$140 000 000 USD

FEBRUARY 2023

GLOBAL

OASIS.APP

DESCRIPTION OF EVENTS

"Borrow Dai and Multiply your exposure to crypto. Open a Maker Vault, deposit 25+ crypto collaterals. Either borrow Dai or buy additional collateral to increase your exposure. Connect a wallet to start."

 

"Oasis mission is to provide the best and most trusted entry point to deploy your capital. We are building Oasis.app to let our users benefit from all of the potential in DeFi. Our team is made of passionate thinkers and builders."

 

"Oasis is a frontend for the MakerDAO project, which was originally started as part of MakerDAO but later spun into a separate entity, though it still appears to enjoy preferred status by MakerDAO."

 

"Why were some upgradeable in the first place? Well this is a simple answer - we pride ourselves at Oasis on great UX and trust, and ultimately users want to know that 1) when they set something like automation up, they trust that it will always work for them, and 2) they are doing this to optimise or protect their funds - they don't want to lose their assets due to a bug or another hacker stealing them. So yes, we had certain contracts that were upgradeable, such as the exchange contract, so that if a bug was discovered in say 1inch, which we use to perform the swaps for automation, or perhaps a third party could pass in something that caused a risk to user funds, that we would be able to move quickly and remove this risk to users."

 

"Our team first became aware of the possibility to assist in the retrieval of the assets after a Whitehat group reached out to the team on the evening of Thursday 16th February 2023, that showed it would be possible to retrieve the assets and provided a Proof of Concept on how it could be achieved. What occurred on 21st February 2023 was only possible due to a previously unknown vulnerability in the design of the admin multisig access. We stress that this access was there with the sole intention to protect user assets in the event of any potential attack, and would have allowed us to move quickly to patch any vulnerability disclosed to us. It should be noted that at no point, in the past or present, have user assets been at risk of being accessed by any unauthorised party."

 

"On 21st February 2023, we received an order from the High Court of England and Wales to take all necessary steps that would result in the retrieval of certain assets involved with the wallet address associated with the Wormhole Exploit on the 2nd February 2022. This was carried out in accordance with the requirements of the court order, as required by law, using the Oasis Multisig and a court authorised third party."

 

"The stolen funds in question were the proceeds of the February 2022 Wormhole bridge exploit, in which attackers stole 120,000 wETH (then ~$326 million; now $192 million). After the hack, Wormhole's parent company Jump Crypto plugged the hole left by the hack with their own funds. Since then, the attackers have been moving the funds throughout the cryptocurrency ecosystem, even taking out a highly-leveraged position in Lido-staked Ether last month."

 

"We can also confirm the assets were immediately passed onto a wallet controlled by the authorised third party, as required by the court order. We retain no control or access to these assets."

 

"We are thankful to the Whitehat group for their intervention, which represents an example of how important the community is in our space at this stage. Our mission keeps being to be the most trusted place to deploy and manage your capital in DeFi."

 

"Ultimately, Jump was able to recover around $140 million via their 'counter-exploit'. While many celebrated the recovery, some were concerned about the precedent of a so-called defi platform changing a smart contract to remove funds from a wallet at the direction of a court. Some described the upgradability as a 'backdoor'."

 

"Speaking of music industry rugs promoted by “celebrities” check out $OASIS"

 

"'If they'd do it for Jump, what does that say about possible coercion via state actors?' wrote one trader on Twitter."

 

"Are they so incompetent they can't make a proper multi-sig wallet, or was this a deliberate backdoor? Either way you shouldn't be using anything made by this company."

 

"Oasis released a defensive statement, writing that their cooperation in the recovery was 'only possible due to a previously unknown vulnerability in the design of the admin multisig access', and that 'we will be making no further comment at this time'."

 

"We have now removed the ability to upgrade any of the contracts associated with Oasis Automation. This has been done by setting the authorized address to the 0x0, instead of the Oasis Multisig."

 

"Our Automation contracts are now fully decentralized and IMMUTABLE."

 

"I want to give an update on the incident involving http://Oasis.app and the wormhole exploiter that occurred on Feb 21st. I'm aware we have been quite silent on the matter, but I would like to take the opportunity to clarify a few things."

 

"This means we can no longer upgrade any of the contracts, and as such, there is no way for the multisig (or any address/contract) to perform any operations similar to the one that happened a few weeks ago again."

 

"I want to reiterate something very clearly though, that was ignored heavily on the original statement; it was never our intention, or knowledge, that we could actually perform such an operation using the upgradable contracts the way that they were used. Yes we were aware that we allowed some of our contracts to be upgradeable (more on this later), but not all of them - and the ones which were not upgradeable had multiple checks in place, as well as the users' automation parameters, which we strongly believed prevented the type of operation."

 

"What we were not aware of until Feb 16th was that the checks left open the possibility to perform the action that occurred AND still pass the immutable checks that were in place."

 

"It was a set of actions using a number of functions that we just didn't foresee. And because the main contracts that contain the checks were not upgradeable, it meant it was also not possible to just add these checks in now."

 

"So we have taken the only route we saw possible in making the 'Counter-Exploit' operation not possible again, and that is removing any ability to upgrade any of the contracts moving forward. So from now, all of the Oasis Automation contracts are fully immutable."

 

"Your funds, your choice: put your capital to work while staying in full control, with no exceptions"

Oasis, a frontend for the MakerDAO project, aimed to provide a trusted entry point for users to deploy their capital in DeFi. Users could open a Maker Vault, deposit any of 25+ supported crypto collaterals, and either borrow Dai or buy additional collateral to increase their exposure. Oasis faced controversy when a previously unknown vulnerability in the design of its admin multisig access made it possible to retrieve assets stolen in the February 2022 Wormhole bridge exploit. Following a court order, Oasis carried out the retrieval using the multisig and a court-authorized third party. The incident raised concerns about what contract upgradability means for a platform that presents itself as decentralized. Oasis responded by making its automation contracts immutable, removing the ability to upgrade any associated contracts. The platform has since rebranded as Summer Finance (summer.fi).
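The remediation Oasis describes above (setting the authorized upgrade address to 0x0 so that no multisig or other address can change the automation contracts again) is the standard way to make a proxy-based contract irreversibly immutable. The following is an added illustration written for this page, not Oasis or Summer Finance code: a minimal EIP-1967 style proxy in which only `admin` can swap the implementation, plus a `renounceAdmin()` that zeroes the admin slot. The contract name, function names and events are assumptions; the two storage slot constants are the EIP-1967 values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed example (not Oasis code): an upgradeable proxy whose upgrade
// path is controlled by a single admin address and can be given up for good.
contract RenounceableProxy {
    // EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    // EIP-1967 admin slot: keccak256("eip1967.proxy.admin") - 1
    bytes32 private constant ADMIN_SLOT =
        0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;

    event Upgraded(address indexed implementation);
    event AdminRenounced(address indexed previousAdmin);

    constructor(address implementation_, address admin_) {
        require(implementation_.code.length > 0, "impl must be a contract");
        _setSlot(IMPL_SLOT, implementation_);
        _setSlot(ADMIN_SLOT, admin_);   // in practice a multisig, as at Oasis
    }

    modifier onlyAdmin() {
        // Once the admin slot holds address(0) nobody can pass this check,
        // because msg.sender is never the zero address.
        require(msg.sender == _getSlot(ADMIN_SLOT), "not admin");
        _;
    }

    function admin() external view returns (address) {
        return _getSlot(ADMIN_SLOT);
    }

    function implementation() external view returns (address) {
        return _getSlot(IMPL_SLOT);
    }

    // The upgrade path: swaps the logic every user call is delegated to.
    function upgradeTo(address newImplementation) external onlyAdmin {
        require(newImplementation.code.length > 0, "impl must be a contract");
        _setSlot(IMPL_SLOT, newImplementation);
        emit Upgraded(newImplementation);
    }

    // Irreversible: after this call upgradeTo() reverts for every caller,
    // which is the "authorized address set to 0x0" state described above.
    function renounceAdmin() external onlyAdmin {
        emit AdminRenounced(msg.sender);
        _setSlot(ADMIN_SLOT, address(0));
    }

    fallback() external payable { _delegate(_getSlot(IMPL_SLOT)); }
    receive() external payable { _delegate(_getSlot(IMPL_SLOT)); }

    // Forward calldata to the current implementation and bubble up its result.
    function _delegate(address impl) private {
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    function _getSlot(bytes32 slot) private view returns (address a) {
        assembly { a := sload(slot) }
    }

    function _setSlot(bytes32 slot, address a) private {
        assembly { sstore(slot, a) }
    }
}
```

For a user or auditor the useful property is that immutability of this kind can be verified from outside without trusting a statement: read the EIP-1967 admin slot of the deployed proxy with `eth_getStorageAt` and confirm it is zero, and confirm that no other privileged path (for example an owner on the implementation itself, or a separate proxy admin contract) remains. Note that this toy proxy resolves its own `admin()`/`upgradeTo()` selectors before delegating, so an implementation exposing functions with the same selectors would be shadowed; production proxies use the transparent or UUPS pattern to avoid that clash.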

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.