Wintermute DeFi Operations Hacked for $160M

Crypto market maker Wintermute has lost $160M in a hack that targeted its DeFi operations early Tuesday.

“If you have a [market maker] agreement with Wintermute, your funds are safe,” CEO Evgeny Gaevoy said on Twitter. “There will be a disruption in our services today and potentially for [the] next few days and will get back to normal after.”

On Thursday, Wintermute gave the hacker one day to return 90% of the funds and write off the remaining 10% as payment for having discovered a vulnerability.

“If the funds are not returned by [Sept. 23], you will force us to remove our bounty offer and white-hat label,” Wintermute wrote in an on-chain message to the hacker, using a term for friendly hackers. “We will then proceed accordingly with the appropriate authorities and avenues.”

Vanity Address

Mudit Gupta, Polygon’s head of information security, said the attacker likely exploited a bug in Profanity, a program that generates “vanity” wallet addresses.

Like license plates on vehicles, crypto addresses are a randomized string of numbers and letters. With Profanity, however, users are able to generate addresses that appear less random and more legible to human eyes.

Profanity Bug

In Wintermute’s case, it was using a Profanity-generated address that started with several zeroes.

Anton Bukov, the co-founder of 1inch, the DeFi protocol that first detailed the bug, said such an address could be exploited within seconds using “average home hardware.”

Gaevoy said the address had been generated to save on Ethereum’s notoriously high gas fees, though it was not clear how it would help in that regard.

Gaevoy and Wintermute representatives did not immediately respond to The Defiant’s request for comment Tuesday.

DEX aggregator 1inch detailed the bug on Thursday, and Wintermute appears to have heeded its warning that Profanity users move their digital assets from vanity wallet addresses, according to Gupta.

But Wintermute made a crucial mistake, Gupta added – it forgot to remove the vanity address as an administrator of the smart contract the hacker drained.

According to crypto analytics firm Arkham Intelligence, the hack took place within a 45-minute window and is the seventh-largest in DeFi history.

Firm Remains Solvent

Gaevoy said on Twitter that Wintermute remains solvent with more than $300M in remaining equity.

“If you are a lender to Wintermute, again, we are solvent, but if you feel safer to recall the loan, we can absolutely do that,” he wrote.

UPDATED on 9/22 @ 2pm ET with Wintermute’s message to the hacker.