Getting to the bottom of the exploit that led to one of the biggest hacks in the history of decentralized finance. 

In order to understand the $160M Wintermute hack, we first need to understand algorithmic market makers and how they work in DeFi (decentralized finance), since that’s what Wintermute is.

Imagine you’re the developer of a crypto project and you expect to get your token listed on a large exchange, even a top-10 exchange such as Kraken or Binance. It sounds great, but it brings a new problem: you now need to ensure the exchange always has enough liquidity to keep trading going, especially in DeFi markets, where thin liquidity is a primary target for attackers trying to drain funds. It would be great if you could deploy an algorithm to perform this constant liquidity observation and management for you – that’s essentially what an algorithmic market maker does.

Wintermute offers this service on both centralized and decentralized exchanges, alongside other services such as OTC trading and early-stage start-up investments. They incentivize users to provide liquidity to their protocol, and the protocol then manages the markets and liquidity pools across the exchanges of Wintermute’s partners and clients. Wintermute solves two of the tallest hurdles for projects in crypto – lack of liquidity and inefficient markets.

This is the full story behind the Wintermute exploit of 2022.

$160M Wintermute Hack Timeline

September 15, 2022:

The 1inch Network finds a vulnerability in an Ethereum vanity address tool called Profanity. They publish a technical breakdown of the bug and how it could potentially be exploited if not patched, adding a notice that states “Your money is NOT SAFU if your wallet address was generated with the Profanity tool. Transfer all of your assets to a different wallet ASAP! Moreover, if you used Profanity to get a vanity smart contract address, make sure to change the owners of that smart contract.”

This is relevant to the Wintermute hack because Wintermute had generated a vanity wallet with Profanity and it was an admin to their vault, which means it could execute withdrawals.

September 20, 2022:

This transaction initiates the attack at 05:11 UTC, calling Wintermute’s vault contract to transfer various amounts of several different cryptocurrencies into the hacker’s contract.

The assets include:

  • 6,919 wrapped Ether (WETH), valued around $9,410,159
  • 10,895,735 Dai Stablecoin (DAI), valued at $10,895,735
  • 61,350,986 USD Coin (USDC), valued at $61,350,986
  • 29,461,553 Tether (USDT), valued at $29,461,553
  • 3,246,604 TrueUSD (TUSD), valued at $3,246,604
  • 9,470,755 Binance USD (BUSD), valued at $9,470,755
  • 3,250,807 Pax Dollar (USDP), valued at $3,250,807
  • 671.247 Wrapped BTC (WBTC), valued around $14,341,194
  • And various amounts of 62 other altcoins, almost all with values under $1M

How the Wintermute Hack was Executed

Polygon’s Chief Information Security Officer, Mudit Gupta, published this post-mortem on September 20th, correctly identifying the Profanity-built hot wallet as the attack vector.

The Wintermute team had clearly been aware of the Profanity vulnerability: they moved all the ETH out of the compromised hot wallet shortly after 1inch disclosed it. What they had not done was revoke the admin permissions that the same wallet still held on Wintermute’s vault. Moving the funds off a key is not the same as removing that key from the contract’s access list; the on-chain role survived the key rotation.

Through the Profanity vulnerability, the attacker was able to access the hot wallet with admin permissions and simply ask the vault to send them $160M worth of tokens.
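The failure described above is a gap between key rotation and on-chain authorization: a wallet was emptied, but the role it held on the vault was never revoked. Below is an added example (not code from the article, from Wintermute, or from the 1inch write-up) of the audit a defender would want to run after such an advisory. It assumes the vault emits OpenZeppelin AccessControl-style RoleGranted / RoleRevoked events (the page does not say what access model Wintermute’s vault used); the event log and addresses are constructed placeholders, not real transactions or wallets.

```python
"""Audit whether addresses on a compromised-key list still hold on-chain roles.

Added example, not code from the original article or from Wintermute.
Assumption: the vault exposes role changes as OpenZeppelin AccessControl-style
RoleGranted(role, account, sender) / RoleRevoked(role, account, sender) events.
The decoded event log below is constructed for illustration; every address in
it is a placeholder, not a real wallet.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of decoded events: (block_number, event_name, role, account).
# Block 101 grants ADMIN_ROLE to a vanity wallet (stand-in for a Profanity-generated key).
# Funds are later moved off that wallet, but no RoleRevoked for it ever appears,
# which is exactly the lingering-permission condition the audit must surface.
SAMPLE_EVENTS: List[Tuple[int, str, str, str]] = [
    (100, "RoleGranted", "DEFAULT_ADMIN_ROLE", "0xPLACEHOLDER_DEPLOYER"),
    (101, "RoleGranted", "ADMIN_ROLE",         "0xPLACEHOLDER_VANITY"),
    (102, "RoleGranted", "ADMIN_ROLE",         "0xPLACEHOLDER_OPS1"),
    (200, "RoleRevoked", "ADMIN_ROLE",         "0xPLACEHOLDER_OPS1"),
    (201, "RoleGranted", "ADMIN_ROLE",         "0xPLACEHOLDER_OPS2"),
]


def current_role_holders(events: Iterable[Tuple[int, str, str, str]]) -> Dict[str, Set[str]]:
    """Replay grant/revoke events in block order and return role -> set(accounts).

    Addresses are normalised to lowercase so checksummed and plain forms compare equal.
    A revoke for an account that was never granted is ignored rather than treated as an error.
    """
    holders: Dict[str, Set[str]] = {}
    for _block, name, role, account in sorted(events, key=lambda e: e[0]):
        acct = account.lower()
        if name == "RoleGranted":
            holders.setdefault(role, set()).add(acct)
        elif name == "RoleRevoked":
            holders.get(role, set()).discard(acct)
    return holders


def lingering_roles(
    events: Iterable[Tuple[int, str, str, str]],
    compromised: Iterable[str],
) -> List[Tuple[str, str]]:
    """Return (role, account) pairs where a compromised address still holds a role.

    An empty list means every compromised key has been fully removed from the
    contract's access model, not merely drained of funds.
    """
    comp = {a.lower() for a in compromised}
    findings = [
        (role, acct)
        for role, accounts in current_role_holders(events).items()
        for acct in accounts
        if acct in comp
    ]
    return sorted(findings)


def report(events: Iterable[Tuple[int, str, str, str]], compromised: Iterable[str]) -> str:
    """Human-readable summary suitable for an incident-response checklist."""
    findings = lingering_roles(events, compromised)
    if not findings:
        return "OK: no compromised address holds a role."
    lines = ["ACTION REQUIRED: revoke the following roles:"]
    lines += [f"  {role} still granted to {acct}" for role, acct in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    # Compromised list as it would come from an advisory: the vanity wallet only.
    print(report(SAMPLE_EVENTS, ["0xPLACEHOLDER_VANITY"]))
```

Run against a real contract, the event list would come from the chain’s RoleGranted / RoleRevoked logs for the vault; the logic is the same. The check to add to a key-rotation runbook is the one `lingering_roles` performs: after moving assets off a key, confirm the key no longer appears in any role set before closing the incident.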

While the stolen digital assets have yet to be recovered, Wintermute remained solvent through the incident and has continued to operate without any serious pause in their protocol.

Marin Ivezic

For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.

He held multiple interim CISO and technology leadership roles in Global 2000 companies.