Wintermute CEO, Evgeny Gaevoy has confirmed that the multi-million-dollar Wintermute hack was linked to a critical bug in the Ethereum vanity address-generating tool called Profanity.
Profanity is a tool that lets Ethereum users create “vanity addresses” – personalized wallet addresses that contain human-readable messages, which make transfers easier.
Profanity bug leads to wallet breach
“If you used vanity addresses in the past, you might want to move those funds to a different wallet,” he cautioned.
Polygon chief information security officer Mudit Gupta corroborated the allegations with evidence.
“I took a quick look and my best guess is that it was a hot wallet compromise due to the Profanity bug that was publicly disclosed a few weeks ago,” Gupta said in a blog post.
“The vault only allows admins to do these transfers and Wintermute’s hot wallet is an admin, as expected. Therefore, the contracts worked as expected but the admin address itself was likely compromised,” he said, adding:
“The admin address is a vanity address (starts with a bunch of zeroes) which might have been generated using the famous but buggy vanity address generating tool called Profanity.”
Crypto security company Certik also explained how the attack was carried out. “The exploiter used a privileged function with the private key leak to specify that the swap contract was the attacker-controlled contract,” the blog post read.
Vanity addresses are supposed to be impossible to replicate but hackers have found a way to reverse calculate these codes, accessing millions of dollars.
Wintermute CEO, Evgeny Gaevoy later confirmed that the hack was linked to Profanity. Evgeny broke down the incident.
“The attack was likely linked to the Profanity-type exploit of our DeFi trading wallet. We did use Profanity and an internal tool to generate addresses with many zeroes in front. Our reason behind this was gas optimization, not “vanity” he stated in a Twitter thread.
The DEX has since “moved to a more secure key generation script.” “As we learned about the Profanity exploit last week, we accelerated the ‘old key’ retirement,” Gaevoy averred.
Wintermute’s hack comes a few days after DEX aggregator 1inch Network issued a warning that people whose accounts are connected to Profanity were not safe. The firm discovered a vulnerability in the popular vanity address tool, which put millions of dollars in user money at risk.
“Transfer all of your assets to a different wallet as soon as possible,” 1inch warned at the time. “If you used Profanity to get a vanity smart contract address, make sure to change the owners of that smart contract.”
The developer behind Profanity, known on Github as “johguse”, admitted that the tool was in its current form very risky.
“I strongly advise against using this tool in its current state. The code will not receive any updates and I’ve left it in an uncompilable state. Use something else!” johguse wrote on Github.
The Wintermute attack is not the first time codes have been manipulated to steal user funds. Earlier this month, hackers stole more than $3.3 million in ETH from several Profanity-related wallet addresses using the same method, according to crypto sleuth ZachXBT.
The $160 million Wintermute exploit makes it only the fifth largest DeFi hack in 2022. The exploit falls behind several key exploits this year, most notably, the $550 million Ronin Bridge hack from March this year.