Digital assets trading firm Wintermute has been hacked and lost $162.2 million in DeFi operations, the company CEO, Evgeny Gaevoy, announced earlier today.
Wintermute provides liquidity to over 50 cryptocurrency exchanges and trading platforms, including Binance, Coinbase, Kraken, and Bitfinex.
The company remains solvent, holding twice the stolen amount in equity. A service disruption in the following days, though, is to be expected as the platform will work to restore all its operations.
Gaevoy has also stated that they’re willing to treat the security incident as a “white hat” event, meaning they are open to paying the attacker a bounty for successfully exploiting the vulnerability, without any legal consequences.
However, it’s unknown if the threat actor is interested in returning the stolen funds to Wintermute.
The company CEO has clarified that Wintermute’s CeFi (centralized finance) and OTC (over-the-counter) operations have not been impacted by the security breach.
To ease lenders’ anxiety, Gaevoy has offered them the opportunity to recall their loans if they want to.
The hacker’s wallet currently holds roughly $47.7 million worth of digital assets. The rest of the money has been moved to Curve Finance’s “3CRV” liquidity pool, where the tokens will be hard to distinguish and freeze.
How the hack happened
Gaevoy did not provide details about how the hacker managed to steal the funds, but some crypto experts suggest a plausible scenario: the attacker likely exploited a bug in Profanity, a vanity address generator for Ethereum, for which a proof-of-concept (PoC) exists.
Profanity is an Ethereum vanity address generation tool: instead of a completely random address, it lets users create a personalized address that contains a predefined string of hexadecimal characters (digits and the letters A through F).
The author abandoned the project a few years ago, due to fundamental security flaws that enabled cracking the private keys.
More specifically, it was estimated that someone could brute-force private keys of every 7-character vanity address using roughly a thousand GPUs for 50 days.
Although such a collection of GPUs requires a significant investment, many cryptocurrency mining farms work with a larger number of GPUs.
Furthermore, powerful mining farms have been rendered useless following the recent Ethereum merge. Some of these farm operators might find that cracking Profanity addresses would be an excellent way to return to profitability.
Security analysts have recently disclosed Profanity’s vulnerability and claimed that attackers already used it to steal $3.3 million.
They called on everyone holding funds in wallets created with Profanity to move the assets elsewhere immediately.
Following the recent disclosures, the author of Profanity removed all binaries and archived the project’s GitHub repository to reduce the risk of someone using the insecure tool in the future.
The compromised Wintermute wallet appears to have been created with the buggy vanity address generator, so the Profanity weakness is a plausible explanation for how the money was stolen.