[UPDATED] Statement Regarding The Transactions From The Oasis Multisig on 21st Feb 2023

[UPDATED] Statement Regarding The Transactions From The Oasis Multisig on 21st Feb 2023

On 21st February 2023, we received an order from the High Court of England and Wales to take all necessary steps that would result in the retrieval of certain assets involved with the wallet address associated with the Wormhole Exploit on the 2nd February 2022. This was carried out in accordance with the requirements of the court order, as required by law, using the Oasis Multisig and a court authorised third party

We can also confirm the assets were immediately passed onto a wallet controlled by the authorised third party, as required by the court order. We retain no control or access to these assets.

Our team first became aware of the possibility to assist in the retrieval of the assets after a Whitehat group reached out to the team on the evening of Thursday 16th February 2023, that showed it would be possible to retrieve the assets and provided a Proof of Concept on how it could be achieved. What occurred on 21st February 2023 was only possible due to a previously unknown vulnerability in the design of the admin multisig access. We stress that this access was there with the sole intention to protect user assets in the event of any potential attack, and would have allowed us to move quickly to patch any vulnerability disclosed to us. It should be noted that at no point, in the past or present, have user assets been at risk of being accessed by any unauthorised party.

We are thankful to the Whitehat group for their intervention, which represents an example of how important the community is in our space at this stage. Our mission keeps being to be the most trusted place to deploy and manage your capital in DeFi.

For any enquiries, please contact press@oasis.app, however it should be noted that we will be making no further comment at this time.

[Update] March 9, 2023.

Our Automation contracts are now fully decentralized and IMMUTABLE.

We have now removed the ability to upgrade any of the contracts associated with Oasis Automation. This has been done by setting the authorized address to the 0x0, instead of the Oasis Multisig.

https://etherscan.io/tx/0x563a8cedc73c605316296f45d25de89ed647176ef536fbbdd8a78534b38cd590

For all the details, read this thread by Chris B:

https://twitter.com/chrisbducky/status/1633889732882227207


Getting help

If you have any questions regarding Summer.fi in general, you contact us at support@summer.fi or on our social media.

Summer.fi

Summer Blog

Twitter

Discord