One crypto-sleuth has claimed that the $160 million hack on algorithmic market maker Wintermute last week was an “inside job.” Needless to say, this has now sparked a brand-new crypto-conspiracy theory across crypto-circles.
On September 20, a hacker used a flaw in a Wintermute smart contract to steal over 70 different tokens, including $61.4 million in USD Coin (USDC), $29.5 million in Tether (USDT), and 671 Wrapped Bitcoin (wBTC), which was then valued about $13 million.
Wintermute’s CEO Evgeny Gaevoy acknowledged on Twitter that its Decentralized Finance (DeFi) activities were being hampered by an “ongoing attack.” However, he added that its centralized finance and over-the-counter trading operations were untouched.
An inside job?
The sleuth – Librehash – claimed that the hack was carried out by an internal party because of how Wintermute’s smart contracts were interacted with and ultimately abused. He said,
“The relevant transactions initiated by the EOA [externally owned address] make it clear that the hacker was likely an internal member of the Wintermute team.”
Here, it’s worth pointing out that James Edwards, the author of the analysis, is a lesser-known cybersecurity researcher/analyst. Although neither Wintermute nor any other cybersecurity specialists are yet to respond, his research is his first publication on Medium.
According to Edwards’ assertion in the essay, the EOA “that made the call on the ‘compromised’ Wintermute smart contract was itself compromised by the team’s usage of a defective internet vanity address creation service.”
Edwards continued by claiming that the Wintermute smart contract in question does not have any “uploaded, validated code.” This makes it harder for the general public to verify the current external hacker theory and raise questions about transparency.
“This, in itself, is an issue in terms of transparency on behalf of the project. One would expect any smart contract responsible for the management of user/customer funds that’s been deployed onto a blockchain to be publicly verified to allow the general public an opportunity to examine and audit the unflattened Solidity code.”.
Questions on specific transfers
He also challenged a specific transfer that took place during the attack, noting that it “shows the transfer of 13.48M USDT from the Wintermute smart contract address to the 0x0248 smart contract (allegedly created and managed by the Wintermute hacker).”
To address a corrupted smart contract, Wintermute allegedly transferred more than $13 million in Tether USD (USDT) from two distinct exchanges, according to the transaction history highlighted by Edwards on Etherscan.
“Why would the team send $13 million worth of funds to a smart contract they *knew* was compromised? From TWO different exchanges?” he questioned.
A ‘White-Hat’ operation?
Commenting on the hack, CEO Gaevoy said, “There will be a disruption in our services today and potentially for the next few days and will get back to normal after.”
The company, which offers liquidity in the crypto-coin realm and transacts billions of dollars a day, is still financially healthy, he continued. It has “double that amount in equity left” and monies for customers with Wintermute market maker agreements are safe, the exec added.
Wintermute is treating the attack as a “white hat” operation. This implies that if the attacker contacts the business, they’re willing to drop the charges and may even agree to let the thief keep some of the money they took in exchange for returning the remainder.