Wintermute CEO Gaevoy updates on hack, says firm will continue on-chain trading

Quick Take

  • Wintermute CEO Evgeny Gaevoy provided an update on the $160 million exploit the firm suffered.
  • The exploit was caused by human error: Wintermute did not remove the compromised address's ability to sign and perform actions.
  • Wintermute will continue to operate its on-chain trading operations.
  • Wintermute has offered a 16 million USDC bounty for the return of all its stolen assets.

Wintermute CEO Evgeny Gaevoy provided updates on the $160 million Ethereum hack it suffered this morning and attributed it to “human error.”

Wintermute has also offered the hacker a 10% bounty which, if all the funds were returned, would be worth 16 million USDC.

In a Twitter thread, Gaevoy explained that the attack vector was associated with the Ethereum vault Wintermute used for its on-chain decentralized finance (DeFi) trading operations, emphasizing that this wallet is separate from its centralized finance (CeFi) and over-the-counter (OTC) operations.

Providing more color, Gaevoy said that none of Wintermute’s CeFi or OTC wallets were affected or compromised, and neither was any of its internal or counterparty data.

The attack was most likely caused by a “Profanity-type exploit” on Wintermute’s DeFi vault, Gaevoy added. Profanity, which Wintermute used to generate the key for the compromised wallet address, was exploited last week, according to a post published by 1inch contributors.

The hack Wintermute suffered was due to an “internal (human) error” following its discovery of the Profanity exploit, Gaevoy wrote. Despite the financial loss, Gaevoy said Wintermute will not be laying off any employees, changing any strategies, raising additional capital or stopping its DeFi operations.

When Wintermute initially set up its DeFi vault, it used Profanity, an open-source tool for generating multiple addresses, together with an internal tool to generate an address with multiple zeroes at the front.

Gaevoy said the reasoning behind this was “gas optimization, not vanity”; the vanity addresses have admin privileges and the prefix “0x0000000.” Since the exploit was announced, security analysts have hypothesized that this prefix could be taken advantage of by hackers once they are able to calculate the private key.

In June, Wintermute began moving away from this type of setup, switching to a more secure key-generation script.

During the expedited process of “retiring” the old key, Wintermute moved all of its ETH out of the compromised vanity-address wallet. Although it was able to move the ETH prior to the hack, it “failed to remove this address’s ability to sign for and do other things,” Berkeley ICSI staff researcher Nicholas Weaver tweeted.

Gaevoy ended his thread by acknowledging that operating on-chain trading comes with inherent risks of which Wintermute was well aware, chiefly the lack of safeguards such as 2FA-protected key generation or the use of multisigs, which the nature of high-frequency trading (HFT) rules out.

Editor's Note: This story has been updated with the bounty amount Wintermute said it will pay.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.