$160M Wintermute Hack Becomes Fifth Largest DeFi Exploit of 2022

Wintermute CEO, Evgeny Gaevoy has confirmed that the multi-million-dollar Wintermute hack may has been linked to a critical bug in the Ethereum vanity address-generating tool called Profanity.

Wintermute, a crypto asset algorithmic market maker, was on Tuesday hit by $160 million in its DeFi operations, according to founder and CEO Evgeny Gaevoy. More than 90 assets of different values were stolen, he said.

The hack comes a few days after 1inch flagged Profanity-generated addresses as high risk.

Profanity is a tool that lets Ethereum users create “vanity addresses” – personalized wallet addresses that contain human-readable messages, which make transfers easier.

Profanity bug leads to wallet breach

Binance CEO, Changpeng Zhao posted on Twitter that the Wintermute exploit looked “like Profanity-related” but did not explain how.

“If you used vanity addresses in the past, you might want to move those funds to a different wallet,” he cautioned.

Polygon chief information security officer Mudit Gupta corroborated the allegations with evidence.

“I took a quick look and my best guess is that it was a hot wallet compromise due to the Profanity bug that was publicly disclosed a few weeks ago,” Gupta said in a blog post.

“The vault only allows admins to do these transfers and Wintermute’s hot wallet is an admin, as expected. Therefore, the contracts worked as expected but the admin address itself was likely compromised,” he said, adding:

“The admin address is a vanity address (starts with a bunch of zeroes) which might have been generated using the famous but buggy vanity address generating tool called Profanity.”

Crypto security company Certik also explained how the attack was carried out. “The exploiter used a privileged function with the private key leak to specify that the swap contract was the attacker-controlled contract,” the blog post read.

Vanity addresses are supposed to be impossible to replicate but hackers have found a way to reverse calculate these codes, accessing millions of dollars.

Wintermute CEO, Evgeny Gaevoy later confirmed that hack was linked to Profanity. Evgeny was breaking down the incident. “The attack was likely linked to the Profanity-type exploit of our DeFi trading wallet. We did use Profanity and an internal tool to generate addresses with many zeroes in front. Our reason behind this was gas optimization, not “vanity” he stated in a Twitter thread.

Warning ignored?

Wintermute’s hack comes a few days after DEX aggregator 1inch Network issued a warning that people whose accounts are connected to Profanity were not safe. The firm discovered a vulnerability in the popular vanity address tool, which put millions of dollars in user money at risk.

“Transfer all of your assets to a different wallet as soon as possible,” 1inch warned at the time. “If you used Profanity to get a vanity smart contract address, make sure to change the owners of that smart contract.”

Evgeny Gaevoy, the Wintermute CEO, confirmed late Tuesday “the attack was likely linked to the Profanity-type exploit of our DeFi trading wallet.”

He said “we did use Profanity and an internal tool to generate addresses with many zeroes in front. Our reason behind this was gas optimization, not ‘vanity’. The DEX has since “moved to a more secure key generation script.”

“As we learned about the Profanity exploit last week, we accelerated the ‘old key’ retirement,” Gaevoy averred.

The developer behind Profanity, known on Github as “johguse”, admitted that the tool was in its current form very risky.

“I strongly advise against using this tool in its current state. The code will not receive any updates and I’ve left it in an uncompilable state. Use something else!” johguse wrote on Github.

The Wintermute attack is not the first time codes have been manipulated to steal user funds. Earlier this month, hackers stole more than $3.3 million in ETH from several Profanity-related wallet addresses using the same method, according to crypto sleuth ZachXBT.

The $160 million Wintermute exploit makes it only the fifth largest DeFi hack in 2022. The exploit falls behind several key exploits this year, most notably, the $550 million Ronin Bridge hack from March this year.

#PeckShieldAlert Wintermute has lost ~$160M, making it come to #5 on our 2022 DeFi exploit leaderboard
In this incident, exploiters immediately put the most stables into 3CRV pool to avoid blacklisting, while ~50% of Top 10 exploiters transferred to Mixer before Tornado sanction pic.twitter.com/RxMPOIypSz

— PeckShieldAlert (@PeckShieldAlert) September 21, 2022

For Be[In]Crypto’s latest Bitcoin (BTC) analysis, click here.

The post $160M Wintermute Hack Becomes Fifth Largest DeFi Exploit of 2022 appeared first on BeInCrypto.

Related Posts

‘Trading Like a Lehman Moment’ — Credit Suisse, Deutsche Bank Suffer From Distressed Valuations as the Banks’ Credit Default Insurance Nears 2008 Levels

It’s been more than a decade since the financial crisis in 2007-2008 when Lehman Brothers, the fourth largest investment bank in the U.S., collapsed and filed bankruptcy….

These Crypto Executives Have Stepped Down Since the Market Crash in May

Change is in the air as the crypto space continues to see top executives step down from their roles amid the market crisis that stemmed from the…

Bitcoin Price Analysis: Sideways Action Continues, Breakout Could Lead Huge Move

Bitcoin has yet to make a decisive move in any direction as the primary cryptocurrency continues to wrestle with the $18K support level. A bearish breakout below…

Aequinox Token Sale Session Now Available on P2PB2B Exchange

On the P2PB2B exchange, the Aequinox token sale session has already begun. Until October 8, you can purchase the tokens and sign up for the project’s community….

How to Purchase NFTs on Coinbase NFT Marketplace

Unlike cryptocurrencies, NFTs can’t be purchased on any open crypto market; you can either create one yourself by minting it on a blockchain or purchase it on…

OpenSea Recorded $144.5M in Revenue in Q3, With Creators Benefitting 76% of Funds

OpenSea earned $144.5 million in fees from users, with most of the money going to creators, according to Token Terminal. In a tweet, Token Terminal disclosed that…

Generated by Feedzy