The clock is ticking for the Wintermute hacker to return $160 million in stolen funds, after which the London-based company will take legal action.
“We want to cooperate with you and resolve this matter immediately. Accept the terms of the bounty and return the funds within 24 hours before Sep. 22 UST by 23:59 while we can still consider this a white-hat event for a 10% bounty as offered. If the stolen funds are not returned by the deadline, you will force us to remove our bounty offer and white-hat label; we will then proceed accordingly with the appropriate authorities and avenues,” the company said.
At press time, the hacker had not responded, according to Etherscan.
Human error resulted in the hack
On the day of the hack, Wintermute CEO Evgeny Gaevoy said that the hacker exploited weaknesses in a domain service called Profanity, which takes the long strings of letters and numbers used in a wallet address and turns them into so-called “vanity addresses.” Vanity addresses are personalized human-readable wallet addresses that make transactions on Ethereum simpler. The hacker was able to generate all the combinations of keys or passwords for a single vanity address, enabling them to peek into the account balances of the address. Wintermute used one of Profanity’s additional features to reduce transaction costs.
Profanity’s vulnerabilities were first highlighted in a Sep. 15, 2022 blog post by 1inch, a decentralized exchange aggregator. Wintermute responded by blacklisting Profanity accounts to prevent their liquidation but missed one through human error. The profanity account was linked to the company’s decentralized finance wallet. The hacker then exploited that single account to drain $120 million worth of stablecoins, $20 million of bitcoin and ether, and $20 million in other currencies.
Binance CEO Changpeng “CZ” Zhao had earlier commented that the Wintermute hack looked related to Profanity. “If you used vanity addresses in the past, you might want to move those funds to a different wallet,” he tweeted.
We took a calculated risk, says Wintermute CEO
Wintermute could not use proven crypto security practices such as hardware wallets or so-called “multi-sig” methods that require multiple parties to digitally sign transactions since it engages in automated trading, where transactions need to be signed in real-time. To compensate, the company chose to develop proprietary tools and security protocols.
“Ultimately, that’s the risk we took. It was calculated,” said Gaevoy. “It didn’t work out this year.
Regarding the identity of the hacker, Gaevoy said that he has some ideas on the hacker’s identity that is being internally and externally investigated. The hack is the fifth largest DeFi hack in 2022.