Was the $160M Wintermute Hack an Inside Job?


  • An external hacker wouldn’t have the knowledge required for contract execution, Edwards alleged
  • Wintermute must clarify how the attacker had the necessary signature required, he said

The $160 million hack of market maker Wintermute might have been an inside job, according to one blockchain analyst.

The liquidity provider, among the largest dedicated to crypto market making, was allegedly hacked due to a recently discovered “vanity address” vulnerability in its DeFi (decentralized finance) operations. CEO Evgeny Gaevoy, who said the firm remained solvent, asked the hacker to get in touch and offered a 10% bounty if the funds were returned.

But a new theory by James Edwards, who goes by the name Librehash on Medium, claims the hack could be pinned down to Wintermute’s own team.

In a blog posted on Monday, Edwards said the prevailing theory maintains that an externally owned address (EOA) behind the “compromised” Wintermute wallet was itself compromised because of a vulnerability in a vanity address generator tool.

But he disputed that theory after analyzing the smart contract and its interactions, concluding that the knowledge required to go through with the hack rules out the possibility that the hacker was random or external.

Edwards noted that the smart contract at issue has “no uploaded, verified code,” which makes it difficult for external parties to confirm the external hacker theory and raises the issue of transparency.

“The relevant transactions initiated by the EOA make it clear that the hacker was likely an internal member of the Wintermute team,” he wrote.

Further, on conducting an Etherscan analysis, he said the compromised smart contract received two deposits from Kraken and Binance’s hot wallets. “It’s safe to assume that such a transfer must have been initiated from team-controlled exchange accounts,” he said.

Less than a minute after the compromised Wintermute smart contract received over 13 million in Tether (the total amount of that token), the funds were sent from the wallet manually to a contract supposedly controlled by the hacker.

“We know the team was aware the smart contract had been compromised at this point. So why initiate these two withdrawals directly to the compromised smart contract smack in the middle of the hack?” he said on Twitter.

Edwards believes the Wintermute team should provide an explanation of how the attacker would have the necessary signature for contract execution and know which functions to call, since there’s no contract source code published. He suggested only someone with intimate knowledge would have the capacity to do so.

Edwards is not a professional cybersecurity analyst and his blog on the Wintermute hack appears to be his debut Medium post. But he’s previously put out Twitter threads analyzing possible money laundering on various crypto projects.

The large-scale theft was another blemish on the record of the industry as it would hurt the confidence of TradFi (traditional finance) institutions looking to enter the space, according to Marcus Sotiriou, analyst at GlobalBlock. “As Wintermute was one of the biggest liquidity providers in the industry, they may be forced to remove liquidity in order to mitigate further risk from their loss,” he said.

Wintermute didn’t return Blockworks’ request for comment by press time.


  • Shalini Nagarajan

    Shalini is a crypto reporter from Bangalore, India who covers developments in the market, regulation, market structure, and advice from institutional experts. Prior to Blockworks, she worked as a markets reporter at Insider and a correspondent at Reuters News. She holds some bitcoin and ether.
