$160M Wintermute Hack Becomes Fifth Largest DeFi Exploit of 2022


Wintermute CEO Evgeny Gaevoy has confirmed that the multi-million-dollar Wintermute hack may have been linked to a critical bug in the Ethereum vanity address-generating tool called Profanity.

Wintermute, a crypto asset algorithmic market maker, was hit on Tuesday by a $160 million hack of its DeFi operations, according to founder and CEO Evgeny Gaevoy. More than 90 assets of different values were stolen, he said.

The hack comes a few days after 1inch flagged Profanity-generated addresses as high risk.

Profanity is a tool that lets Ethereum users create “vanity addresses” – personalized wallet addresses that contain human-readable messages, which make transfers easier.

Profanity bug leads to wallet breach

Binance CEO Changpeng Zhao posted on Twitter that the Wintermute exploit looked “like Profanity-related” but did not explain how.

“If you used vanity addresses in the past, you might want to move those funds to a different wallet,” he cautioned.

Polygon chief information security officer Mudit Gupta corroborated the allegations with evidence.

“I took a quick look and my best guess is that it was a hot wallet compromise due to the Profanity bug that was publicly disclosed a few weeks ago,” Gupta said in a blog post.

“The vault only allows admins to do these transfers and Wintermute’s hot wallet is an admin, as expected. Therefore, the contracts worked as expected but the admin address itself was likely compromised,” he said, adding:

“The admin address is a vanity address (starts with a bunch of zeroes) which might have been generated using the famous but buggy vanity address generating tool called Profanity.”

Crypto security company CertiK also explained how the attack was carried out. “The exploiter used a privileged function with the private key leak to specify that the swap contract was the attacker-controlled contract,” the blog post read.

Vanity addresses are supposed to be impossible to replicate, but hackers have found a way to reverse-calculate these codes, giving them access to millions of dollars.

Wintermute CEO Evgeny Gaevoy later confirmed that the hack was linked to Profanity while breaking down the incident. “The attack was likely linked to the Profanity-type exploit of our DeFi trading wallet. We did use Profanity and an internal tool to generate addresses with many zeroes in front. Our reason behind this was gas optimization, not ‘vanity’,” he stated in a Twitter thread.

Warning ignored?

Wintermute’s hack comes a few days after DEX aggregator 1inch Network issued a warning that people whose accounts are connected to Profanity were not safe. The firm discovered a vulnerability in the popular vanity address tool, which put millions of dollars in user money at risk.

“Transfer all of your assets to a different wallet as soon as possible,” 1inch warned at the time. “If you used Profanity to get a vanity smart contract address, make sure to change the owners of that smart contract.”

Evgeny Gaevoy, the Wintermute CEO, confirmed late Tuesday that “the attack was likely linked to the Profanity-type exploit of our DeFi trading wallet.”

He said, “We did use Profanity and an internal tool to generate addresses with many zeroes in front. Our reason behind this was gas optimization, not ‘vanity’.” The DEX has since “moved to a more secure key generation script.”

“As we learned about the Profanity exploit last week, we accelerated the ‘old key’ retirement,” Gaevoy averred.

The developer behind Profanity, known on GitHub as “johguse”, admitted that the tool, in its current form, was very risky.

“I strongly advise against using this tool in its current state. The code will not receive any updates and I’ve left it in an uncompilable state. Use something else!” johguse wrote on GitHub.

The Wintermute attack is not the first time codes have been manipulated to steal user funds. Earlier this month, hackers stole more than $3.3 million in ETH from several Profanity-related wallet addresses using the same method, according to crypto sleuth ZachXBT.

The $160 million Wintermute exploit is only the fifth-largest DeFi hack of 2022. It falls behind several key exploits this year, most notably the $550 million Ronin Bridge hack in March.
