winter mutea “market maker” or cryptocurrency market maker, fell victim to a large-scale hack. In a post on Twitter on September 20, 2022, Evgeny Gaevoy, CEO of the London-based company, announced the disappearance of $160 million of crypto assets.
We were hacked for about $160 million in our defi business. Cefi and OTC business not affected
— wishing cynic (@EvgenyGaevoy) September 20, 2022
The official clarified that the hack only involved operations related to decentralized finance. Traditional financial and Over The Counter (OTC) transactions are not affected. He further specifies that: Winter mute remains solvent. The company is committed to resuming normal operations in the coming days. Wintermute insists that the rest of the money in his possession is safe.
Wintermute is one of the leading market makers in the industry. The company is responsible for provide liquidity exchange platforms, decentralized or centralized, such as Binance or Coinbase. The British company currently works with some fifty big names in the industry. Recently, Wintermute even became the official market maker of the TRON ecosystem.
At the end of the attack, the hackers transferred some of the money ($47.7 million) to a digital wallet. The rest of the stolen assets were sent to: CurveFinance, an important decentralized financial protocol. The platform, based on the Ethereum blockchain, provides stablecoin holders to provide liquidity to receive revenue.
On the same theme: Amazon will participate in the creation of the digital euro, the future European alternative to cryptocurrencies
An Ethereum Address Generator Error
A few hours after the events, Wintermute returned to the conditions of the attack. According to Evgeny Gaevoy, the hackers exploited a security vulnerability in Vulgar language, an address generator on the Ethereum blockchain. The tool allows users to customize their public address by choosing a defined prefix or suffix. These personalized addresses are titled “vanity addresses”. In general, the addresses on the blockchain are generated quite randomly from the private key.
The infringement was: identified a few days before the attack by 1inch, another decentralized exchange that relies on Ethereum. 1inch teams discovered a vulnerability while generating a personalized address. By exploiting the flaw, it is possible to find the private key, the equivalent of a password or passcode, of the address of a digital wallet. De facto, an attacker can gain control over the money stored in a wallet without the owner’s knowledge.
🚨 RUN YOU Fools 🚨
⚠️ Spoiler: Your money is NOT SAFU if your wallet address was generated with the Profanity tool. Transfer all your assets to another wallet ASAP!
— 1inch network (@1inch) September 15, 2022
The 1inch researchers explain that they were able to “guess” the private keys of a range of addresses thanks to a simple brutal attack. The attack was carried out using the computing power of a graphics card. This is exactly what would have happened during the Wintermute attack.
Apparently the market maker has ” uses profanity and an internal tool to generate addresses ». The last modified addresses are from June 2022. When the Wintermute teams learned of the 1inch discovery, they accelerated the removal of Blasphemous addresses to move to a more secure build script.
Unfortunately, human error caused an error in the process. Although the money was moved to a more secure address, the old address still had permission to sign smart contracts.
“As advanced as our technologies are, most vulnerabilities are the result of human error”explains Evgeny Gaevoy.
Ethereum addresses at the mercy of hackers
According to computer security expert ZachXBT, the vulnerability was exploited before the Wintermute hack. The mistake would have made it possible to deviate over $3.3 million on September 16, 2022. Several addresses were transferred. The money was transferred to a wallet belonging to an unknown hacker. For its part, 1inch claims that many addresses generated by Profanity have been hacked in this way. Hundreds of millions of dollars are currently at stake.
” Your money is not safe if your wallet address is generated with the Profanity tool. Transfer all your assets to another wallet ASAP! »recommend 1inch.
Tal Be’ery, another cybersecurity expert, believes that 1inch indirectly forced the hackers to carry out their attack. On Twitter, the researcher thinks that ” attackers tried to find as many private keys as possible » when 1inch published its report. In an emergency, the hackers then rushed to collect cryptocurrencies stored on the already compromised wallets.
It appears that the attackers sat on this vulnerability and tried to find as many private keys as possible from vulnerable profanity generated vanity addresses before the vulnerability became known.
Once publicly exposed by @1 inchattackers were paid in minutes from multiple vanity addresses https://t.co/0qefhYdMBU
—Tal Beery (@TalBeerySec) September 18, 2022
Before the Wintermute attack, johguse, the developer behind Profanity, had already… Internet users are advised not to use the tool open source. On Github, he specifies that the project ” discontinued a few years ago”. No update will fill the error identified by 1 inch. johguse recommends using a different solution to generate personalized addresses.
Note that this error is not related to the functioning of the Ethereum blockchain. While ETH addresses are at risk, the vulnerability introduced by a third-party solution. The recent Ethereum update, and the move to Proof of Stake, has nothing to do with the Wintermute hack.
To get back the money stolen during the hack, Evgeny Gaevoy offered: a 10% bonus for pirates. If the stolen money is returned, Wintermute will offer the equivalent of $16 million in cryptocurrency. The CEO clarifies that the company will not lay off employees, change its strategy, raise additional funds or stop its decentralized financial activities. Despite this setback, the company remains true to its roadmap.
Yet Another Decentralized Financial Hack
This is far from the first hack to mark the crypto ecosystem. Last month, Celer Network’s Cbridge bridge was hacked. The attackers made off with $240,000. There is also the Nomad hack, which resulted in the theft of $190 million, Ronin ($624 million), Poly Network ($611 million), and Wormhole ($326 million).
According to a study by Chainalysis, a specialist in blockchain analysis, number of hacks increased by 60% between January and July 2022 compared to the same period in 2021. Using loopholes, criminals seized $1.9 billion in crypto assets in six months.