Well-known vulnerability in private keys likely exploited in $160M Wintermute hack

The vulnerability in private keys generated by the popular Profanity vanity key generator was noted in January and has already been implicated in at least one major hack.

Blockchain cybersecurity company Certik has said that a vulnerable private key was attacked in the Wintermute hack, and that a vulnerability in private keys generated by the Profanity app was likely exploited. The vulnerability has been known since at least January.

Wintermute, a U.K.-based algorithmic crypto market maker, announced the hack on Tuesday and said its over-the-counter and centralized finance operations were not affected. About $162.5 million worth of cryptocurrencies were taken. “We are solvent with twice over that amount in equity left,” Wintermute CEO Evgeny Gaevoy said in a tweet.

Certik said in a blog post that the hack was due to a leaked or brute-forced private key, and not a smart contract vulnerability:

“The exploiter used a privileged function with the private key leak to specify that the swap contract was the attacker controlled contract.”

The company added that a vulnerability in the popular Profanity vanity address generator was probably at fault in the hack.

Certik noted that decentralized exchange 1inch Network disclosed the apparent Profanity vulnerability in a Sept. 13 blog post and a subsequent warning on Twitter. 1inch users spotted the vulnerability after a suspicious airdrop took place in June. 1inch said on its blog:

“Profanity is one of the most popular tools due to its high efficiency. Sadly, that could only mean that most of the Profanity wallets were secretly hacked.”

The vulnerability was blamed for the theft of $3.3 million on Sept. 13. GitHub users spotted the issue in January 2022, which led the developer to abandon the project and then archive it on Sept. 15.


⚠️ Spoiler: Your money is NOT SAFU if your wallet address was generated with the Profanity tool. Transfer all of your assets to a different wallet ASAP!

➡️ Read more: https://t.co/oczK6tlEqG #Ethereum #crypto #vulnerability #1inch

— 1inch Network (@1inch) September 15, 2022

A private key is derived from a user’s seed phrase, which is a list of 12–24 words associated with a wallet that allows a user to recover the cryptocurrency in a wallet, even if the wallet is lost or deleted.

According to Certik, around $273.9 million has been lost this year due to compromised private keys, making the method “one of the largest attack vectors.” The Wintermute attack is by far the largest, with the Harmony Protocol hack in June coming in second at $97 million.
