Wintermute Profanity Private Key Breach

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Wintermute Website

Cryptocurrency market maker Wintermute is a leading algorithmic trading firm specializing in digital assets, committed to advancing decentralized finance (DeFi) and blockchain innovation. Wintermute suffered a hack resulting in a loss of $160 million. The attack exploited a vulnerability related to a service called Profanity, which generated vanity addresses for cryptocurrency accounts, making them more user-friendly. Wintermute's hot wallet's private key was compromised, leading to the theft. Wintermute CEO Evgeny Gaevoy initially offered a 10% bounty on the stolen funds. Despite the substantial financial setback, Wintermute asserted its financial stability, with over $350 million in equity. The company briefly paused its over-the-counter (OTC) trading desk but soon resumed normal operations. Interestingly, the hacker who stole the funds from Wintermute deposited them into a Curve Finance trading pool, becoming the largest liquidity provider with 28% of the pool's $409 million backing. The hack's origin remains uncertain, with various theories circulating, including the possibility of an inside job.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]

About Wintermute

"We make markets in digital assets liquid and efficient. Wintermute is a leading global algorithmic trading firm in digital assets. We create liquid and efficient markets on centralized and decentralized trading platforms and off-exchange."

"Wintermute is a leading algorithmic trading firm that is focused on the innovative digital asset markets and is building the future of finance while also empowering its employees to act like owners and achieve more than it’s possible elsewhere.

Our Mission is to enable, empower and advance the truly decentralized world for more transparent, fair and efficient markets and products"

"Wintermute is a new generation algorithmic trading firm that uniquely merges [t]echnological sophistication and best practices from traditional capital markets, [t]he culture and speed of a hyper-growth technology startup[, and t]he cutting edge innovation of a blockchain-native company[.]"

"Wintermute is providing liquidity on over 50 exchanges and trading platforms." "Founded in 2017, Wintermute trades billions of dollars across crypto market daily as it provides liquidity across multiple venues. [In September 2022] it was named as the official DeFi market maker for the Tron network."

"A major challenge facing the UK-based crypto market maker is repaying millions of dollars in debt. It owes over $200 million to several counterparties in the decentralized finance (DeFi) space, which makes the situation murkier. However, CEO Gaevoy has claimed that the firm isn't defunct and remains solvent."

"In another [statement], the company reassured all its partners, saying, “We are able to return any or all outstanding loans if requested, although we would greatly appreciate if these are not recalled.”"

"Wintermute had been using Profanity not to create easy-to-remember names for digital accounts, but to lower its trading transaction costs, since that’s another feature of Profanity’s service, Gaevoy says. When Wintermute learned of the vulnerability last week, they took steps to technologically “blacklist” their Profanity accounts, shielding them from being liquidated. However, due to their own “human error,” one of the 10 accounts didn’t get blacklisted, according to Gaevoy, which probably resulted in the $160 million heist."

"These trading accounts were part of Wintermute’s “decentralized finance” or DeFi business, where it makes rapid trades on decentralized exchanges like Uniswap and Sushi Swap that aren’t controlled by a single entity. Since the DeFi ecosystem is young, highly experimental and designed to be more openly accessible than traditional finance, it doesn’t have the same safeguards that centralized exchanges like Coinbase has. “You don’t have any circuit breakers. You don’t have any two-factor authentication to help store your keys,” Gaevoy says."

"When the Profanity Hack came to public awareness, Wintermute did take steps to remove all ether from the hot wallet, however they failed to remove the address as an admin from their vault. What likely happened is that the hot wallet’s private key was compromised and used to drain the vault."
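The gap described in the two accounts above (funds moved out of the hot wallet, but one account missed when blacklisting and the address left as a vault admin) is the kind a retirement check over the key inventory catches. The following is an added example, not Wintermute's tooling; the addresses, labels, data layout and the three retirement conditions are constructed assumptions.

```python
FLAGGED_GENERATOR = "profanity"

# Constructed sample data: placeholder addresses, labels, roles and balances.
HOT, BOT, COLD = ("0x" + pair * 20 for pair in ("a1", "b2", "c3"))
KEY_INVENTORY = [
    # Inventory stores mixed case on purpose; other sources use lowercase.
    {"label": "hot wallet", "address": "0x" + "A1" * 20, "generator": "profanity"},
    {"label": "trading bot", "address": BOT, "generator": "profanity"},
    {"label": "cold storage", "address": COLD, "generator": "hardware-wallet"},
]
BALANCES = {HOT: 0, BOT: 0, COLD: 5000}          # funds already moved off HOT
DENYLIST = {BOT}                                 # HOT was missed here
ROLE_GRANTS = [                                  # authority held on contracts
    {"contract": "vault", "role": "admin", "holder": HOT},
    {"contract": "vault", "role": "admin", "holder": COLD},
]


def norm(address: str) -> str:
    """Addresses are hex; checksummed and lowercase spellings differ only in case."""
    return address.strip().lower()


def unretired_keys(inventory, balances, denylist, role_grants):
    """Map each flagged key's label to the reasons it is not fully retired."""
    balances = {norm(a): v for a, v in balances.items()}
    denylist = {norm(a) for a in denylist}
    findings = {}
    for key in inventory:
        if key["generator"] != FLAGGED_GENERATOR:
            continue
        addr = norm(key["address"])
        issues = []
        balance = balances.get(addr)
        if balance is None:
            issues.append("balance unknown")
        elif balance > 0:
            issues.append("still holds funds")
        if addr not in denylist:
            issues.append("not on deny-list")
        issues += [f"still {g['role']} on {g['contract']}"
                   for g in role_grants if norm(g["holder"]) == addr]
        if issues:
            findings[key["label"]] = issues
    return findings


if __name__ == "__main__":
    for label, issues in unretired_keys(KEY_INVENTORY, BALANCES, DENYLIST, ROLE_GRANTS).items():
        print(label, "->", "; ".join(issues))
```

An emptied wallet still shows up here because its key keeps whatever authority was granted to it; the check passes only when every flagged address has no funds, no role and a deny-list entry.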

"Cryptocurrency market maker Wintermute has lost $160 million in a hack relating to its decentralized finance (DeFi) operation, according to a tweet from the company's founder and CEO, Evgeny Gaevoy." "Gaevoy or Wintermute did not [initially] disclose when the hack took place or how the attackers were able to succeed, and whether it has alerted law enforcement." "Founder and CEO Evgeny Gaevoy says he learned of the hack a few minutes after it took place, around 6:00 AM London time. An hour later, he announced the theft on Twitter without saying how it happened." "$118.4M funds were stolen, with the majority being stablecoins, along with 671 WBTC (~$13M) and 6,928 ETH ($9.4M) and a variety of other tokens."

"Short communication on the ongoing Wintermute hack"

"We’ve been hacked for about $160M in our defi operations. Cefi and OTC operations are not affected"

"We are solvent with twice over that amount in equity left"

"If you have a MM agreement with Wintermute, your funds are safe. There will be a disruption in our services today and potentially for next few days and will get back to normal after"

"Out of 90 assets that has been hacked only two have been for notional over $1 million (and none more than $2.5M), so there shouldn’t be a major selloff of any sort. We will communicate with both affected teams asap"

"If you are a lender to Wintermute, again, we are solvent, but if you feel safer to recall the loan, we can absolutely do that"

"We are (still) open to treat this as a white hat, so if you are the attacker – get in touch"

"Gaevoy and Wintermute did not reveal how the hackers were able to succeed, or whether law enforcement was notified. However, to speed up the damage control process, the firm has offered a 10% bounty on funds taken to the hacker. Gaevoy said the hacker should keep $16 million and refund the balance to an address he made public"

"The Wintermute CEO has some leads on who the hacker might be, and he’s investigating them “both internally and with the use of external partners.” He’s hoping that the hacker will become a “white hat” who returns most of the funds, and he’s now offering a 10% bounty, or $16 million, if the hacker gives back the remaining $144 million. He tweeted that Wintermute “would prefer to resolve this in a simple way, but the window of opportunity to do so is closing fast due to the high profile of this exploit.”"

"Gaevoy explained to Forbes that, although the investigation is still ongoing, the hack likely originated with a service called Profanity, which generates “vanity addresses” for digital cryptocurrency accounts to make them easier to work with. Otherwise, crypto accounts are roughly 30-character strings of varied letters and numbers. Last week, a blog post by another crypto firm revealed a security vulnerability with Profanity’s code. The gist of the problem: someone with enough computing power can generate all the possible keys or passwords created for a Profanity vanity address. Then they can scan the associated accounts to see how much money they hold and steal the funds."

"for the most secure cryptographic practices, a cryptographic pseudorandom number generator (CPRNG) seeded with a random value is used to create random values, such as private keys. Profanity, however, seeded its CPRNG with a 32-bit number. Thus, an attacker with significant compute resources was able to brute-force their way through Profanity address’ possible seed values and recreate the private keys. In Wintermute’s case, both their DeFi vault contract, as well as their hot wallet are likely to be vanity addresses."
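The seeding weakness in the two passages above, shown as an added example (not code from Profanity, Wintermute or the quoted sources): a 256-bit key whose only entropy is a small seed, next to a key drawn from the OS CSPRNG. `random.Random` stands in for the seeded generator, the seed width is scaled down from 32 to 16 bits so the check finishes in seconds, keys are plain integers with no curve or address math, and all function names are hypothetical.

```python
import random
import secrets

KEY_BITS = 256          # size of the private key that comes out
DEMO_SEED_BITS = 16     # assumption: scaled down from 32 so the demo runs in seconds


def weak_private_key(seed: int) -> int:
    """Weak pattern: every bit of the key is derived from a small integer seed.

    random.Random is a stand-in deterministic generator, not Profanity's code.
    """
    return random.Random(seed).getrandbits(KEY_BITS)


def strong_private_key() -> int:
    """Hardened pattern: all 256 bits come from the operating system's CSPRNG."""
    return secrets.randbits(KEY_BITS)


def reproducing_seed(key: int, seed_bits: int):
    """Return the seed that regenerates `key`, or None if none exists.

    The loop is bounded by the seed space (2**seed_bits), not by the key
    length, which is why a long key does not compensate for a short seed.
    """
    for seed in range(2 ** seed_bits):
        if weak_private_key(seed) == key:
            return seed
    return None


def distinct_keys(seed_bits: int) -> int:
    """Count how many different keys the weak generator can ever emit."""
    return len({weak_private_key(s) for s in range(2 ** seed_bits)})


if __name__ == "__main__":
    weak = weak_private_key(0xBEEF)            # constructed sample seed
    print("weak key regenerated from seed:", reproducing_seed(weak, DEMO_SEED_BITS))
    print("possible weak keys:", distinct_keys(DEMO_SEED_BITS), "of 2**256")
    print("strong key regenerated from seed:",
          reproducing_seed(strong_private_key(), DEMO_SEED_BITS))
```

The same reasoning applies when reviewing any key-generation tool: the effective strength of a key is the entropy of what seeds the generator, so the seed source deserves the same scrutiny as the key length.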

"Thankfully, after the initial Profanity vulnerability was discovered, all affected binaries in the Profanity github repo were removed by its creator in order to prevent further unsafe use of the tool. But what about the next tool or software update? To learn more about securely creating and managing your blockchain account private keys, reach out to our Web3 security experts at halborn@protonmail.com."

"Despite the new $160 million hole in its balance sheet, Gaevoy says Wintermute is on sound financial footing, with more than $350 million in equity. “We are one of the very few crypto-native proprietary trading firms that can actually take this punch,” the CEO says. For a couple hours after the hack, the company paused its OTC trading desk, where it facilitates large trades between other parties. But that has resumed to its normal operation."

"Despite a long investigation, no single individual or entity has been linked or traced to this breach." "There are many theories online as to who may have been behind this hack. Prominent cyber sleuth James Edwards has alleged that due to the analysis, smart contract code, and some dubious transactions, the hack may have been an inside job. Any and all theories on the matter are simply conjecture, as no concrete evidence has been discovered as of yet."

"[The] hacker who stole over $160 million from trading firm Wintermute has become the largest liquidity provider in a Curve Finance trading pool after depositing the funds there last year. The hacker’s stolen funds now account for 28% of the $409 million backing Curve’s 3pool, a popular decentralised trading pool that lets users swap between stablecoins Tether, Circle’s USDC, and MakerDAO’s DAI.

“All Curve pools are absolutely permissionless, so no one can stop anyone from depositing,” Michael Egorov, founder of Curve Finance, told DL News. Launched in 2020, Curve is DeFi’s biggest decentralised exchange, with its contracts holding over $5 billion worth of crypto across 12 different blockchains."

The Reality

What Happened

Key Event Timeline - Wintermute Profanity Private Key Breach

Date | Event | Description
September 15th, 2022 | Profanity | "On September 15th, 1inch Network warned investors that addresses generated through this tool were particularly vulnerable as their private keys could easily be cracked through a brute force attack."
September 19th, 2022 10:40:11 PM MDT | Transfer From TornadoCash | 10 ETH is transferred from TornadoCash to the attacker's wallet.
September 19th, 2022 10:48:47 PM MDT | Smart Contract Created | The attacker creates a smart contract.
September 19th, 2022 11:11:35 PM MDT | Wintermute Drained | The drain transaction involving the hacked Wintermute wallet is executed on the blockchain.
September 20th, 2022 2:03:00 AM MDT | Evgeny Gaevoy Tweet | CEO Evgeny Gaevoy publishes a tweet about the ongoing hack.
September 20th, 2022 2:14:00 AM MDT | ZachXBT Tracing Address | ZachXBT publishes the attacker's address on Twitter.
September 20th, 2022 2:15:00 AM MDT | CoinDesk Article Published | CoinDesk publishes an article on the Wintermute hack.

Technical Details

Total Amount Lost

The total amount lost has been estimated at $160,000,000 USD.

Immediate Reactions

Ultimate Outcome

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References