{"id":67451,"date":"2022-09-20T20:24:48","date_gmt":"2022-09-20T17:24:48","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=67451"},"modified":"2025-09-07T06:40:30","modified_gmt":"2025-09-07T03:40:30","slug":"experts-tie-wintermutes-160-million-hack-to-vanity-address-generator-vulnerability","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/experts-tie-wintermutes-160-million-hack-to-vanity-address-generator-vulnerability\/","title":{"rendered":"Experts tie Wintermute&#8217;s $160 million hack to vanity-address generator vulnerability"},"content":{"rendered":"<p>The $160 million theft from market maker Wintermute was carried out by an attacker who exploited a vulnerability in the Profanity tool. This conclusion was reached by Mudit Gupta, Polygon&#8217;s head of information security.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Posting etherscan links got me ghostbanned so had to delete those tweets. You can find the whole content on my blog \u2014 <a href=\"https:\/\/t.co\/o6eV5TSXDn\">https:\/\/t.co\/o6eV5TSXDn<\/a><\/p>\n<p>\u2014 Mudit Gupta (@Mudit__Gupta) <a href=\"https:\/\/twitter.com\/Mudit__Gupta\/status\/1572199260615245826?ref_src=twsrc%5Etfw\">September 20, 2022<\/a><\/p><\/blockquote>\n<p>The Profanity tool generated readable Ethereum addresses (vanity addresses) containing words, names or phrases. Work on the tool was abandoned several years ago, but wallets created with it still function today.<\/p>\n<p>The theft of assets from Wintermute <a href=\"https:\/\/forklog.com\/en\/news\/hackers-stole-160-million-from-wintermute\">took place on September 20<\/a>. The market maker remained solvent.<\/p>\n<p>The CEO of the platform, Evgeny Gaevoy, stressed that the attack targeted DeFi operations. 
The hacker drained the Ethereum vault built on smart contracts.<\/p>\n<p>According to Gupta, the vulnerability allowed the attacker to derive the private keys of the vault administrator&#8217;s address. That address began with the prefix \u201c0x0000000\u201d, characteristic of vanity addresses.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>&#8220;The vault allows these transfers to be performed only by administrators, and Wintermute&#8217;s hot wallet, as expected, performed that role. [\u2026] The address was likely compromised,&#8221;<\/em> explained the specialist.<\/p>\n<\/blockquote>\n<p>The expert suggested that the firm&#8217;s staff transferred all Ethereum from the vanity-address wallet before the breach, perhaps as a precaution following the disclosure of the <a href=\"https:\/\/forklog.com\/en\/news\/hackers-stole-about-3-3-million-through-vulnerability-in-profanity-ethereum-address-generator\">vulnerability in the Profanity tool<\/a>. 
At the same time, the market maker did not change the administrator rights, he added.<\/p>\n<p>SlowMist specialists reached similar conclusions.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>&#8220;$160 million was stolen from Wintermute, likely due to using a wallet generated by the Profanity service (starting with 0x0000000),&#8221;<\/em> they stressed.<\/p>\n<\/blockquote>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">\ud83d\udea8SlowMist Security Alert\ud83d\udea8<\/p>\n<p>$160 Million Stolen from <a href=\"https:\/\/twitter.com\/wintermute_t?ref_src=twsrc%5Etfw\">@wintermute_t<\/a> likely due to using the Profanity tool to create a wallet (starting with 0x0000000).<\/p>\n<p>\u2014 SlowMist (@SlowMist_Team) <a href=\"https:\/\/twitter.com\/SlowMist_Team\/status\/1572180126707896320?ref_src=twsrc%5Etfw\">September 20, 2022<\/a><\/p><\/blockquote>\n<p>Experts found that $114 million of the stolen $160 million was moved to Curve Finance.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">Using <a href=\"https:\/\/twitter.com\/DeBankDeFi?ref_src=twsrc%5Etfw\">@DeBankDeFi<\/a> , we can see the hacker\u2019s already earning some yield on ~114M by depositing it into <a href=\"https:\/\/twitter.com\/CurveFinance?ref_src=twsrc%5Etfw\">@CurveFinance<\/a> liquidity pool. 
<a href=\"https:\/\/t.co\/G2qiN0smXa\">pic.twitter.com\/G2qiN0smXa<\/a><\/p>\n<p>\u2014 SlowMist (@SlowMist_Team) <a href=\"https:\/\/twitter.com\/SlowMist_Team\/status\/1572187251928334344?ref_src=twsrc%5Etfw\">September 20, 2022<\/a><\/p><\/blockquote>\n<p>In a discussion with The Block, Gupta suggested that Wintermute used a vanity address for efficiency in executing transactions. Gaevoy confirmed this guess, noting gas savings.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">In our case was not vanity, did it for gas savings<\/p>\n<p>\u2014 wishful cynic (@EvgenyGaevoy) <a href=\"https:\/\/twitter.com\/EvgenyGaevoy\/status\/1572181989242937345?ref_src=twsrc%5Etfw\">September 20, 2022<\/a><\/p><\/blockquote>\n<p>Earlier, in September 2022, Ethereum developer P\u00e9ter Szil\u00e1gyi described a vulnerability through which <a href=\"https:\/\/forklog.com\/en\/news\/avalanche-vulnerability-could-have-caused-a-network-wide-outage\">an attacker could disable the Avalanche network<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The thief who stole $160 million from market maker Wintermute exploited a vulnerability in the Profanity tool, according to Polygon&#8217;s head of information security, Mudit 
Gupta.<\/p>\n","protected":false},"author":1,"featured_media":67452,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1154,1149],"class_list":["post-67451","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-crimes","tag-wintermute"],"aioseo_notices":[],"amp_enabled":true,"views":"42","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/67451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=67451"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/67451\/revisions"}],"predecessor-version":[{"id":67453,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/67451\/revisions\/67453"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/67452"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=67451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=67451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=67451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}