OASIS Application Wallet Software Exploited
Oasis, a frontend for the MakerDAO project, aimed to provide a trusted entry point for users to deploy their capital in DeFi. Users could open a Maker Vault, deposit any of 25+ supported collateral assets, and either borrow Dai or buy additional collateral to increase their exposure to crypto. Oasis drew controversy in February 2023 when a previously unknown weakness in the design of its admin multisig access allowed assets stolen in the February 2022 Wormhole bridge exploit to be retrieved from the exploiter's wallet. Following an order of the High Court of England and Wales, Oasis carried out the retrieval using the Oasis multisig and a court-authorised third party. The incident raised concerns about the upgradeability of the platform's contracts and what that implies for decentralized finance generally. Oasis responded by making its automation contracts fully decentralized and immutable, removing the ability to upgrade any of the associated contracts. The platform has since rebranded as Summer Finance (summer.fi).
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11]
About OASIS.App
"Borrow Dai and Multiply your exposure to crypto. Open a Maker Vault, deposit 25+ crypto collaterals. Either borrow Dai or buy additional collateral to increase your exposure. Connect a wallet to start."
"Oasis mission is to provide the best and most trusted entry point to deploy your capital. We are building Oasis.app to let our users benefit from all of the potential in DeFi. Our team is made of passionate thinkers and builders."
"Oasis is a frontend for the MakerDAO project, which was originally started as part of MakerDAO but later spun into a separate entity, though it still appears to enjoy preferred status by MakerDAO."
"why were some upgradeable in the first place? Well this is a simple answer - we pride ourselves at Oasis on great UX and trust, and ultimately users want to know that 1) when they set something like automation up, they trust that it will always work for them, and 2) they are doing this to optimise or protect their funds - they don't want to lose their assets due to a bug or another hacker stealing them. So yes, we had certain contracts that were upgradeable, such as the exchange contract, so that if a bug was discovered in say 1inch, which we use to perform the swaps for automation, or perhaps a third party could pass in something that caused a risk to user funds, that we would be able to move quickly and remove this risk to users."
"Our team first became aware of the possibility to assist in the retrieval of the assets after a Whitehat group reached out to the team on the evening of Thursday 16th February 2023, that showed it would be possible to retrieve the assets and provided a Proof of Concept on how it could be achieved. What occurred on 21st February 2023 was only possible due to a previously unknown vulnerability in the design of the admin multisig access. We stress that this access was there with the sole intention to protect user assets in the event of any potential attack, and would have allowed us to move quickly to patch any vulnerability disclosed to us. It should be noted that at no point, in the past or present, have user assets been at risk of being accessed by any unauthorised party."
"On 21st February 2023, we received an order from the High Court of England and Wales to take all necessary steps that would result in the retrieval of certain assets involved with the wallet address associated with the Wormhole Exploit on the 2nd February 2022. This was carried out in accordance with the requirements of the court order, as required by law, using the Oasis Multisig and a court authorised third party."
"The stolen funds in question were the proceeds of the February 2022 Wormhole bridge exploit, in which attackers stole 120,000 wETH (then ~$326 million; now $192 million). After the hack, Wormhole's parent company Jump Crypto plugged the hole left by the hack with their own funds. Since then, the attackers have been moving the funds throughout the cryptocurrency ecosystem, even taking out a highly-leveraged position in Lido-staked Ether last month."
"We can also confirm the assets were immediately passed onto a wallet controlled by the authorised third party, as required by the court order. We retain no control or access to these assets."
"We are thankful to the Whitehat group for their intervention, which represents an example of how important the community is in our space at this stage. Our mission keeps being to be the most trusted place to deploy and manage your capital in DeFi."
"Ultimately, Jump was able to recover around $140 million via their "counter-exploit". While many celebrated the recovery, some were concerned about the precedent of a so-called defi platform changing a smart contract to remove funds from a wallet at the direction of a court. Some described the upgradability as a "backdoor"."
"Speaking of music industry rugs promoted by “celebrities” check out $OASIS"
"If they'd do it for Jump, what does that say about possible coercion via state actors?" wrote one trader on Twitter.
"Are they so incompetent they cant make a proper multi-sig wallet or was this a deliberate backdoor. Either way you shouldn't be using anything made by this company."
"Oasis released a defensive statement, writing that their cooperation in the recovery was "only possible due to a previously unknown vulnerability in the design of the admin multisig access", and that "we will be making no further comment at this time"."
"We have now removed the ability to upgrade any of the contracts associated with Oasis Automation. This has been done by setting the authorized address to the 0x0, instead of the Oasis Multisig."
"Our Automation contracts are now fully decentralized and IMMUTABLE."
"I want to give an update on the incident involving http://Oasis.app and the wormhole exploiter that occurred on Feb 21st. I'm aware we have been quite silent on the matter, but I would like to take the opportunity to clarify a few things."
"This means we can no longer upgrade any of the contracts, and as such, there is no way for the multisig (or any address/contract) to perform any operations similar to the one that happened a few weeks ago again."
"I want to reiterate something very clearly though, that was ignored heavily on the original statement; it was never our intention, or knowledge, that we could actually perform such an operation using the upgradable contracts the way that they were used. Yes we were aware that we allowed some of our contracts to be upgradeable (more on this later), but not all of them - and the ones which were not upgradeable had multiple checks in place, as well as the users automation parameters, which we strongly believed prevented the type of operation."
"what we were not aware of until Feb 16th was that the checks left open the possibility to perform the action that occurred AND still pass the immutable checks that were in place."
"It was a set of actions using a number of functions that we just didn't foresee. And because the main contracts that contain the checks were not upgradeable, it meant it was also not possible to just add these checks in now."
"So we have taken the only route we saw possible in making the 'Counter-Exploit' operation not possible again, and that is removing any ability to upgrade any of the contracts moving forward. So from now, all of the Oasis Automation contracts are fully immutable."
"Your funds, your choice: put your capital to work while staying in full control, with no exceptions"
The Reality
What Happened
| Date | Event | Description |
|---|---|---|
| February 16th, 2023 | Whitehat Group Report | A whitehat group contacts the Oasis team on the evening of 16 February with a proof of concept showing that assets associated with the Wormhole exploiter's wallet can be retrieved through the Oasis contracts. |
| February 21st, 2023 | Court Order Received | Oasis reports receiving an order from the High Court of England and Wales to take all necessary steps to retrieve the assets. The transactions are executed the same day using the Oasis multisig and a court-authorised third party. |
| February 24th, 2023 2:22:53 PM MST | Blog Post About Order | Oasis publishes its statement about the transactions executed from the Oasis multisig to retrieve the assets associated with the Wormhole exploit. |
| February 24th, 2023 4:26:34 PM MST | CoinDesk Article Published | CoinDesk publishes an article on the retrieval and the court order. |
| February 24th, 2023 4:53:27 PM MST | Reddit Discussion | Reddit discussion begins which doesn't reflect well on the service. "Are they so incompetent they cant make a proper multi-sig wallet or was this a deliberate backdoor. Either way you shouldn't be using anything made by this company." |
| March 9th, 2023 7:54:47 AM MST | Upgradeability Removed | Oasis removes the ability to upgrade the Oasis Automation contracts by setting the authorized address to 0x0 instead of the Oasis multisig. |
| March 9th, 2023 10:57:00 AM MST | Clarification And Patch | CEO Chris B posts a clarification: the automation contracts are now fully immutable, and the on-chain transaction is provided. |
Technical Details
Drawing on the Oasis statements quoted above: Oasis Automation consisted of non-upgradeable core contracts, which held the checks and each user's automation parameters, together with a small number of upgradeable contracts such as the exchange contract used to route swaps through 1inch. Upgrades were gated on an authorized address held by the Oasis multisig, kept so the team could react quickly to a bug in a third-party dependency. On 16 February 2023 a whitehat group supplied a proof of concept showing that a sequence of calls involving a number of functions could move the assets associated with the Wormhole exploiter's wallet while still satisfying the checks in the immutable contracts; the team says it had not foreseen this interaction. Because those checks lived in contracts that could not be upgraded, adding a check was not an option, so on 9 March 2023 Oasis set the authorized address for every Oasis Automation contract to 0x0, removing the multisig's upgrade capability entirely. The general lesson for anyone reviewing such a system is that an immutable contract is only as immutable as the dependencies it trusts: any upgradeable contract in the execution path can change what happens to funds with the key holder's cooperation, regardless of the checks that sit elsewhere.
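The structure the Oasis statements describe, immutable contracts that carry the checks while routing through an upgradeable hop, as a generic illustration in Solidity added to this page. This is not Oasis's code (none of it appears on this page); the contract names, the delegatecall proxy, the 1:1 swap rate, the blanket token allowance and the SINK address are assumptions chosen to make the mechanism visible. The per-user checks in `Automation.execute` pass unchanged against either implementation, and `renounce()` is the equivalent of the 0x0 fix described above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative pattern only, not Oasis code: an immutable automation contract that keeps the
// checks but trusts an upgradeable exchange hop. Names, proxy, 1:1 rate and SINK are assumptions.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

interface IExchange {
    function swap(address tokenIn, uint256 amountIn, address tokenOut) external returns (uint256);
}

// The upgradeable hop: whoever holds `authorized` chooses the code that runs with this
// contract's storage, balances and token allowances.
contract ExchangeProxy {
    address public authorized;      // upgrade key: a multisig at deployment, 0x0 after renounce()
    address public implementation;  // logic executed via delegatecall

    constructor(address _authorized, address _impl) {
        authorized = _authorized;
        implementation = _impl;
    }
    function upgradeTo(address newImpl) external {
        require(msg.sender == authorized, "not authorized");
        implementation = newImpl;
    }
    // The fix described on this page: set the key to 0x0. No call can come from address(0),
    // so upgradeTo() can never succeed again; authorized() == 0 is what a user should verify.
    function renounce() external {
        require(msg.sender == authorized, "not authorized");
        authorized = address(0);
    }
    fallback() external {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok case 0 { revert(0, returndatasize()) } default { return(0, returndatasize()) }
        }
    }
}

// Honest logic: pull exactly amountIn from the caller, pay out 1:1 from the proxy's reserve.
contract HonestExchange is IExchange {
    function swap(address tokenIn, uint256 amountIn, address tokenOut) external returns (uint256) {
        IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn);
        IERC20(tokenOut).transfer(msg.sender, amountIn);
        return amountIn;
    }
}

// Logic installed by an upgrade: serves the requested trade exactly as before, so every check
// in the caller still passes, but first drains the caller's whole balance via its allowance.
contract DrainingExchange is IExchange {
    address constant SINK = address(0xBEEF);  // assumed destination

    function swap(address tokenIn, uint256 amountIn, address tokenOut) external returns (uint256) {
        uint256 extra = IERC20(tokenIn).balanceOf(msg.sender) - amountIn;
        IERC20(tokenIn).transferFrom(msg.sender, SINK, extra);             // everyone's collateral
        IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn); // the honest part
        IERC20(tokenOut).transfer(msg.sender, amountIn);
        return amountIn;
    }
}

// Immutable contract holding user collateral. Its checks bound each action by the user's own
// deposit and minimum output; they say nothing about what the exchange hop does.
contract Automation {
    IExchange public immutable exchange;
    address public immutable collateral;
    address public immutable dai;
    mapping(address => uint256) public deposits;

    constructor(IExchange _exchange, address _collateral, address _dai) {
        exchange = _exchange;
        collateral = _collateral;
        dai = _dai;
        // The convenience that becomes the exposure: unlimited allowance to the upgradeable hop.
        IERC20(_collateral).approve(address(_exchange), type(uint256).max);
    }
    function deposit(uint256 amount) external {
        IERC20(collateral).transferFrom(msg.sender, address(this), amount);
        deposits[msg.sender] += amount;
    }
    // Keeper-triggered step. Both require() checks pass against DrainingExchange too.
    function execute(address user, uint256 amountIn, uint256 minOut) external {
        require(amountIn <= deposits[user], "exceeds user deposit");
        uint256 before = IERC20(dai).balanceOf(address(this));
        exchange.swap(collateral, amountIn, dai);
        require(IERC20(dai).balanceOf(address(this)) - before >= minOut, "slippage");
        deposits[user] -= amountIn;
    }
}
```

The thing a depositor can verify on chain is the upgrade key: here `authorized()` on the proxy, in a real deployment whatever owner function or storage slot gates upgrades. Once it reads the zero address the hop is as immutable as `Automation` itself. Two caveats the example makes concrete: a blanket allowance granted to an upgradeable contract is an allowance granted to whoever holds its upgrade key, and checks written against a single user's parameters cannot constrain what an arbitrary implementation does with the contract's total balance.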
Total Amount Lost
Roughly $140,000,000 USD in assets was moved out of the Wormhole exploiter's wallet through the Oasis multisig and passed to the court-authorised third party. This is the amount Jump Crypto recovered rather than a loss to Oasis users; Oasis states that user assets were never at risk of being accessed by an unauthorised party.
Immediate Reactions
Oasis published a statement on 24 February 2023 saying that the retrieval was "only possible due to a previously unknown vulnerability in the design of the admin multisig access", that the assets were immediately passed to a wallet controlled by the court-authorised third party over which Oasis retains no control, and that it would make no further comment at that time. Reaction on Twitter and Reddit was largely negative, with commentators describing the upgradeability as a "backdoor" and asking what the cooperation with Jump implied about possible coercion by state actors.
Ultimate Outcome
On 9 March 2023 Oasis removed the ability to upgrade any of the Oasis Automation contracts by setting the authorized address to 0x0 instead of the Oasis multisig, and the CEO published the on-chain transaction together with a clarification that the team had not known such an operation was possible. The platform later rebranded as Summer Finance (summer.fi).
Total Amount Recovered
Around $140 million of the assets taken in the Wormhole exploit was retrieved from the exploiter's wallet and transferred to the court-authorised third party acting for Jump Crypto. No Oasis user funds were taken in this case, so there was nothing to reimburse.
Ongoing Developments
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] https://mobile.twitter.com/funominalle/status/1506557173522137090 (Jan 13, 2023)
- [2] Oasis.app (Nov 23, 2023)
- [3] [UPDATED] Statement Regarding The Transactions From The Oasis Multisig on 21st Feb 2023 - Oasis Blog (Nov 23, 2023)
- [4] Statement Regarding The Transactions From The Oasis Multisig on 21st Feb 2023 - Oasis Blog (Nov 23, 2023)
- [5] The best place to Borrow and Earn in DeFi (Nov 23, 2023)
- [6] @chrisbducky Twitter (Nov 23, 2023)
- [7] Ethereum Transaction Hash (Txhash) Details | Etherscan (Nov 23, 2023)
- [8] About Us (Nov 23, 2023)
- [9] Per a court order, Oasis rewrites the rules for Jump Crypto to recover stolen assets (Nov 23, 2023)
- [10] Oasis Exploits Its Own Wallet Software to Seize Crypto Stolen in Wormhole Hack (Nov 23, 2023)
- [11] Oasis Exploits its Own Wallet Software to Seize Crypto Stolen in Wormhole Hack : CryptoCurrency (Nov 23, 2023)