The Wintermute hack, which saw the cryptocurrency platform robbed of $160m worth of digital assets, was caused by a vulnerability in popular address-generator software Profanity, according to experts.
The DeFi platform’s CEO admitted to the breach yesterday, before offering a bug bounty to the attacker if he or she returns the stolen funds. “We are still open to treating this as a white hat, so if you are the attacker – get in touch,” pleaded Evgeny Gaevoy, aka Wishful Cynic, on Twitter.
But he insisted the hack had not spelled the end for Wintermute, which he claimed retained sufficient funds to remain viable. Of the 90 assets that had been hacked, only two had resulted in losses of more than $1m.
“We are solvent with over twice that amount in equity left,” he said. “Your funds are safe. There will be a disruption in our services potentially for the next few days.”
Profanity named and shamed
Crypto-pundits seem convinced the attacker exploited a weakness in third-party cryptocurrency provider Profanity, hijacking a Wintermute user’s address to obtain the privileges needed to access the platform and loot it.
Profanity is a widely used program that generates a vanity address – a personalized cryptocurrency user account that is easily identifiable. In theory it should do this without compromising security, although that caveat appears to have gone out the window.
Trading and surveillance technology developer Modulus joined its voice to the growing chorus of experts who are blaming the address provider for Wintermute’s woes. Its boss Richard Gardiner believes that a recently identified weakness in the address vendor’s coding could allow “somebody with enough computing power to generate all possible passwords to a Profanity vanity address.”
“What we’re seeing here is the culmination of three different dangers,” Gardiner said. “First, there’s the use of external vendors. Then, combine that with human error. Finally, decentralized finance itself creates vulnerabilities because of the use of open-source coding.”
Expect further attacks
Other industry observers seemed to share Gardiner’s take on the Wintermute hack, with vanity address vulnerabilities and Profanity specifically singled out as the weakest link.
“In this Wintermute case, attackers took over a vanity address of a deployer,” tweeted cybersecurity professional Tal Be’ery. “While funds were recently removed from [the] address, the deployer still had admin privileges on the contract and attackers used it to drain $160m.”
“Your money is not safu [sic] if your wallet address was generated with the Profanity tool,” warned DeFi consortium 1inchNetwork. “Transfer all of your assets to a different wallet as soon as possible! Moreover, if you used Profanity to get a vanity smart contract address, make sure to change the owners of that smart contract.”
1inch says it first detected flaws in Profanity earlier this year, after noticing five parties claiming one set of funds that were subsequently transferred to a single wallet. Further investigation revealed that a brute-force attack could be used to take control of a vanity address, which would in turn facilitate further attacks.
“More and more, we’re seeing platforms and exchanges hacked through vulnerabilities in third-party vendors. Hackers are seeing these vendors as an entryway to attack firms with much larger holdings. Wintermute isn’t the first, and it won’t be the last,” Gardiner said.