CEO Morning Brief

Wintermute Hacked for About US$160 Mil in DeFi Operations

edgeinvest
Publish date: Thu, 22 Sep 2022, 08:45 AM

(Sept 21): Crypto market maker Wintermute said about US$160 million had been hacked from its decentralised finance unit, the latest in a string of exploits hitting the digital assets industry.

Wintermute’s centralised finance and over-the-counter operations were not affected and the company remains “solvent”, its founder and chief executive officer Evgeny Gaevoy said on Twitter on Tuesday (Sept 20).

A cryptocurrency wallet address labelled on blockchain explorer platform Etherscan as belonging to the Wintermute exploiter showed a series of transactions took place earlier on Tuesday, one of which involved transferring 112 million native tokens of Curve’s 3pool, a platform for swapping stablecoins, from a null address to the hacker.

These tokens were swapped for US$29.5 million in USDT, US$61.4 million in USDC and US$23.6 million in DAI, worth a total of US$114.4 million. Data on blockchain analysis platform Arkham confirmed those figures, while also pointing to around US$48.9 million in other tokens including wrapped Bitcoin, Ether and USDP.

We’ve been hacked for about (US)$160M in our defi operations. Cefi and OTC operations are not affected
— wishful cynic (@EvgenyGaevoy) Sept 20, 2022

Hackers are a rising menace in DeFi, where crypto investors trade, borrow and lend without using a central intermediary. North Korea-affiliated hackers alone stole about US$1 billion from DeFi protocols in the first seven months of the year, accounting for more than half of the total value of crypto hacks, according to a report published by researcher Chainalysis last month.

Gaevoy offered the hacker a 10% bounty on the funds taken, nudging the attacker to transfer all of the money, excluding US$16 million USDC, to a specific wallet address.

To the hacker, we offer a 10% bounty on funds taken. To make it easy, we propose for you to transfer all of the funds taken through the exploit, save for (US)$16M USDC, to: 0x4f3a120E72C76c22ae802D129F599BFDbc31cb81
— wishful cynic (@EvgenyGaevoy) Sept 20, 2022

Marina Gurevich, the firm’s chief operating officer, said in an email that Wintermute was working with external teams and cybersecurity specialists “to identify the exact nature of the hack and person(s) responsible”.

“We can confirm we remain in a financially strong position and there is no more further damage possible in relation to this hack,” she added.

Vanity Address

The attack was likely the result of the hacker exploiting an old Wintermute wallet address, which still retained administrative access to the market maker’s vault contract, said Mudit Gupta, chief information security officer at blockchain platform Polygon. Vault contracts are digital wallets that are used to store tokens and automate DeFi transactions.

The Wintermute wallet involved in the hack used a so-called “vanity address”, which replaces the letters and numbers in a typical Ethereum address with zeroes to make it look simpler. Earlier this month, a vanity address tool called Profanity disclosed a critical bug that made its addresses unsafe to use, though it is not known whether Wintermute used Profanity.

Wintermute was hacked for ~160m a few hours ago.
I took a quick look and my best guess is that it was a hot wallet compromise due to the Profanity bug that was publicly disclosed a few weeks ago.
— Mudit Gupta (@Mudit__Gupta) Sept 20, 2022

Counterparties

Wintermute counterparties (those that either borrow from, lend to or trade with the firm) could be affected by the hack.

Wintermute is listed as the top borrower on DeFi liquidity marketplace Clearpool, with a total of US$22.2 million in USDC outstanding on the platform. It also has an outstanding loan for US$92.1 million in USDT with TrueFi, according to Andrew Thurman, content lead at Nansen. The TrueFi loan will mature on Oct 15, the platform’s website showed.

Meanwhile Maple, another DeFi lender, said in a tweet that it was communicating with Wintermute about any fallout from the attack, with assurances that Wintermute has “sufficient equity to cover hack and repay loans”. Wintermute has US$75 million in active loans on Maple, according to Thurman.

Executives at Clearpool, TrueFi and Maple did not immediately respond to requests for comment.

Gaevoy reassured those with agreements with Wintermute that their funds are safe and that the business remains solvent, but said the company would work with any lender that preferred to have their loan repaid. “There will be a disruption in our services today and potentially for next few days and will get back to normal after,” he added.

Source: TheEdge - 22 Sep 2022
