Similar to externally owned accounts, contracts on Ethereum maintain a nonce, which is increased when they spawn new contracts with either
CREATE2. Both addresses can be predicted from either (address, nonce) or (address, salt, initcode).
This safe was created using
createProxy(masterCopy, data) which uses
CREATE that only depends on the Factory address and its nonce value. The attacker can manipulate both the master copy and data parameters, assigning themselves as the owner. This is not possible for safes created with
CREATE2 since they use the initializer (which includes the owner set) as a salt which affects the resulting address.
We can calculate that Wintermute’s safe was created at nonce 8884, and since it’s a fresh Factory, the attacker had to create all the preceding safes first. To pull this off, they created a contract which initializes 162 safes at a time, which they called 62 times, increasing the Factory’s nonce to 10,054.
This has allowed them to grab Optimism addresses for a lot of safes existing on mainnet, including a safe matching Wintermute’s address.