The $160 million theft from market maker Wintermute was carried out by an attacker who exploited a vulnerability in the Profanity tool. This conclusion was reached by Mudit Gupta, Polygon’s head of information security.
Posting etherscan links got me ghostbanned so had to delete those tweets. You can find the whole content on my blog — https://t.co/o6eV5TSXDn
— Mudit Gupta (@Mudit__Gupta) September 20, 2022
The Profanity tool allowed the generation of readable Ethereum addresses (vanity addresses) containing words, names or phrases. Work on the tool was abandoned several years ago, but wallets created with it are functioning today.
The incident with the theft of assets at Wintermute took place on September 20. The market maker remained solvent.
The CEO of the platform, Evgeny Gaevoy, stressed that the attack targeted DeFi operations. The hacker drained the Ethereum vault built on smart contracts.
According to Gupta, the vulnerability allowed the attacker to derive the private key of the vault administrator’s address. That address began with the prefix “0x0000000”, a pattern characteristic of vanity addresses.
“The vault allows these transfers to be performed only by administrators, and Wintermute’s hot wallet, as expected, performed that role. […] The address was likely compromised,” explained the specialist.
The expert suggested that the firm’s staff transferred all Ethereum out of the vanity-address wallet before the breach, perhaps as a precaution after the Profanity vulnerability was disclosed. At the same time, he added, the market maker did not change the administrator rights, so the compromised address kept its privileges.
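The gap Gupta describes, an emptied wallet that still holds an admin role, is the kind of thing a periodic audit can catch. The following is an added example, not code from the article or from Wintermute: it flags privileged addresses whose leading-zero prefix (the “0x0000000” pattern reported above) is far too unlikely to be accidental, regardless of their balance. The role table, balances and addresses are constructed sample data.

```python
import re

VANITY_ZERO_NIBBLES = 7  # "0x0000000" as reported in the article
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def leading_zero_nibbles(address: str) -> int:
    """Count leading zero hex digits of a 20-byte Ethereum address (case-insensitive)."""
    if not ADDRESS_RE.match(address):
        raise ValueError(f"not an Ethereum address: {address!r}")
    body = address[2:].lower()
    return len(body) - len(body.lstrip("0"))


def chance_probability(zero_nibbles: int) -> float:
    """Probability that a uniformly random address has at least this many leading zero nibbles."""
    return 16.0 ** (-zero_nibbles)


def audit_roles(roles: dict, balances_wei: dict) -> list:
    """Flag role holders whose prefix looks deliberately generated (vanity).

    A zero balance does not clear the finding: the key keeps its rights
    until the role itself is revoked.
    """
    findings = []
    for role, holders in roles.items():
        for addr in holders:
            zeros = leading_zero_nibbles(addr)
            if zeros >= VANITY_ZERO_NIBBLES:
                findings.append({
                    "role": role,
                    "address": addr.lower(),
                    "leading_zero_nibbles": zeros,
                    "chance_probability": chance_probability(zeros),
                    "balance_wei": balances_wei.get(addr.lower(), 0),
                    "action": "rotate key and revoke role; emptying the wallet is not enough",
                })
    return findings


# Constructed sample data (hypothetical addresses): one vanity-looking admin, one ordinary admin.
SAMPLE_ROLES = {"ADMIN": ["0x0000000a1b2c3d4e5f60718293a4b5c6d7e8f9a0",
                          "0x9f8e7d6c5b4a39281706f5e4d3c2b1a098765432"]}
SAMPLE_BALANCES = {"0x0000000a1b2c3d4e5f60718293a4b5c6d7e8f9a0": 0}  # already drained

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES, SAMPLE_BALANCES):
        print(finding)
```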
SlowMist specialists reached similar conclusions.
“$160 million was stolen from Wintermute, likely due to using a wallet generated by the Profanity service (starting with 0x0000000),” they stressed.
🚨SlowMist Security Alert🚨
$160 Million Stolen from @wintermute_t likely due to using the Profanity tool to create a wallet (starting with 0x0000000).
— SlowMist (@SlowMist_Team) September 20, 2022
Experts found that $114 million of the stolen $160 million was moved to Curve Finance.
Using @DeBankDeFi , we can see the hacker’s already earning some yield on ~114M by depositing it into @CurveFinance liquidity pool. pic.twitter.com/G2qiN0smXa
— SlowMist (@SlowMist_Team) September 20, 2022
In a discussion with The Block, Gupta suggested that Wintermute used a vanity address because of efficiency in executing transactions. Gaevoy confirmed this guess, noting gas savings.
In our case was not vanity, did it for gas savings
— wishful cynic (@EvgenyGaevoy) September 20, 2022
Earlier, in September 2022, Ethereum developer Péter Szilágyi described a vulnerability through which an attacker could disable the Avalanche network.
