{"id":1168,"date":"2022-09-26T07:44:19","date_gmt":"2022-09-26T07:44:19","guid":{"rendered":"https:\/\/metaschool.so\/articles\/?p=1168"},"modified":"2023-02-01T08:35:17","modified_gmt":"2023-02-01T08:35:17","slug":"wintermute-hack-profanity","status":"publish","type":"post","link":"https:\/\/metaschool.so\/articles\/wintermute-hack-profanity\/","title":{"rendered":"How Profanity caused the $160 million Wintermute hack"},"content":{"rendered":"<p>Cryptocurrency trading firm Wintermute was hacked this Tuesday, Sep 20th 2022. Reportedly, $160 million was stolen from the firm&#8217;s <a href=\"https:\/\/metaschool.so\/articles\/defi-meaning\/\">decentralized finance<\/a> (DeFi) operations, as announced by company CEO Evgeny Gaevoy last week.<\/p>\n\n\n\n<p>In a series of tweets this week, Evgeny Gaevoy disclosed details of the hack and the role of Profanity, a customized vanity <a href=\"https:\/\/metaschool.so\/articles\/wallet-address-blockchain\/\">address<\/a> generator which is speculated to have played a massive role in its vulnerability and, consequently, in the Wintermute hack.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/jmAnWBwxQbiSTzkwdEIPRat1vgH2HpSWbKQonYy1lS2jd2KeoHir04yattfBGTj2LQeEM89t_aWILjzUkjj8yQZpUB8JIG0M3qARUCj4Ln_7hYRpRhkAmtbaryNmv8TTJlteki0m9IY6GcyL1Ya0N8ytyzhcJYkdqmXkNLbrIH7MG9p2MXt-5Fdfaw\" alt=\"twitter tweet by wintermute founder\"\/><figcaption>via Twitter<\/figcaption><\/figure><\/div>\n\n\n\n<p><a href=\"https:\/\/twitter.com\/EvgenyGaevoy\/status\/1572134273875951617?t=D9r5V0N78OWNtGVBsoRvmQ&amp;s=19\" target=\"_blank\" rel=\"noopener\"><\/a>Let\u2019s go deeper into how such hacks can happen.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-s-a-vanity-address\"><span class=\"ez-toc-section\" id=\"Whats_a_vanity_address\"><\/span>What\u2019s a vanity address?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>To begin with, standard addresses generated in wallets are typically made of randomly ordered alphanumeric strings of 
characters (A through F) which don&#8217;t have any meaning or a specific order.&nbsp;<\/p>\n\n\n\n<p>However, these wallet addresses can now be personalized. The personal touch could be a brand, a name or even a special keyword that forms a slightly more complete message. This kind of address is called a <strong>vanity address<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"there-are-two-known-ways-of-generating-a-vanity-address\"><span class=\"ez-toc-section\" id=\"There_are_two_known_ways_of_generating_a_vanity_address\"><\/span>There are two known ways of generating a vanity address <span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"there-are-two-known-ways-of-generating-a-vanity-address\"><span class=\"ez-toc-section\" id=\"1_The_safe_way\"><\/span>1. The safe way<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>This would be to generate it privately using computer equipment with the relevant programs. Although this requires high-powered GPU equipment, it is the most secure way of generating public and private keys known only to you.\u00a0<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"2-the-dangerous-way\"><span class=\"ez-toc-section\" id=\"2_The_dangerous_way\"><\/span>2. The dangerous way<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>This is to resort to an online third-party service like <a href=\"https:\/\/vanity-eth.tk\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Vanity-ETH<\/a>. A number of these services generate vanity addresses for free or at a very low price. But as is the case with third-party services and tools, there is always an added risk as they store your private key while generating your vanity address. 
This form of wallet generation is not recommended unless it&#8217;s a calculated decision.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/65af9PGSZVny-WDNioDn8DJBdzXEla_4DWk3mHZQSwmORTVC-Vp1PublGxqfqSQwKA2y5HJdtqEOOBci-4OBRfLkoQ-QzWh5VYyroRBI8LsOvRQXuaK1iMsLNLS-XfTzMKw9pAUWl5KI1Tkbu6PdvwWVXtfpz8QooshSI-PLXw8xZrHDI3b6ndK-_Q\" alt=\"profanity disabled github repository\"\/><figcaption>via GitHub<\/figcaption><\/figure><\/div>\n\n\n\n<p>Now back to the vulnerable and looted Wintermute.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"profanity-a-third-party-tool-s-role-in-the-wintermute-hack\"><span class=\"ez-toc-section\" id=\"Profanity_%E2%80%93_a_third_party_tools_role_in_the_Wintermute_hack\"><\/span>Profanity &#8211; a third party tool&#8217;s role in the Wintermute hack<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Profanity is an <a href=\"https:\/\/metaschool.so\/blockchains\/ethereum?ref=Articles&amp;utm_source=Blog_Organic\" target=\"_blank\" rel=\"noreferrer noopener\">Ethereum<\/a> vanity address generation tool. It allows users to generate predefined, specialized and patterned wallet addresses. This ability to generate customized private keys decreases the randomness of key generation, creating a point of vulnerability for private key holders.&nbsp;<\/p>\n\n\n\n<p>The Profanity project was abandoned by its author a few years ago due to a fundamental security flaw in the tool, which enabled backtracking and extracting the private keys. 
