DeFi venture OptiFi permanently locks up $661,000 of assets in code snafu
Look who misunderstood the consequences a Solana close command
OptiFi, a decentralized options exchange using the Solana blockchain, inadvertently disabled its mainnet service with a misunderstood command and locked up some $661,000 worth of USDC 'digital dollar' tokens.
The cryptocurrency assets cannot be recovered, OptiFi said, so the plan is to manually refund affected users. Isn't technology marvelous.
"On 29th August around 0600 UTC, we had an update to our Solana program code, so our deployer tried to upgrade the OptiFi program on Solana mainnet," the crypto entity said in its postmortem analysis of the incident.
"However we accidentally used the ‘solana program close’ command, resulting in our OptiFi program on mainnet being unfortunately closed. All users' funds and open positions on OptiFi locked in PDAs, $661K in total (AMM vault, user account…) and it’s not recoverable at the moment of writing."
Essentially, this command closed an OptiFi financial program with a specific identifier and "all the users’ margin accounts, USDC tokens, option tokens, and AMMs USDC vaults are locked in where they are, because they are using PDAs [program derived accounts], which are bound to [the closed identifier]."
The irreversibility of cryptocurrency transactions – a key selling point for some – turns out to be not such a benefit for those unfairly deprived of funds.
Fortunately, for outsiders at least, 95 percent of the lost funds are said to belong to an OptiFi team member. So the entity is on the hook – voluntarily rather than due to any legal obligation – for only about $33,000.
OptiFi doesn't provide much detail about who's running things. In its documentation, the entity claims, "The core team behind OptiFi is composed of experienced entrepreneurs, including a crypto fund manager, a risk and hedging solutions expert, quant traders and seasoned Solana devs across US, Europe, and Asia."
The biz neglects to actually identify any of these ostensibly experienced entrepreneurs on its website. Its founder goes by the pseudonym Pentameal and claims to have previously managed $50 million in crypto assets out of Hong Kong.
- Crypto sleuths pin $100 million Harmony theft on Lazarus Group
- Plot to defeat crypto meltdown: Solend votes to seize, liquidate whale account
- DeFi credit scores: Coming soon to a blockchain near you
- Star loses $500,000 NFT after crooks exploit Rarible market
OptiFi's incident report includes a "Lessoned we learned harshly" [sic] section, to reassure any remaining customers that this sort of thing won't reoccur. The mea culpa is rendered in all caps, and further amplified with bold characters, to underscore the magnitude of the entity's contrition.
It says, "EVERY DEPLOYMENT NEEDS A RIGOROUS PROCESS AND SINGLE POINT FAILURE CAN BE AVOIDED. PLEASE DON’T RUSH LIKE WHAT WE DID, ESPECIALLY FOR DEFI PROJECTS."
OptiFi also presents a request to those responsible for the Solana command line tool: "There are tutorials about how to close programs and buffer accounts on Solana’s official doc website, but it doesn’t mention the potential risks of doing so. Thus, we suggest Solana officials add descriptions in the solana docs to warn the result of closing the program."
Perhaps given the recurring nature of DeFi footguns and the persistent shoddiness of software, every single interaction with crypto systems should produce the prompt, "Are you sure you want to do this?" ®