Wintermute, a London-based cryptocurrency firm that trades billions of dollars’ worth of digital assets daily, lost $160 million in a hack early on Tuesday. Founder and CEO Evgeny Gaevoy says he learned of the hack a few minutes after it took place, around 6:00 AM London time.
An hour later, he announced the theft on Twitter without saying how it happened. All told, the hacker stole about $120 million worth of Wintermute’s “stable coins” including USDC and USDT, $20 million worth of its bitcoin and ether and another $20 million worth of lesser-known cryptocurrencies.
Gaevoy explained to Forbes that, although the investigation is still ongoing, the hack likely originated with a service called Profanity, which generates “vanity addresses” for digital cryptocurrency accounts to make them easier to work with. Otherwise, crypto accounts are roughly 30-character strings of varied letters and numbers.
Last week, a blog post by another crypto firm revealed a security vulnerability in Profanity’s code. The gist of the problem: someone with enough computing power can generate all the possible keys or passwords created for a Profanity vanity address. Then they can scan the associated accounts to see how much money they hold and steal the funds.
Wintermute had been using Profanity not to create easy-to-remember names for digital accounts, but to lower its trading transaction costs, since that’s another feature of Profanity’s service, Gaevoy says. When Wintermute learned of the vulnerability last week, they took steps to technologically “blacklist” their Profanity accounts, shielding them from being liquidated.
However, due to their own “human error,” one of the 10 accounts didn’t get blacklisted, according to Gaevoy, which probably resulted in the $160 million heist. These trading accounts were part of Wintermute’s “decentralized finance” or DeFi business, where it makes rapid trades on decentralized exchanges like Uniswap and Sushi Swap that aren’t controlled by a single entity.
Since the DeFi ecosystem is young, highly experimental and designed to be more openly accessible than traditional finance, it doesn’t have the same safeguards that centralized exchanges like Coinbase have. “You don’t have any circuit breakers. You don’t have any two-factor authentication to help store your keys,” Gaevoy says.
In 2021, DeFi hacks totaled $1.3 billion, according to research by security firm Certik. Analytics firm Chainalysis estimates that North Korea-linked groups stole $1 billion from DeFi protocols in the first eight months of 2022. Some tried and true security practices in crypto, such as using external hardware wallets or “multi-sig” applications that need to be digitally signed by multiple parties before a transaction is approved, can’t be used for the type of automated trading Wintermute does.
“You need to sign transactions on the fly, within seconds,” says Gaevoy. So they had to invent their own tech tools and security protocols. “Ultimately, that’s the risk we took. It was calculated.” DeFi has been a flourishing part of Wintermute’s business in prior years. “It didn’t work out this year,” he admits.
The Wintermute CEO has some leads on who the hacker might be, and he’s investigating them “both internally and with the use of external partners.” He’s hoping that the hacker will become a “white hat” who returns most of the funds, and he’s now offering a 10% bounty, or $16 million, if the hacker gives back the remaining $144 million. He tweeted that Wintermute “would prefer to resolve this in a simple way, but the window of opportunity to do so is closing fast due to the high profile of this exploit.”
Despite the new $160 million hole in its balance sheet, Gaevoy says Wintermute is on sound financial footing, with more than $350 million in equity. “We are one of the very few crypto-native proprietary trading firms that can actually take this punch,” the CEO says. For a couple of hours after the hack, the company paused its OTC trading desk, where it facilitates large trades between other parties. That desk has since resumed normal operation.
Critics by Chayanika Deka
“The 1inch contributors checked the richest vanity addresses on popular networks and came to the conclusion that most of them were not created by the Profanity tool. But Profanity is one of the most popular tools due to its high efficiency. Sadly, that could only mean that most of the Profanity wallets were secretly hacked.”
According to 1inch, Profanity happens to be a popular and “highly efficient” tool with which users are able to create millions of addresses per second. However, the procedure used by Profanity to generate the addresses was not flawless either and was susceptible to attacks.
The security disclosure report published by 1inch last week also noted that the vulnerability may have enabled hackers to “secretly” steal millions of dollars from Profanity users’ wallets for years. The contributors are currently trying to determine all the compromised vanity addresses.
Soon after the warning, blockchain investigator ZachXBT reported an attack that drained over $3 million in funds. Fortunately, his tweet helped a user save $1.2 million in crypto and NFTs from the hacker who had access to their wallet.
According to Tal Be’ery, ZenGo’s security lead and chief technology officer, the malicious entities could have been “sitting” on the vulnerability in an attempt to get their hands on as many private keys of bug-ridden Profanity-generated vanity addresses as possible before the vulnerability was detected. However, they cashed out after it was publicly exposed by 1inch.
Meanwhile, one of the Profanity developers, who goes by the pseudonym ‘johguse’ on GitHub, said that they had “abandoned” the project a few years ago. The comment read:
“This project was abandoned by me a couple of years ago. Fundamental security issues in the generation of private keys have been brought to my attention. I strongly advise against using this tool in its current state. This repository will soon be further updated with additional information regarding this critical issue.”