Hack Traced to Bug in Wallet Addressing Tool
The chief executive of cryptocurrency trading firm Wintermute renewed his plea to the cyberthief who stole $160 million to return the digital assets, writing that the hacker could keep 10% of the pilfered amount.
The hack affected the London-based market maker’s decentralized finance operation, CEO Evgeny Gaevoy acknowledged earlier this week while stressing the company’s solvency (see: Hacker Plunders $160M From Crypto Market Maker Wintermute).
In a follow-up set of tweets, Gaevoy asserted the company has multiple leads on the responsible party. Wintermute “would prefer to resolve this in a simple way, but the window of opportunity to do so is closing fast due to the high profile of this exploit,” he wrote.
“To make it easy, we propose for you to transfer all of the funds taken through the exploit, save for $16M,” Gaevoy said, and posted a wallet address. Hacked cryptocurrency platforms often ask for stolen funds to be returned and sometimes even get them, as in the case of a hacker who in 2021 returned $610 million stolen from the Poly Network. “I am not very interested in money,” the hacker claimed.
Wintermute supplies liquidity to cryptocurrency trading by holding digital assets in internet-connected wallets and tapping into them when necessary to ensure the execution of large deals. The company is among the largest cryptocurrency market makers. Its centralized finance exchange and over-the-counter trading operations were halted for some time as a risk management precaution but fully resumed Tuesday afternoon, Coordinated Universal Time, the company said. The liquidity provision services for blockchain projects are also functioning normally, it added.
Gaevoy supplied additional details about the hack, saying it was linked to a vulnerability created by a wallet addressing tool called Profanity. The bug was publicly disclosed on Sept. 15 by 1inch Network. It stems from how Profanity hashes wallet public keys to generate a blockchain address and allows attackers to recover the private encryption key necessary to drain a wallet of funds.
Gaevoy says the company last used the Profanity tool to generate wallet addresses in June and accelerated retirement of the encryption keys, but along the line it made an error he attributes to a human rather than to an automated process.
“As advanced as our tech may be, most of the exploits come from human errors,” Gaevoy wrote, adding that Wintermute continuously invests in “processes to minimize human impact.”