
Wintermute Hacked - Loss of $160 Million

@kevinnag58

Most crypto investors probably had never heard of Wintermute Trading before the Sept. 20 $160 million hack, but that does not reduce their significance within the cryptocurrency ecosystem. The London-based algorithmic trading and crypto lending firm also provides liquidity to some of the largest exchanges and blockchain projects. As a crypto-native trading firm, meaning digital assets have been its core since its inception in July 2017, Wintermute’s expertise in the sector is attested by $25 million in funding from global venture capital investors like Fidelity Investments, Pantera Capital and Blockchain.com Ventures.

[Pechman, M. The impact of the Wintermute hack could have been worse than 3AC, Voyager and Celsius — Here is why. (Accessed September 22, 2022)].

"Wintermute, a cryptocurrency market maker based in the United Kingdom, became the latest victim of decentralized finance (DeFi) hacks, losing approximately $160 million, according to Evgeny Gaevoy, the company’s founder and CEO" [Hall, J. $160M stolen from crypto market maker Wintermute. (Accessed September 22, 2022)].


"Gaevoy added that there will be a slight disruption in its service over the next few days but the company will do its best to resolve the situation at the earliest. He further explained that 90 different assets were stolen, with only two of the hits worth between $1 million and $2.5 million. The takings from the remaining 88 were worth under $1 million each" [Subhasish. Crypto Market Maker Wintermute Attacked; Loses $160M. (Accessed September 22, 2022)].

"Polygon’s chief information security officer Mudit Gupta posted a tweet storm and blog post about the hack early Tuesday, saying he suspected that it was “a hot wallet compromise”" [Williams, C. Wintermute Loses $160M in Latest DeFi Hack. (Accessed September 22, 2022)]:

[Figure caption: Wintermute’s tokens being transferred to the attacker]

The attack started with https://etherscan.io/tx/0xeecba26d5eb7939257e5b3e646e4bc597b73e256a89cb84a6dfc58de250d8a38 where Wintermute’s hot wallet (https://etherscan.io/address/0x0000000fe6a514a32abdcdfcc076c85243de899b) started calling their vault contract (https://etherscan.io/address/0x00000000ae347930bd1e7b0f35588b92280f9e75) to transfer tokens out to the hacker’s contract (https://etherscan.io/address/0x0248f752802b2cfb4373cc0c3bc3964429385c26).

The vault only allows admins to do these transfers and Wintermute’s hot wallet is an admin, as expected. Therefore, the contracts worked as expected but the admin address itself was likely compromised.

The admin address is a vanity address (starts with a bunch of zeroes) which might have been generated using the famous but buggy vanity address generating tool called Profanity. Profanity has a critical bug that was disclosed by 1inch a few days ago.

Around the time that the disclosure happened, Wintermute removed all ether from this admin address (https://etherscan.io/tx/0x93716f3e3a9e3f47dec05b4df511e07e53b3e4695e84cd4f05f5d83188f3552a), which suggests that they realized it might have been vulnerable. However, they forgot to remove this address as an admin from their vault.

The attacker funded this address using their own ether (https://etherscan.io/tx/0x93eadb28e6b50e7ed14348a14cfc3c9f09618dace9c20d3f39ab3d5828e3fd21) and then used this address to pull off the heist. All of it suggests that the attacker exploited the bug in Profanity to recover the private key of this hot wallet.

[Gupta, M. Wintermute muted in crypto winter. (Accessed September 22, 2022)].
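As an added example (not part of this post or of Gupta’s write-up), a small Python audit that flags vault admin addresses whose leading-zero prefix is far too long to be accidental, as with the hot wallet above, and singles out the failure mode described: a key already drained of ether but still holding the admin role. The admin list, balances and role flags are constructed inputs; only the hot wallet address comes from the post.

```python
import re
from dataclasses import dataclass

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def leading_zero_nibbles(addr: str) -> int:
    """Count hex zeros at the start of the 40-nibble address body."""
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    body = addr[2:]
    return len(body) - len(body.lstrip("0"))


def expected_brute_force_attempts(zero_nibbles: int) -> int:
    """A random keypair lands on a k-nibble zero prefix once per 16**k tries."""
    return 16 ** zero_nibbles


def looks_vanity(addr: str, min_zero_nibbles: int = 6) -> bool:
    # 6 zero nibbles is ~1 in 16.7 million by chance: almost certainly mined
    # with a vanity generator (Profanity-style), so treat the key as suspect.
    return leading_zero_nibbles(addr) >= min_zero_nibbles


@dataclass
class AdminRecord:
    address: str
    holds_admin_role: bool  # still authorised to call the vault's transfer
    eth_balance_wei: int    # 0 once the operator has moved the ether out


def audit_admins(records: list) -> list:
    """Return one finding per vanity-looking address that still holds admin."""
    findings = []
    for r in records:
        if not r.holds_admin_role or not looks_vanity(r.address):
            continue
        drained = r.eth_balance_wei == 0
        findings.append({
            "address": r.address,
            "zero_nibbles": leading_zero_nibbles(r.address),
            "action": "REVOKE_ROLE_NOW" if drained else "REVOKE_AND_ROTATE",
            "note": ("ether removed but admin role retained" if drained
                     else "vanity admin still active and funded"),
        })
    return findings


# Constructed sample: the hot wallet from the post, plus an invented
# non-vanity admin (0x1111...1111) for contrast.
SAMPLE = [
    AdminRecord("0x0000000fe6a514a32abdcdfcc076c85243de899b", True, 0),
    AdminRecord("0x1111111111111111111111111111111111111111", True, 10**18),
]
```

Run `audit_admins(SAMPLE)` and the hot wallet comes back with 7 zero nibbles and the action `REVOKE_ROLE_NOW`; the constructed 0x1111… admin is not flagged.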

"Blockchain expert ZachXBT has managed to locate the hacker’s wallet, which held $13 million in Wrapped Bitcoin (WBTC), over $9 million worth of ETH, and $38 million in addition to other ERC-20 tokens as of Tuesday. Additionally, a significant chunk of the stolen funds – $114 million in USDC and USDT stablecoins – have been transferred to Curve Finance’s flagship 3Crv liquidity pool" [Deka, C. Crypto Market Maker Wintermute Hackers Drain $160M, Profanity Bug Suspected. (Accessed September 22, 2022)].

"In the short tweet thread, Gaevoy, a Dutch national, suggested that the hack could be treated as a white-hat hack. The perpetrator may contact Wintermute to share the vulnerabilities they discovered to avoid repeat hacks in the future. White hat hacks are common in crypto. Exchanges, market makers and sometimes companies reward hackers bounties in the form of cash or job positions" [Hall, supra].

The Wintermute hack, detailed above, should in no way be compared to the failures experienced by 3AC, Voyager and Celsius:

Whether one considers liquidity providers to be villains or heroes, their importance to the crypto industry cannot be underestimated. The current hack could have been due to mistakes exclusive to Wintermute, and for this reason, they haven’t turned manifest as an additional risk for other market makers. Traders should not compare the failure of 3AC, Voyager and Celsius to the threat of a liquidity vacuum that is driven by the exodus of the remaining arbitrage desks. There is no indication that widespread risk has emerged at the moment, but until a detailed post-mortem is issued and similar risks eliminated, traders should keep a close eye on the markets.

[Pechman, supra].

Posted Using LeoFinance Beta