Hack May Stem From Known Wallet Addressing Vulnerability
A hacker stole $160 million in digital assets from cryptocurrency trading firm Wintermute, its chief executive said Tuesday in an appeal for hackers to return the funds. The appeal also carried a message that the company remains solvent.
Any lender inclined to recall a loan will be paid in full, tweeted CEO Evgeny Gaevoy.
The hack affected the London-based market maker’s decentralized finance operation but not its centralized finance or over-the-counter operations, Gaevoy said. The company has more than twice the stolen amount on hand in equity, he added.
Wintermute supplies liquidity to cryptocurrency trading by holding digital assets in internet-connected wallets and tapping into them when necessary to ensure the execution of large deals. The company is among the largest market makers and is backed by Lightspeed Venture Partners and Pantera Capital.
“We are (still) open to treat this as a white hat, so if you are the attacker – get in touch,” Gaevoy tweeted.
Cybercriminals have found decentralized finance platforms especially attractive places for theft. One industry estimate says cybercrime involving decentralized finance accounts for three quarters of major cryptocurrency hacks.
Profanity Bug the Source of Leak?
Blockchain investigator ZachXBT shared details of the hacker’s wallet.
Mudit Gupta, chief information security officer at Ethereum cryptocurrency transaction scaler Polygon, analyzed tokens being transferred to the attacker’s address and said the hack may be a hot wallet compromise due to a vulnerability created by a wallet addressing tool called Profanity. The bug was publicly disclosed Thursday by 1inch Network.
The vulnerability, which stems from how Profanity hashes wallet public keys to generate a blockchain address, allows attackers to recover the private key necessary to drain a wallet of funds, 1inch Network disclosed. “It looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions,” the company warned.
In a blog post, Gupta said it appears that Wintermute removed all Ethereum cryptocurrency from a wallet that may have been generated using Profanity. But, he added, “They forgot to remove this address as an admin from their vault.”