
Wintermute Crypto Exchange Hack – Sep 20, 2022 – Detailed Analysis

by ImmuneBytes

Executive Summary

On Sep 20, 2022, the cryptocurrency market maker Wintermute suffered a significant security breach that resulted in the theft of approximately $160 million.

This report provides a comprehensive analysis of the incident, including its background, causes, impact, and the actions Wintermute took in response.

About Wintermute

Wintermute, founded in 2017, is a renowned global algorithmic market maker specializing in providing liquidity to centralized and decentralized trading platforms.

It has gained recognition as a key liquidity provider on various cryptocurrency exchanges, including Binance, FTX, and Kraken, on decentralized finance (DeFi) platforms such as Dydx and Uniswap, and for the crypto ETPs of ETC Group.

Since Sep 2022, Wintermute has been the official market maker and strategic partner for the Tron blockchain network.

Wintermute is one of the largest players in the market and, as of Q2 2023, works with more than 1,000 counterparties.

Since May 2022, it has executed over 8.4M OTC trades in total, including its single biggest trade, which exceeded $1 billion.

Incident Overview

On Sep 20, 2022, Wintermute fell victim to a security breach that resulted in a substantial loss of around $160 million. Founder and CEO Evgeny Gaevoy confirmed the breach through a tweet, specifying that the funds were associated with Wintermute’s DeFi operations.

Importantly, the breach did not impact Wintermute’s centralized exchange or over-the-counter services, and the company assured users of the safety of their remaining funds.

Root Cause Analysis

The breach was traced back to a vulnerability in a service utilized by Wintermute called “Profanity.”

Profanity aimed to simplify complex cryptocurrency addresses by creating “vanity addresses.”

Because of the vulnerability in Profanity, anyone with access to substantial computing power could regenerate every private key that Profanity could have produced for a given vanity address, and then scan the associated accounts to learn how much money each one held.

As a result, malicious actors could recover the keys for these vanity addresses, gain unauthorized access to the accounts, and steal the funds.

According to one estimate, using around a thousand GPUs for 50 days would be enough to brute-force the private keys of every 7-character vanity address.

The author of Profanity had abandoned the project a few years earlier, and with no further development the flaw was never patched.

Wintermute attempted to mitigate the risk by blacklisting accounts using Profanity addresses. However, a human error within the Wintermute team resulted in one of the 10 accounts not being blacklisted, which is believed to be the avenue through which the $160 million was stolen.

Wintermute is believed to have used Profanity primarily to reduce its trading transaction costs, rather than to make account names easier to read (account addresses are generally 30-character-long combinations of letters and numbers).
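The control that failed here was a manually maintained denylist that missed one address. As an added illustration (not Wintermute's own tooling), the following Python reconciles a treasury address inventory against a denylist and reports any vanity-style address the denylist does not cover; the sample addresses and the "7 identical leading hex digits" heuristic are constructed assumptions.

```python
import re

# Constructed sample treasury inventory (not Wintermute's real addresses).
# Vanity generators usually aim for a long run of one leading hex digit, so a
# run of 7 identical leading nibbles is the heuristic used here (assumption).
INVENTORY = [
    "0x0000000a1b2c3d4e5f60718293a4b5c6d7e8f9aa",  # vanity-style, 7 leading zeros
    "0x8f3c2b1a0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b",  # ordinary random-looking address
    "0x0000000ffe1d2c3b4a5968778695a4b3c2d1e0ff",  # vanity-style
    "0xAAAAAAA0123456789abcdef0123456789abcdef0",  # vanity-style, mixed case
]

# Denylist of addresses known to come from the weak generator. One vanity
# address above is deliberately absent to mirror the coverage gap in the text.
DENYLIST = {
    "0x0000000a1b2c3d4e5f60718293a4b5c6d7e8f9aa",
    "0xaaaaaaa0123456789abcdef0123456789abcdef0",
}

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
VANITY_RUN = 7  # minimum leading run of one nibble to treat as vanity-style


def normalize(addr: str) -> str:
    """Validate a 20-byte hex address and lowercase it so set lookups ignore case."""
    if not ADDR_RE.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return addr.lower()


def leading_run(addr: str) -> int:
    """Length of the run of identical hex digits at the start of the address body."""
    body = normalize(addr)[2:]
    n = 1
    while n < len(body) and body[n] == body[0]:
        n += 1
    return n


def is_vanity_style(addr: str, min_run: int = VANITY_RUN) -> bool:
    return leading_run(addr) >= min_run


def uncovered_vanity(inventory, denylist, min_run: int = VANITY_RUN) -> list:
    """Vanity-style inventory addresses the denylist does not cover (alert if non-empty)."""
    blocked = {normalize(a) for a in denylist}
    return sorted(normalize(a) for a in inventory
                  if is_vanity_style(a, min_run) and normalize(a) not in blocked)
```

Run `uncovered_vanity(INVENTORY, DENYLIST)` as a scheduled check; any address it returns is a live key that the denylist was supposed to retire.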

Investigation and Analysis

Despite an extensive investigation, authorities have been unable to identify or trace any single individual or entity responsible for the Wintermute breach.

Initially, Evgeny Gaevoy, the CEO of Wintermute, expressed a willingness to treat the incident as a “white hat” event. This approach involves compensating a hacker for identifying and rectifying vulnerabilities within a system.

Gaevoy tweeted an address where the hacker could return 90% of the stolen funds, with the remaining 10% as a bounty. Unfortunately, no funds were returned, leaving the identity and motives of the hacker shrouded in mystery.

Numerous theories have circulated online regarding the possible perpetrators of the hack. Prominent cyber sleuth James Edwards suggested, based on his analysis of the smart-contract code and suspicious transactions, that the hack might have been an inside job. However, these theories remain speculative, as no concrete evidence has been discovered thus far.

Following the attack, Evgeny Gaevoy took to Twitter to provide updates. He disclosed that Wintermute’s DeFi operations had been compromised, but the company’s CeFi (Centralized Finance) and OTC (Over-the-Counter) offerings remained secure and unaffected.

Although Wintermute owed $200 million to several DeFi platforms after the exploit, CEO Gaevoy reassured users that Wintermute remained financially solvent, with more than double the $160 million lost in the breach still available in equity. He also emphasized Wintermute’s commitment to honor loan recalls if users wished to exercise that option.

Stolen Assets and Transactions

In an official tweet, Founder and CEO Evgeny Gaevoy provided a breakdown of the stolen funds. In this $160M exploit, the hacker took away about:

  • $120 million worth of Wintermute’s stablecoins, including USDC and USDT
  • $20 million worth of Bitcoin and Ether
  • Other, smaller cryptocurrencies worth $20 million

As part of the on-chain analysis, it was observed that the hacker transferred over $160 million worth of assets from 90 different sources to their wallet address: 0xe74b28c2eAe8679e3cCc3a94d5d0dE83CCB84705.

The hacker conducted various transactions to obscure the origins of the stolen assets:

  • Converted 9,470,755 BUSD to 9,467,293 DAI using Curve.Fi.
  • Converted 3,246,604 TrueUSD to 3,246,041.4025 DAI using an unnamed smart contract.
  • Converted 61,350,986 USDC to 111,953,508 using the Curve 3pool LP.
  • Converted 23,609,070 DAI to 29,461,553 USDT using Curve.Fi.
  • Converted 350,000 WINU to 35 wETH using Uniswap V2.
  • Unwrapped 6,919.6925 wETH to ETH.

These transactions indicate an attempt by the hacker to mix and diversify the stolen assets, likely as part of an effort to launder the funds. Additionally, the hacker’s actions extended to the purchase of non-fungible tokens (NFTs), which further complicates the tracing of the stolen funds.

Furthermore, it is noteworthy that an incoming transaction of 9.9435 Ether was detected from a Tornado Cash address that had been flagged on Aug 8, 2022. It suggests that the hacker may have employed privacy-focused tools to obscure their activities and maintain anonymity.

The hacker’s wallet possessed diverse assets, including nearly $13 million in Wrapped Bitcoin (WBTC), $9.3 million in Ethereum (ETH), and various other tokens.

Most stolen funds, amounting to $114 million in stablecoins, were transferred to Curve Finance to evade detection. By mingling with a pool of similar tokens worth $869 million, it became considerably more challenging for the asset issuers to freeze the stolen assets.

Aftermath and Recovery

Wintermute reassured its user base that the company’s financial stability remained intact, with over $350 million in equity, exceeding the amount lost in the breach. Additionally, users were given the option to recall their loans with the company to enhance their security.

Wintermute temporarily halted normal trading operations on its DeFi platform immediately after the breach for a brief period but later resumed operations.

It is worth noting that Wintermute had encountered an earlier incident that year involving the accidental transfer of $15 million worth of Optimism (OP) tokens, which the recipient eventually returned.

Conclusion

The Wintermute crypto exchange hack of September 2022 highlighted the vulnerabilities inherent in the cryptocurrency ecosystem. While the hacker’s identity remains elusive, Wintermute demonstrated resilience and financial stability, reassuring users of the safety of their remaining funds and offering an option to recall loans for added peace of mind.

As the investigation continues, the cryptocurrency community emphasizes the importance of robust security measures in the evolving landscape of decentralized finance.
