Wintermute Incurs $160 Million Loss from Brute Force Private Key Compromise Linked to Profanity's Vulnerability

Summary

On September 20, 2022, Wintermute, a London-based algorithmic market maker offering liquidity across Centralized Finance (CeFi) and Decentralized Finance (DeFi) exchanges and over-the-counter (OTC) deals, was the victim of a security breach. The exploit resulted in a loss of approximately $160 million, impacting 90 different assets including stable coins, Bitcoin, Ether, and various altcoins. The attack was executed through a brute force private key compromise Source. The suspected vulnerability originated from Profanity, a service Wintermute used for generating vanity addresses, despite efforts to blacklist their Profanity-associated accounts after the vulnerability became known.

Attackers

The identity of the attackers remains unknown. As of June 22, 2023, the Ethereum address linked to the attacker and currently holding all stolen funds is:

A smart contract implicated in the attack:

Losses

The total losses amounted to roughly $160 million. This consisted of around $120 million in stable coins (USDC and USDT), $20 million in Bitcoin and Ether, and another $20 million spread across various altcoins.

Timeline

Security Failure Causes

Profanity’s Vulnerability: An inherent weakness in Profanity’s code allowed the attacker to generate all potential keys for a vanity address by bruteforcing the private keys, scan associated accounts, and then steal the funds.

More details on the hackers process, since the tool’s security bug enabled cracking private keys of addresses, specifically someone could brute-force private keys of every 7-character vanity address using roughly a thousand GPUs for 50 days.

– MetaSchool Source

Human Error: Despite Wintermute’s efforts to blacklist their Profanity accounts upon learning of the vulnerability, a human error resulted in one account not being blacklisted, thus remaining exposed and likely leading to the significant theft. Source