Crypto Casefiles: Wintermute Hack

By Brick Frog
Published February 13, 2023. Last updated: 2023/03/10 at 12:43 AM

Welcome back to another Crypto Casefiles. In this installment, we’ll cover the hack suffered by Wintermute and how Profanity and vanity led to a $160 million exploit in which more than 90 assets of different values were stolen.

Contents
  • The Set Up
  • The Exploit
  • The Getaway
  • What can we learn from this?

Target | Date | Amount Stolen | Type of Attack
Wintermute | 20/09/2022 | $160 million | Private Key Compromised

The Set Up

Wintermute is an algorithmic trading firm for digital assets and cryptocurrencies. According to their website, they create liquid and efficient markets on over 50 centralized and decentralized trading platforms and off-exchange.

The firm suffered a slightly embarrassing mishap earlier in the year when it accidentally sent $15 million of Optimism tokens to the wrong address. Luckily for Wintermute, the tokens were eventually returned by the recipient. 

The Profanity tool is a vanity wallet address generator. Vanity wallets are custom-made crypto addresses that contain a memorable string of characters for easy identification. For example, a person might create a vanity address that contains their initials. Profanity also lowers transaction costs for accounts using the addresses it generates, which is the primary reason that Wintermute was using the tool.

Less than a week before the hack occurred, 1inch published a Medium article detailing an apparent attack avenue against users of the vanity-generating tool. The gist of the problem: someone with enough computing power can generate all the possible keys or passwords created for a Profanity vanity address. Then they can scan the associated accounts to see how much money they hold and steal the funds.

Profanity had already been part of the news cycle that month, with one wallet taking advantage of a weakness in the key generation process to access and drain $3.3M+ in tokens from various users’ wallets.

The Exploit

On September 20th, 2022, Evgeny Gaevoy, the founder and chief executive of Wintermute, disclosed in a series of tweets that the firm’s decentralized finance operations had been hacked.

Short communication on the ongoing Wintermute hack

— wishful cynic (@EvgenyGaevoy) September 20, 2022

Gaevoy did not provide details about how the hacker managed to steal the funds, but some crypto experts suggest that the attacker likely exploited a bug in Profanity.

The Wintermute attack was likely enabled by a defect in Profanity’s algorithm. In a departure from the usual smart contract exploits, this defect allowed an attacker to directly target compromised private keys of Wintermute users.

In secure cryptographic practice, random values such as private keys are created with a cryptographic pseudorandom number generator (CPRNG) seeded with a random value. Profanity, however, seeded its CPRNG with a 32-bit number, which leaves only 2^32 (roughly 4.3 billion) possible seeds. Thus, an attacker with significant compute resources was able to brute-force their way through a Profanity address’s possible seed values and recreate the private keys. In Wintermute’s case, both their DeFi vault contract and their hot wallet are likely to be vanity addresses.
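The effect of a small seed on key strength, as an added example that is not code from Profanity or from the original article: the weak generator below produces 256-bit keys, yet the number of keys it can ever produce is bounded by the seed width. Assumptions: Python's `random.Random` stands in for the seeded generator, `toy_address` is a hypothetical stand-in for address derivation, and the seed is scaled down from 32 to 16 bits so the search runs quickly.

```python
import hashlib
import random
import secrets

# Assumption: scaled down from the 32-bit seed described above so the
# full search finishes in about a second on a laptop.
SEED_BITS = 16


def weak_private_key(seed: int) -> bytes:
    """Flawed pattern: a 256-bit key that is a pure function of a small seed."""
    return random.Random(seed).getrandbits(256).to_bytes(32, "big")


def strong_private_key() -> bytes:
    """Corrected pattern: all 256 bits come from the OS CSPRNG."""
    return secrets.token_bytes(32)


def toy_address(private_key: bytes) -> str:
    """Hypothetical stand-in for address derivation: public and one-way."""
    return hashlib.sha256(private_key).hexdigest()[:40]


def find_seed(address: str, seed_bits: int = SEED_BITS):
    """Walk every possible seed; return the one that reproduces `address`, else None."""
    for seed in range(2 ** seed_bits):
        if toy_address(weak_private_key(seed)) == address:
            return seed
    return None


if __name__ == "__main__":
    # Constructed sample: a "wallet" whose key came from the weak generator.
    secret_seed = secrets.randbelow(2 ** SEED_BITS)
    weak_addr = toy_address(weak_private_key(secret_seed))
    strong_addr = toy_address(strong_private_key())

    # The key is 256 bits long, but only 2**SEED_BITS keys can ever be produced.
    print("weak key re-derived from address:", find_seed(weak_addr) == secret_seed)
    print("strong key re-derived from address:", find_seed(strong_addr) is not None)
```

The search cost only doubles with each added seed bit, so the durable fix is to draw the entire key from the operating system's CSPRNG rather than to widen the seed slightly.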

While around $160 million has been appropriated by the hacker, Gaevoy noted that “out of 90 assets that has been hacked only two have been for notional over $1 million (and none more than $2.5M),” and that as a result there shouldn’t be a “major selloff” of assets.

The Getaway 

The hacker quickly put the stolen assets to use by first transferring $114M of assets to the 3crv pool to earn rewards. They then headed to Uniswap, burnt 650,000 WINU tokens, and found the time to mint a Radbro NFT. The funds remain in the attacker’s wallet and the 3crv pool to this day.

To speed up the damage control process, Wintermute offered the hacker a 10% bounty on the funds taken. Gaevoy said the hacker should keep $16 million and refund the balance to a Wintermute address. The bounty remains unclaimed.

Some blockchain sleuths have claimed that the hack was an inside job but Wintermute has refuted the allegations which it described as coming from “an unsubstantiated rumor from a Medium page that has factual and technical inaccuracies associated with the claims made”.

Despite the new $160 million hole in its balance sheet, Gaevoy says Wintermute is on sound financial footing, with more than $350 million in equity. For a couple of hours after the hack, the company paused its OTC trading desk, where it facilitates large trades between other parties. That desk has since resumed normal operation.

What can we learn from this?

Some tried and true security practices in crypto, such as using external hardware wallets or multi-sig applications that need to be digitally signed by multiple parties before a transaction is approved, can’t be used for the type of automated trading Wintermute does. 

“You need to sign transactions on the fly, within seconds,” says Gaevoy. So they had to invent their own tech tools and security protocols. “Ultimately, that’s the risk we took. It was calculated.” 

“It didn’t work out this year,” he admits.

In this particular case, convenience became more important than security, which led to a multi-million dollar exploit that would have bankrupted most crypto firms.
