Crypto Sleuth Links Wintermute $160M Hack to Insider Job
In the crypto industry, hacks and exploits have become a dreaded, recurring problem. As the crypto space expands, the number of exploits grows with it. Despite the security measures most crypto protocols build around themselves, bad actors never stop scanning for vulnerabilities.
On September 20, a source disclosed a Wintermute smart contract exploit. According to the report, the hacker carted off more than 70 different crypto tokens from the platform worth around $160 million.
The stolen tokens include 671 Wrapped Bitcoin (wBTC), Tether (USDT) and USD Coin (USDC). The values of the coins at the time of the exploit were $13 million, $29.5 million and $61.4 million respectively.
Crypto Hack Analysis Points to an Internal Actor
A Medium post outlined an analysis of the hack. The author of the post, James Edwards, also known as Librehash, stated that the hack came from an internal party. His inference was based on how the exploit of the algorithmic market maker's smart contract occurred.
Librehash alleged that the relevant transactions initiated by the Externally Owned Address (EOA) suggest the involvement of a member of the Wintermute team.
Edwards detailed his claims and reported that the EOA triggered the compromise of the Wintermute smart contract. He noted that the EOA itself was compromised through the team’s use of a flawed online vanity address generator tool.
According to Edwards, the attacker could call the Wintermute smart contract by recovering the EOA’s private key. But the EOA’s private key should have administrator access.
Transparency of Wintermute in Doubt
Edwards’ analysis revealed that the smart contract has no uploaded and verified code. This makes it difficult for the public to confirm the external hacker theory, and it raises concerns regarding the transparency of the algorithmic market maker.
The author called it a transparency flop on the protocol itself. He noted that the smart contract manages users’ funds on the blockchain. So the expectation is to enable the public to examine and revise the solvency rules.
Further analysis through manual decompilation of the smart contract code revealed more truth. Edwards stated that the code did not match the attributed cause of the exploit.
During the attack, there was also a transfer of 13.48M USDT to the 0x0248 smart contract from the Wintermute smart contract. The hacker is supposedly the creator and controller of the recipient address.
Wintermute had not disclosed details of the attack. But it took to Twitter to acknowledge the hack on September 21 while stating its continued service to its partners. It noted that the hack did not affect the DeFi smart contract, internal systems or third-party data.