Sep 2022 - Wintermute Profanity Private Key Breach - $160m (Global)

"We make markets in digital assets liquid and efficient. Wintermute is a leading global algorithmic trading firm in digital assets. We create liquid and efficient markets on centralized and decentralized trading platforms and off-exchange."
"Wintermute is a leading algorithmic trading firm that is focused on the innovative digital asset markets and is building the future of finance while also empowering its employees to act like owners and achieve more than is possible elsewhere.
Our Mission is to enable, empower and advance the truly decentralized world for more transparent, fair and efficient markets and products"
"Wintermute is a new generation algorithmic trading firm that uniquely merges [t]echnological sophistication and best practices from traditional capital markets, [t]he culture and speed of a hyper-growth technology startup[, and t]he cutting edge innovation of a blockchain-native company[.]"
"Wintermute is providing liquidity on over 50 exchanges and trading platforms." "Founded in 2017, Wintermute trades billions of dollars across crypto market daily as it provides liquidity across multiple venues. [In September 2022] it was named as the official DeFi market maker for the Tron network."
"A major challenge facing the UK-based crypto market maker is repaying millions of dollars in debt. It owes over $200 million to several counterparties in the decentralized finance (DeFi) space, which makes the situation murkier. However, CEO Gaevoy has claimed that the firm isn't defunct and remains solvent."
"In another another, the company reassured all its partners, saying, “We are able to return any or all outstanding loans if requested, although we would greatly appreciate if these are not recalled.”"
"Wintermute had been using Profanity not to create easy-to-remember names for digital accounts, but to lower its trading transaction costs, since that’s another feature of Profanity’s service, Gaevoy says. When Wintermute learned of the vulnerability last week, they took steps to technologically “blacklist” their Profanity accounts, shielding them from being liquidated. However, due to their own “human error,” one of the 10 accounts didn’t get blacklisted, according to Gaevoy, which probably resulted in the $160 million heist."
"These trading accounts were part of Wintermute’s “decentralized finance” or DeFi business, where it makes rapid trades on decentralized exchanges like Uniswap and Sushi Swap that aren’t controlled by a single entity. Since the DeFi ecosystem is young, highly experimental and designed to be more openly accessible than traditional finance, it doesn’t have the same safeguards that centralized exchanges like Coinbase has. “You don’t have any circuit breakers. You don’t have any two-factor authentication to help store your keys,” Gaevoy says."
"When the Profanity Hack came to public awareness, Wintermute did take steps to remove all ether from the hot wallet, however they failed to remove the address as an admin from their vault. What likely happened is that the hot wallet’s private key was compromised and used to drain the vault."
"Cryptocurrency market maker Wintermute has lost $160 million in a hack relating to its decentralized finance (DeFi) operation, according to a tweet from the company's founder and CEO, Evgeny Gaevoy." "Gaevoy or Wintermute did not [initially] disclose when the hack took place or how the attackers were able to succeed, and whether it has alerted law enforcement." "Founder and CEO Evgeny Gaevoy says he learned of the hack a few minutes after it took place, around 6:00 AM London time. An hour later, he announced the theft on Twitter without saying how it happened." "$118.4M funds were stolen, with the majority being stablecoins, along with 671 WBTC (~$13M) and 6,928 ETH ($9.4M) and a variety of other tokens."
"Short communication on the ongoing Wintermute hack"
"We’ve been hacked for about $160M in our defi operations. Cefi and OTC operations are not affected"
"We are solvent with twice over that amount in equity left"
"If you have a MM agreement with Wintermute, your funds are safe. There will be a disruption in our services today and potentially for next few days and will get back to normal after"
"Out of 90 assets that have been hacked only two have been for notional over $1 million (and none more than $2.5M), so there shouldn’t be a major selloff of any sort. We will communicate with both affected teams asap"
"If you are a lender to Wintermute, again, we are solvent, but if you feel safer to recall the loan, we can absolutely do that"
"We are (still) open to treat this as a white hat, so if you are the attacker – get in touch"
"Gaevoy and Wintermute did not reveal how the hackers were able to succeed, or whether law enforcement was notified. However, to speed up the damage control process, the firm has offered a 10% bounty on funds taken to the hacker. Gaevoy said the hacker should keep $16 million and refund the balance to an address he made public"
"The Wintermute CEO has some leads on who the hacker might be, and he’s investigating them “both internally and with the use of external partners.” He’s hoping that the hacker will become a “white hat” who returns most of the funds, and he’s now offering a 10% bounty, or $16 million, if the hacker gives back the remaining $144 million. He tweeted that Wintermute “would prefer to resolve this in a simple way, but the window of opportunity to do so is closing fast due to the high profile of this exploit.”"
"Gaevoy explained to Forbes that, although the investigation is still ongoing, the hack likely originated with a service called Profanity, which generates “vanity addresses” for digital cryptocurrency accounts to make them easier to work with. Otherwise, crypto accounts are roughly 30-character strings of varied letters and numbers. Last week, a blog post by another crypto firm revealed a security vulnerability with Profanity’s code. The gist of the problem: someone with enough computing power can generate all the possible keys or passwords created for a Profanity vanity address. Then they can scan the associated accounts to see how much money they hold and steal the funds."
"for the most secure cryptographic practices, a cryptographic pseudorandom number generator (CPRNG) seeded with a random value is used to create random values, such as private keys. Profanity, however, seeded its CPRNG with a 32-bit number. Thus, an attacker with significant compute resources was able to brute-force their way through a Profanity address’s possible seed values and recreate the private keys. In Wintermute’s case, both their DeFi vault contract, as well as their hot wallet, are likely to be vanity addresses."
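To make the defect described above concrete, the following added example (not Wintermute's or Profanity's code; a toy model written for this page) contrasts a key that is a deterministic function of a 32-bit seed with one drawn from the operating system's CSPRNG, and shows why the seed, not the 256-bit key length, bounds the key's strength. The PRNG, the scalar folding and the entropy helper are assumptions made for illustration.

```python
import math
import random
import secrets

# secp256k1 group order: a valid private key is an integer in [1, N-1]
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def is_valid_private_key(k: int) -> bool:
    """A secp256k1 private key must be a scalar in the range [1, N-1]."""
    return 1 <= k < SECP256K1_N


def weak_private_key(seed32: int) -> int:
    """Toy model of the Profanity defect (NOT Profanity's real generator):
    a 256-bit key that is entirely determined by a 32-bit seed fed to a
    non-cryptographic PRNG. Anyone who knows the seed knows the key."""
    if not 0 <= seed32 < 2 ** 32:
        raise ValueError("seed must fit in 32 bits")
    rng = random.Random(seed32)          # deterministic given the seed
    k = rng.getrandbits(256)
    return k % (SECP256K1_N - 1) + 1     # fold into [1, N-1]


def secure_private_key() -> int:
    """Mitigation: draw the key directly from the OS CSPRNG (secrets),
    rejecting the negligible fraction of values outside [1, N-1]."""
    while True:
        k = int.from_bytes(secrets.token_bytes(32), "big")
        if is_valid_private_key(k):
            return k


def effective_entropy_bits(seed_bits: int, key_bits: int = 256) -> int:
    """The search space an attacker faces is min(seed, key) bits: a 256-bit
    key derived from a 32-bit seed has only 32 bits of effective entropy."""
    return min(seed_bits, key_bits)


def seed_is_adequate(seed_bits: int, minimum_bits: int = 128) -> bool:
    """Risk check for a key-generation tool: the seed must carry at least
    the security level expected of the key (128 bits is the usual floor)."""
    return effective_entropy_bits(seed_bits) >= minimum_bits


def search_space_ratio(seed_bits: int, key_bits: int = 256) -> float:
    """How many orders of magnitude (log10) the weak seed shrinks the
    keyspace compared with a properly generated key."""
    return (key_bits - effective_entropy_bits(seed_bits, key_bits)) * math.log10(2)
```

The last two helpers are the check a reviewer of such a tool would want: a 32-bit seed fails `seed_is_adequate`, and `search_space_ratio(32)` shows the keyspace collapsing by roughly 67 orders of magnitude.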
"Thankfully, after the initial Profanity vulnerability was discovered, all affected binaries in the Profanity github repo were removed by its creator in order to prevent further unsafe use of the tool. But what about the next tool or software update? To learn more about securely creating and managing your blockchain account private keys, reach out to our Web3 security experts at halborn@protonmail.com."
"Despite the new $160 million hole in its balance sheet, Gaevoy says Wintermute is on sound financial footing, with more than $350 million in equity. “We are one of the very few crypto-native proprietary trading firms that can actually take this punch,” the CEO says. For a couple hours after the hack, the company paused its OTC trading desk, where it facilitates large trades between other parties. But that has resumed to its normal operation."
"Despite a long investigation, no single individual or entity has been linked or traced to this breach." "There are many theories online as to who may have been behind this hack. Prominent cyber sleuth James Edwards has alleged that due to the analysis, smart contract code, and some dubious transactions, the hack may have been an inside job. Any and all theories on the matter are simply conjecture, as no concrete evidence has been discovered as of yet."
"[The] hacker who stole over $160 million from trading firm Wintermute has become the largest liquidity provider in a Curve Finance trading pool after depositing the funds there last year. The hacker’s stolen funds now account for 28% of the $409 million backing Curve’s 3pool, a popular decentralised trading pool that lets users swap between stablecoins Tether, Circle’s USDC, and MakerDAO’s DAI.
“All Curve pools are absolutely permissionless, so no one can stop anyone from depositing,” Michael Egorov, founder of Curve Finance, told DL News. Launched in 2020, Curve is DeFi’s biggest decentralised exchange, with its contracts holding over $5 billion worth of crypto across 12 different blockchains."
Further Analysis
Wintermute is an algorithmic trading firm and cryptocurrency market maker specializing in digital assets, with a stated commitment to decentralized finance (DeFi) and blockchain innovation. In September 2022 it lost $160 million from its DeFi operations. The attack exploited a weakness in Profanity, a tool that generates vanity addresses for cryptocurrency accounts to make them easier to work with: because Profanity seeded its random number generator with only a 32-bit value, the private key behind Wintermute's hot wallet could be recovered, and that wallet address, which had not been removed as an admin of the vault, was used to drain it. CEO Evgeny Gaevoy initially offered the attacker a 10% bounty on the stolen funds. Despite the loss, Wintermute asserted its financial stability, citing over $350 million in equity; it briefly paused its over-the-counter (OTC) trading desk and then resumed normal operations. The stolen funds were later deposited into a Curve Finance trading pool, making the attacker the pool's largest liquidity provider with 28% of its $409 million backing. The attacker has not been identified, and theories about the origin of the hack, including the possibility of an inside job, remain conjecture.
How Could This Have Been Prevented?
Sources/Further Reading
The Crypto World Is on Edge After a String of Hacks - The New York Times (Dec 31)
Wintermute (Dec 31)
About - Wintermute (Dec 31)
Crypto Market Maker Wintermute Hacked for $160M, OTC Services Unaffected (Dec 31)
@EvgenyGaevoy Twitter (Dec 31)
@zachxbt Twitter (Dec 31)
Crypto Market Maker Wintermute Hacked for $160M (Dec 31)
How Crypto Trading Firm Wintermute Was Hacked For $160 Million (Dec 31)
Explained: The Wintermute Hack (September 2022) (Dec 31)
The Wintermute Hack Explained (Dec 31)
Curve.fi DAI/USDC/USDT Token Contract and Distribution Chart (Dec 31)
Wintermute hacker turns $160m heist into top liquidity position on Curve Finance – DL News (Dec 31)
TechCrunch is part of the Yahoo family of brands (Dec 31)
An Analysis of Wintermute’s USD$160 Million Hacking - Numen (Dec 31)
Ethereum Transactions Information | Etherscan (Dec 31)
Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 31)
Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 31)