Wintermute Incurs $160 Million Loss from Brute Force Private Key Compromise Linked to Profanity's Vulnerability

September 20, 2022

Summary #

On September 20, 2022, Wintermute, a London-based algorithmic market maker offering liquidity across Centralized Finance (CeFi) and Decentralized Finance (DeFi) exchanges and over-the-counter (OTC) deals, was the victim of a security breach. The exploit resulted in a loss of approximately $160 million, impacting 90 different assets including stable coins, Bitcoin, Ether, and various altcoins. The attack was executed through a brute force private key compromise Source. The suspected vulnerability originated from Profanity, a service Wintermute used for generating vanity addresses, despite efforts to blacklist their Profanity-associated accounts after the vulnerability became known.

Attackers #

The identity of the attackers remains unknown. As of June 22, 2023, the Ethereum address linked to the attacker and currently holding all stolen funds is:

0xe74b28c2eAe8679e3cCc3a94d5d0dE83CCB84705.

A smart contract implicated in the attack:

0x0248f752802b2cfb4373cc0c3bc3964429385c26

Losses #

The total losses amounted to roughly $160 million. This consisted of around $120 million in stable coins (USDC and USDT), $20 million in Bitcoin and Ether, and another $20 million spread across various altcoins.

Timeline #

January 17, 2022: Profanity’s vulnerability is discovered by 1inch Network Team, and proper issue was created in GitHub.
September 15, 2022 6:00 AM UTC: 1inch Network drew attention to the issue in their blog.
September 15, 2022 8:42 PM UTC: First malicious transaction of $3.3 Million Profanity hack was performed
September 20, 2022 5:11 AM UTC: Malicious transaction affecting Wintermute’s wallets was performed.
September 20, 2022 8:03 AM UTC: Wintermute’s CEO, Evgeny Gaevoy, promptly announces the theft.

Security Failure Causes #

Profanity’s Vulnerability: An inherent weakness in Profanity’s code allowed the attacker to generate all potential keys for a vanity address by bruteforcing the private keys, scan associated accounts, and then steal the funds.

More details on the hackers process, since the tool’s security bug enabled cracking private keys of addresses, specifically someone could brute-force private keys of every 7-character vanity address using roughly a thousand GPUs for 50 days.
– MetaSchool Source

Human Error: Despite Wintermute’s efforts to blacklist their Profanity accounts upon learning of the vulnerability, a human error resulted in one account not being blacklisted, thus remaining exposed and likely leading to the significant theft. Source

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam