Well-known vulnerability in private keys likely exploited in $160M Wintermute hack

Blockchain cybersecurity company Certik has said a vulnerable private key was attacked in the Wintermute hack. A vulnerability in private keys generated by the Profanity app was likely exploited. The vulnerability has been known since at least January.

The U.K.-based algorithmic crypto market maker announced the hack on Tuesday and said over-the-counter and centralized finance operations were not affected. About $162.5 million worth of cryptocurrencies were taken. “We are solvent with twice over that amount in equity left,” Wintermute CEO Evgeny Gaevoy said in a tweet.

Certik said in a blog post that the hack was due to a leaked or brute-forced private key, and not a smart contract vulnerability:

“The exploiter used a privileged function with the private key leak to specify that the swap contract was the attacker controlled contract.”

The company added that a vulnerability in the popular Profanity vanity address generator was probably at fault in the hack.

Certik noted that decentralized exchange 1inch Network disclosed the apparent Profanity vulnerability in a Sept. 13 blogpost and subsequent warning on Twitter. 1inch users spotted the vulnerability after a suspicious airdrop took place in June. 1inch said on its blog:

“Profanity is one of the most popular tools due to its high efficiency. Sadly, that could only mean that most of the Profanity wallets were secretly hacked.”

The vulnerability was blamed for the hacking of $3.3 million on Sept. 13. GitHub users spotted the issue in January 2022, leading the developer to abandon the project and then archive it on Sept. 15.

A private key is derived from a user’s seed phrase, which is a list of 12–24 words associated with a wallet that allows a user to recover the cryptocurrency in a wallet, even if the wallet is lost or deleted.

Related: Polygon CSO blames Web2 security gaps for recent spate of hacks

According to Certik, around $273.9 million has been lost this year due to compromised private keys, making the method “one of the largest attack vectors.” The Wintermute attack is by far the largest, with the Harmony Protocol hack in June coming in second at $97 million.