Market maker Wintermute tells hacker to return funds or face legal action

Market making firm Wintermute has sent a message over the Ethereum blockchain to the hacker that stole $160 million from the firm on Tuesday.

Sent at midnight UTC on Thursday, the message told the hacker to return the funds by end of the day, or else Wintermute would proceed to approach the authorities. It urged the hacker to accept a $16 million “whitehat” bounty reward and return the remainder of nearly $144 million back to Wintermute.

“We want to cooperate with you and resolve this matter immediately. Accept the terms of the bounty and return the funds within 24 hours before September 22nd UST by 23:59 while we can still consider this a white-hat event for a 10% bounty as offered,” the message said.

The message went on to say that if the hacker returned the funds, the person would be labeled as a "white hat," — a term given to ethical hackers. This points to an assurance that no legal action would be taken if the person complies with the request. 

At the time of writing, the hacker has another 12 hours to accept the bounty offer. On the flip side, if the exploiter does not give back the assets (minus the bounty), the team would move to approach the “appropriate authorities and avenues," the firm said in its on-chain message. 

“If the stolen funds are not returned by the deadline, you will force us to remove our bounty offer and white-hat label; we will then proceed accordingly with the appropriate authorities and avenues,” Wintermute wrote.

Wintermute grapples with its vanity address exploit 

On Tuesday, Wintermute’s Ethereum vault, a type of crypto wallet account holding its assets in a smart contract, was drained of $160 million in various crypto assets.

The exploit occurred because the vault relied on a vulnerable admin address with a prefix “0x0000000,” which analysts say is a “vanity address.” Vanity addresses contain identifiable names or numbers within them.

Wintermute's vanity address was generated using a certain online tool called Profanity. A few days prior to the attack on Wintermute, a security report from 1inch disclosed that all Profanity-based vanity addresses had a critical vulnerability. This vulnerability could allow hackers calculate their private keys using "brute force" attacks.

Wintermute used its Profanity-based address as an admin account to authenticate transactions on its Ethereum vault. Because of the same vulnerability, someone brute forced the private key of its admin address. This gave the hacker control over Wintermut's vault enabling the actor to drain the funds.

The firm picked this address because of potential transaction fee savings. These can be made with vanity addresses that have a string of several zeroes, Mudit Gupta, Polygon's chief information security officer, told The Block.

This was not the first time Wintermute has lost funds in a security exploit. In June, a hacker was able to take ownership of 20 million Optimism tokens sent to Wintermute by Optimism Foundation for market making of the token.

After the June incident, Wintermute offered a 10% bounty, which the hacker accepted after one day of on-chain correspondence between the two parties. This time, however, the hacker has yet to reply to Wintermute’s request.