stolen funds through various Ethereum applications. They recently opened two Oasis treasuries and established leveraged long positions on two ETH staking derivatives. Importantly, both treasuries utilized automated services provided by Oasis.

This counter-exploit operation involved several wallets. Each address was defined and named for use throughout the analysis:

  • Oasis Multisig: 4 out of 12 multisigs that own the Oasis proxy contract.

  • Holder: Currently holds the recovered funds, seemingly belonging to Jump.

  • Sender: Responsible for executing the counter-exploit, seemingly belonging to Jump.

The process began on February 21, when the Sender was added as a signer of the Oasis Multisig. The Sender executed five transactions to advance the counter-exploit and was subsequently removed as a signer of the Oasis Multisig.

Most of the fund recovery process was executed in the third transaction from the Sender to the Oasis Multisig. To quickly summarize this transaction, the Sender "leveraged" the Oasis contract, allowing it to transfer collateral and debt from the attackers' treasury to the Sender's own treasury.

After gaining control of the attackers' treasury, a wallet identified by several analytics firms as belonging to Jump Crypto sent 80 million DAI to the Sender. These DAI were used to repay the outstanding loans of that treasury and withdraw $218 million in collateral. The recovered collateral was then sent to the Holder, where the funds currently reside.

It remains unclear whether the Sender and Holder belong to Oasis or Jump. However, the basic assumption is that Jump has control over these addresses since Jump repaid the debt to withdraw the collateral. Neither Jump nor Oasis has confirmed this.

Thus, Jump seems to have successfully countered the Wormhole attackers and recovered the ETH stolen from them a year ago. Excluding the portion of funds used to repay DAI to recover the collateral, the net gain from this counter-exploit is approximately $140 million."
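
For anyone monitoring a protocol governed by a multisig, the sequence described in the analysis above (signer added, transactions executed, signer removed) is visible in the multisig's own event history. The following is an added example, not code from the article or from Blockworks Research, that flags short-lived signers in a constructed event log; the event schema, the placeholder addresses and the 24-hour threshold are assumptions.

```python
# Added example: constructed event log, not real chain data.
# Assumed schema: (unix_time, kind, address, label), where kind is
# "owner_added", "owner_removed", or "exec" (a multisig transaction
# submitted by that address). Addresses are placeholders.
EVENTS = [
    (0,         "owner_added",   "0xLONGTERM", ""),
    (500,       "exec",          "0xLONGTERM", "routine-1"),
    (1_000_000, "owner_added",   "0xSENDER",   ""),
    (1_000_600, "exec",          "0xSENDER",   "tx-1"),
    (1_001_200, "exec",          "0xSENDER",   "tx-2"),
    (1_001_800, "exec",          "0xSENDER",   "tx-3"),
    (1_002_400, "exec",          "0xSENDER",   "tx-4"),
    (1_003_000, "exec",          "0xSENDER",   "tx-5"),
    (1_003_600, "owner_removed", "0xSENDER",   ""),
    (2_000_000, "owner_removed", "0xLONGTERM", ""),
]


def transient_signers(events, max_tenure):
    """Return signers that were added and removed within max_tenure
    seconds, with the transactions they executed while a signer."""
    added = {}     # address -> time it became a signer
    executed = {}  # address -> labels of txs executed while a signer
    findings = []
    for ts, kind, addr, label in sorted(events, key=lambda e: e[0]):
        if kind == "owner_added":
            added[addr] = ts
            executed[addr] = []
        elif kind == "exec" and addr in added:
            executed[addr].append(label)
        elif kind == "owner_removed" and addr in added:
            tenure = ts - added.pop(addr)
            txs = executed.pop(addr)
            if tenure <= max_tenure:
                findings.append({"signer": addr, "tenure": tenure, "txs": txs})
    return findings


if __name__ == "__main__":
    # Flag any signer whose whole tenure lasted under 24 hours.
    for f in transient_signers(EVENTS, max_tenure=86_400):
        print(f"{f['signer']}: signer for {f['tenure']}s, executed {f['txs']}")
```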

Cross-chain bridge attacks have resulted in some of the largest thefts in the crypto industry, including the Ronin hack, which led to a loss of $540 million and was later believed to have been perpetrated by the North Korean hacker group Lazarus.

However, transparent, open, permissionless public blockchains are proving to be the "secret weapon" in combating financial crime.

The ethical and even legal issues surrounding attacks on hackers may spark debate in the future. But for now, Jump Crypto seems to have gained an additional $140 million compared to last week.

Meanwhile, a hacker may be quietly regretting missing the opportunity to receive a $10 million bug bounty and a "get out of jail free" card.
