On Tuesday, cryptocurrency market maker Wintermute reported losing $160 million in an exploit, becoming the latest victim in a series of high-level hacks that have beleaguered the DeFi industry year to date.
In a thread of tweets following the hack, Wintermute CEO Evgeny Gaevoy explained what happened, partially attributing the exploit to an “internal human error”. The hack, which saw some 90 assets affected, was linked to Wintermute’s Ethereum vault, which is used for DeFi proprietary trading operations.
According to Gaevoy, the attack was a “Profanity-type exploit” of the firm’s DeFi vault. He admitted they had used Profanity together with an internal tool to generate addresses, which he said would help them save on gas fees.
Profanity is an Ethereum address-generating tool which was reportedly hacked last week, with $3.3 million in cryptocurrencies being stolen. According to the tool’s GitHub page, the project was abandoned a couple of years ago after “fundamental security issues in the generation of private keys” were raised. However, following last week’s exposé by 1inch, the project was marked as archived to warn people against using it.
According to Gaevoy, although Wintermute last generated addresses using Profanity in June before moving to a more secure key generation script, last week’s hack prompted them to move all ETH from the compromised addresses, accelerating the “old key” retirement. However, in the process, they “failed to remove this address’s ability to sign for and do other things”, exposing key details to the hacker, tweeted Nicholas Weaver, a researcher at ICSI and Chief Mad Scientist.
According to Gaevoy, the DeFi vault was the only one affected since it is “completely separate and independent” from the firm’s CeFi and OTC operations. He further clarified that all Wintermute lenders were safe, adding that they were free to recall their loans since the company still had over twice the amount stolen.
In the latest update, Wintermute has offered a 10% bounty ($16m USDC) on funds taken, stating that they are still treating the exploit as a white hat attack. Gaevoy has also stated that there will be no lay-offs, strategy changes or emergency fundraisers, adding that they are working with multiple leads to resolve the issue “in a simple way”.
Meanwhile, the hacker’s wallet currently holds around $9 million in ether (ETH) and over $100 million in other assets in Curve’s 3pool, presumably in an attempt to avoid any blacklisting. That said, with Tuesday’s incident marking the first major DeFi exploit since crypto mixer Tornado Cash was sanctioned, it will be interesting to see how those funds are laundered if Wintermute fails to reach a compromise with the hacker.