Wintermute Attacked, $160M Snatched
Wintermute, an algorithmic market maker in digital assets, has been hacked. Hackers exploited a vulnerability in the wallet used for DeFi proprietary trading operations and stole $160M.
Wintermute is a company founded by Evgeny Gaevoy. It is an algorithmic trading firm that is focused on the innovative digital asset markets. Wintermute's mission is to enable, empower and advance a truly decentralized world for more transparent, fair and efficient markets and products.
On September 20, Wintermute ran into trouble: the wallet used for DeFi proprietary trading operations was attacked by hackers. The attack became possible because of a mistake by an employee.
The crypto community found out about the attack on Twitter from Wintermute's CEO and founder, Evgeny Gaevoy. During the attack, Evgeny started a thread in which he began to explain to people what was going on.
Short communication on the ongoing Wintermute hack
— wishful cynic (@EvgenyGaevoy) September 20, 2022
Basically, the thread consisted of brief information that a hack had occurred.
We’ve been hacked for about $160M in our defi operations. Cefi and OTC operations are not affected
— wishful cynic (@EvgenyGaevoy) September 20, 2022
Also, various users posted messages for Wintermute lenders stating that the funds of those who have an MM agreement with Wintermute are safe and that the company’s operations have been temporarily affected. As an assurance, Wintermute users can retrieve their loans if they wish.
If you have a MM agreement with Wintermute, your funds are safe. There will be a disruption in our services today and potentially for next few days and will get back to normal after
— wishful cynic (@EvgenyGaevoy) September 20, 2022
If you are a lender to Wintermute, again, we are solvent, but if you feel safer to recall the loan, we can absolutely do that
— wishful cynic (@EvgenyGaevoy) September 20, 2022
Evgeny also wrote that employees hope that the attack was carried out by a “white hat” hacker. Therefore, he asked the hacker to contact Wintermute.
We are (still) open to treat this as a white hat, so if you are the attacker – get in touch
— wishful cynic (@EvgenyGaevoy) September 20, 2022
About an hour later, Evgeny opened a new thread, which contained details of the attack. Evgeny said that the hacker attacked a “wallet used for DeFi proprietary trading operations.”
1. Attack vector
The attack was in relation to our wallet used for DeFi proprietary trading operations, which are completely separate and independent from our CeFi and OTC operations
— wishful cynic (@EvgenyGaevoy) September 20, 2022
At the same time, Evgeny noted that the attack did not affect “internal systems in both Cefi and Defi.”
Our internal systems in both Cefi and Defi are not affected, as well as any internal or counterparty data
— wishful cynic (@EvgenyGaevoy) September 20, 2022
According to Evgeny Gaevoy, the hackers may have used a “Profanity-type exploit.” Wintermute used Profanity to generate addresses with a lot of zeros in front. Wintermute found out about the exploit a week before the attack and quickly began to switch to a new system.
Last time we generated addresses this way was in June. We have since moved to a more secure key generation script. As we learned about the Profanity exploit last week, we accelerated the “old key” retirement
— wishful cynic (@EvgenyGaevoy) September 20, 2022
But during the switch, a mistake caused by human error occurred. It is quite possible that this mistake was the vulnerability that the hackers took advantage of.
And then, due to an internal (human) error, a wrong function has been called and we blacklisted the router instead of the operator (contract that signs)
— wishful cynic (@EvgenyGaevoy) September 20, 2022
Evgeny also promised the hacker 10% of the stolen funds if the money is returned. So far, there has been no response.
To the hacker, we offer a 10% bounty on funds taken. To make it easy, we propose for you to transfer all of the funds taken through the exploit, save for $16M USDC, to:
0x4f3a120E72C76c22ae802D129F599BFDbc31cb81
— wishful cynic (@EvgenyGaevoy) September 20, 2022
Despite the attack, Evgeny maintains a positive attitude and confidence in the future development of the company. Also, Evgeny promised that there will be no layoffs and no revision of strategy.
And this is what we are planning to do. No lay-offs. No strategy changes. No emergency fundraise. Not giving up on defi.
Keep moving forward through this bear market with the rest of you
— wishful cynic (@EvgenyGaevoy) September 20, 2022
We wish you, dear readers, continued confidence in the future, no matter what. We will continue to observe.