$160M Wintermute Hack Becomes Fifth Largest DeFi Exploit of 2022

Wintermute exploit

Wintermute CEO Evgeny Gaevoy has confirmed that the multi-million-dollar Wintermute hack was linked to a critical bug in Profanity, a tool for generating Ethereum vanity addresses.

Wintermute, a crypto asset algorithmic market maker, was on Tuesday hit for $160 million in its DeFi operations, Gaevoy said. More than 90 assets of different values were stolen, he added.

The hack comes a few days after 1inch flagged Profanity-generated addresses as high risk.

Profanity is a tool that lets Ethereum users create “vanity addresses” – personalized wallet addresses that contain human-readable messages, which make transfers easier.

Profanity bug leads to wallet breach

Earlier, Binance CEO Changpeng Zhao posted on Twitter that the Wintermute exploit looked “like Profanity-related” but did not explain how.

“If you used vanity addresses in the past, you might want to move those funds to a different wallet,” he cautioned.

Polygon chief information security officer Mudit Gupta corroborated the allegations with evidence.

“I took a quick look and my best guess is that it was a hot wallet compromise due to the Profanity bug that was publicly disclosed a few weeks ago,” Gupta said in a blog post.

“The vault only allows admins to do these transfers and Wintermute’s hot wallet is an admin, as expected. Therefore, the contracts worked as expected but the admin address itself was likely compromised,” he said, adding:

“The admin address is a vanity address (starts with a bunch of zeroes) which might have been generated using the famous but buggy vanity address generating tool called Profanity.”

Crypto security company Certik also explained how the attack was carried out. “The exploiter used a privileged function with the private key leak to specify that the swap contract was the attacker-controlled contract,” the blog post read.

Vanity addresses are supposed to be impossible to replicate, but attackers have found a way to work backwards from a Profanity-generated address to its private key, gaining access to millions of dollars.

Wintermute CEO Evgeny Gaevoy later confirmed that the hack was linked to Profanity, and broke down the incident.

“The attack was likely linked to the Profanity-type exploit of our DeFi trading wallet. We did use Profanity and an internal tool to generate addresses with many zeroes in front. Our reason behind this was gas optimization, not ‘vanity’,” he stated in a Twitter thread.

The DEX has since “moved to a more secure key generation script.” “As we learned about the Profanity exploit last week, we accelerated the ‘old key’ retirement,” Gaevoy averred.

Warning ignored?

Wintermute’s hack comes a few days after DEX aggregator 1inch Network issued a warning that people whose accounts are connected to Profanity were not safe. The firm discovered a vulnerability in the popular vanity address tool, which put millions of dollars in user money at risk.

“Transfer all of your assets to a different wallet as soon as possible,” 1inch warned at the time. “If you used Profanity to get a vanity smart contract address, make sure to change the owners of that smart contract.”

The developer behind Profanity, known on GitHub as “johguse”, admitted that the tool, in its current form, was very risky.

“I strongly advise against using this tool in its current state. The code will not receive any updates and I’ve left it in an uncompilable state. Use something else!” johguse wrote on Github.

The Wintermute attack is not the first time the Profanity weakness has been used to steal user funds. Earlier this month, hackers stole more than $3.3 million in ETH from several Profanity-related wallet addresses using the same method, according to crypto sleuth ZachXBT.

The $160 million Wintermute exploit ranks only fifth among DeFi hacks in 2022, behind several larger exploits, most notably the $550 million Ronin Bridge hack in March.

