Skip to content
Home » Trending » How Profanity caused the $160 million Wintermute hack

How Profanity caused the $160 million Wintermute hack

wintermute profanity hack 160 million dollars

Cryptocurrency trading firm Wintermute was hacked this Tuesday, Sep 20th 2022. Reportedly $160 million were stolen as part of the Wintermute hack from the firm’s decentralized finance (DeFi) operations as announced by the company CEO Evgeny Gaevoy last week.

Evgeny Gaevoy disclosed in a series of tweets this week about the hack and the role of Profanity, a customized vanity address generator which is speculated to have played a massive role in its vulnerability and consequently the Wintermute hack.

twitter tweet by wintermute founder
via Twitter

Let’s go deeper into how such hacks can happen. 

What’s a vanity address?

To begin with, standard addresses generated in wallets are typically made of randomly ordered alphanumeric strings of characters (A through F) which don’t have any meaning or a specific order. 

However, today we have the ability to personalize these wallet addresses by adding a personal touch to them. This could be a brand, a name or even a special keyword to generate a slightly more complete message. This kind of address is called a vanity address.

There are two known ways of generating a vanity address

1. The safe way

This would be to generate it privately using computer equipments with the relevant programs. Although carrying out this activity requires high GPU powered equipments, this is the most secure way of generating public and private keys known only to you. 

2. The dangerous way

This is to resort to an online third-party service like Vanity-ETH. A number of these services generate vanity addresses for free or at a very low price. But as is the case with third party services and tools, there is always an added risk as they store your private key while generating your vanity address. This form of wallet generation process is not recommended unless it’s a calculated decision.

profanity disabled github repository
via Github

Now back to vulnerable and looted Wintermute. 

Profanity – a third party tool’s role in the Wintermute hack

Profanity is an Ethereum vanity address generating tool. It allows users to generate predefined, specialized and patterned wallet addresses. This ability to generate customized private keys decreases the randomization of key generation, creating a point of vulnerability for private key holders. 

The Profanity project was abandoned by its author a few years ago, due to the fundamental security flaw of the tool, which enabled back tracking and extracting the private keys.

wintermute ceo Evgeny Gaevoy
CEO Wintermute

Wintermute’s CEO has not provided the details regarding how the hacker managed to steal the crypto funds but some experts have painted a plausible scenario that the attacker most likely exploited this Profanity vulnerability. 

More details on the hackers process, since the tool’s security bug enabled cracking private keys of addresses, specifically someone could brute-force private keys of every 7-character vanity address using roughly a thousand GPUs for 50 days.

However, a collection of thousand GPUs needs massive investment, we know many cryptocurrency mining farms work with a large number of GPUs. It is to be noted that powerful mining farms have now been rendered useless post the Ethereum merge from PoW to PoS, so taking advantage of this Profanity vulnerability could be an excellent way of returning to profitability for them.

1inch Network, a decentralized exchange (DEX), recently exposed this vulnerability that could be abused to reverse engineer the private key generation process to attain the seed phrase and private key.

wintermute profanity hack tweet
via Twitter

In June 2022, Wintermute also disclosed that it was using Profanity alongside an in-house tool to generate addresses for its DeFi wallets. It is believed that the attacker took advantage of the Profanity bug to conduct this hack and steal $160 million from Wintermute’s DeFi wallets. 

The hacker’s wallet currently holds USD Coin, Binance USD, Tether USD, ETH and 66 other cryptocurrencies taken from Wintermute. The company has clarified that their Centralized Finance (CeFi) and Over-The-Counter (OTC) operations have not been impacted by this security incident.

What’s happening now?

Post the incident, Profanity’s author removed all binaries and archived the project’s GitHub repository to reduce the risk of someone using this insecure tool in the future.

wintermute profanity hack bounty offer
via Twitter

Evgeny Gaevoy has also assured Wintermute’s fund holders that it is “solvent with twice over that amount in equity left” to ease the lender anxiety.

This incident is being treated as a white hat event for a very short time, that means no action against the hacker is being taken right now and the hacker has been offered a 10% bounty of the funds taken provided they return the funds on Wintermute’s specified wallet address. 

Although returning of the stolen funds does seem like an unlikely scenario.

The Wintermute hack is the latest in a growing list of crypto firms who have endured a hack in recent months. Nomad, Axie Infinity, Harmony are just a few victims of various recent cryptocurrency heists. As per crypto auditing firm Certik, more than $1.3 billion have been lost in DeFi hacks since last year. 

I don’t know about you but this definitely is a profanity worthy incident for all the crypto holders affected by the hack. 

Other notable DeFi hacks in the past

DeFi has been vulnerable for quite sometime now. Let’s refresh our memory and see how these hacks went down so that we can collectively do something about increasing security and auditing in the space.

1. bZx flash loan attack

In February 2020, an attacker used a flash loan from the dYdX protocol to manipulate the price of ETH-DAI on the bZx protocol, resulting in a loss of over $350,000.

2. Harvest Finance attack

In November 2020, an attacker used a flash loan from the dYdX protocol to manipulate the price of a stablecoin and drain over $24 million from the Harvest Finance protocol.

3. dForce attack

In April 2020, an attacker was able to exploit a vulnerability in the dForce protocol, resulting in a loss of over $10 million.

4. Akropolis hack

In October 2020, an attacker was able to exploit a vulnerability in the Akropolis protocol, resulting in a loss of over $2 million.

5. Cover Protocol hack

In December 2020, an attacker was able to exploit a vulnerability in the Cover Protocol smart contract, resulting in a loss of over $8 million.

That’s all for this news.

If you want to learn about the right way to go about entering web3 and building in the space, check our tutorials here 👇🏼