Crypto Sleuth: This is why the Wintermute exploit was an inside job
Crypto speculator James Edwards, aka Librehash, has offered his take on the attack vector used to rob London-based crypto firm Wintermute on September 20, 2022, claiming the attack was an inside job.
Edwards argues that carrying out this attack required intimate knowledge of Wintermute's systems, and that it was not simply the result of an externally owned address (EOA) calling a Wintermute smart contract compromised through Profanity, a service Wintermute used to reduce transaction costs.
After the attack, the prevailing theory was that it stemmed from Profanity. Wintermute had blacklisted its Profanity accounts after DEX aggregator 1inch Network highlighted a security flaw in Profanity's code.
Through human error, the London-based company had failed to blacklist one account, which CEO Evgeny Gaevoy suspected allowed the hacker to make off with $120 million in so-called stablecoins, $20 million worth of Bitcoin and Ether, and $20 million worth of other altcoins.
Edwards specifically points out that functions within an intermediary smart contract (address 1111111254fb6c44bac0bed2854e76f90643097d) are responsible for coordinating the transfer of funds between the Wintermute smart contract (address 0x0000000ae) and the externally owned address (EOA) alleged to belong to the Wintermute team, the 0x0 address.
Specifically, the function in the intermediary contract shows that funds cannot be moved unless the caller's authorization is validated first.
Furthermore, the Wintermute smart contract showed two deposits from the exchanges Kraken and Binance before the funds were moved to the hacker's smart contract. Edwards believes these deposits came from exchange accounts controlled by the Wintermute team. Otherwise, at least two questions need to be answered: a) Would the Wintermute team have been able to withdraw funds from both exchanges to their smart contract less than two minutes after the exploit began? b) If the answer to the first question is no, how did the hacker know about Wintermute's two exchange accounts?
Wintermute will likely pursue legal action
After the hack, Wintermute reached out to the hacker and offered them a 10% bounty if all stolen funds were returned within 24 hours. Gaevoy also announced an investigation involving internal and external service providers.
At the time of writing, the hacker had not responded to the bounty offer, meaning Wintermute is likely to pursue legal action.
The company has not made any official announcement about the planned action.
The Wintermute hack was the fifth largest DeFi hack of 2022.