<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"567\" height=\"425\" src=\"https:\/\/metaschool.so\/articles\/wp-content\/uploads\/2022\/09\/B2SSXL3VFZGQJJBDGL3NQELU5I.jpg\" alt=\"wintermute ceo Evgeny Gaevoy \" class=\"wp-image-1191\" srcset=\"https:\/\/metaschool.so\/articles\/wp-content\/uploads\/2022\/09\/B2SSXL3VFZGQJJBDGL3NQELU5I.jpg 567w, https:\/\/metaschool.so\/articles\/wp-content\/uploads\/2022\/09\/B2SSXL3VFZGQJJBDGL3NQELU5I-300x225.jpg 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><figcaption>CEO Wintermute<\/figcaption><\/figure><\/div>\n\n\n\n<p>Wintermute\u2019s CEO has not provided details of how the hacker managed to steal the crypto funds, but some experts have painted a plausible scenario in which the attacker most likely exploited this Profanity vulnerability.&nbsp;<\/p>\n\n\n\n<p>In more detail, the tool\u2019s security bug enabled cracking the private keys of addresses. Specifically, someone could brute-force the private keys of every 7-character vanity address using roughly a thousand GPUs for 50 days.<\/p>\n\n\n\n<p><a href=\"https:\/\/twitter.com\/Mudit__Gupta\/status\/1572150289943363589\" target=\"_blank\" rel=\"noopener\"><\/a>However, a collection of a thousand GPUs needs a massive investment, though we know many cryptocurrency mining farms work with a large number of GPUs. 
Note that powerful mining farms have been rendered useless by the Ethereum merge from <a href=\"https:\/\/metaschool.so\/articles\/proof-of-work-meaning\/\" target=\"_blank\" rel=\"noreferrer noopener\">PoW<\/a> to <a href=\"https:\/\/metaschool.so\/articles\/proof-of-stake-pos-meaning\/\" target=\"_blank\" rel=\"noreferrer noopener\">PoS<\/a>, which gives their operators a motive to exploit this Profanity vulnerability as a way of returning to profitability.<\/p>\n\n\n\n<p>1inch Network, a <a href=\"https:\/\/metaschool.so\/articles\/dex-decentralized-exchange\/\" target=\"_blank\" rel=\"noreferrer noopener\">decentralized exchange<\/a> (DEX), recently exposed this vulnerability, which could be abused to reverse-engineer the private key generation process and obtain the seed phrase and private key.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/U_jenD8DwtRdFB7zMeevr_lEAgOS-Mpyf0ZG7aStxZTX-Z9YM9s_Pv-YW_5TMp-NOCvbeTXuvGlfxjr1bFC0WHlpSeCUQA1Gn9cex-CTaYhewYJfJoqUb0Aqj3CA2QARs4e5o5UQaOKsKHO0cTTqsIh_51lxY8R5LX8FhMjXqSP-JKyQV5oqKsbSqA\" alt=\"wintermute profanity hack tweet\"\/><figcaption>via Twitter<\/figcaption><\/figure><\/div>\n\n\n\n<p>In June 2022, Wintermute also disclosed that it was using Profanity alongside an in-house tool to generate addresses for its DeFi wallets. It is believed that the attacker took advantage of the Profanity bug to conduct this hack and steal $160 million from Wintermute&#8217;s DeFi wallets.&nbsp;<\/p>\n\n\n\n<p>The hacker\u2019s wallet currently holds USD Coin, <a href=\"https:\/\/metaschool.so\/blockchains\/binance?ref=Articles&amp;utm_source=Blog_Organic\" target=\"_blank\" rel=\"noreferrer noopener\">Binance<\/a> USD, Tether USD, ETH and 66 other cryptocurrencies taken from Wintermute. 
The company has clarified that its Centralized Finance (CeFi) and Over-The-Counter (OTC) operations have not been impacted by this security incident. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-s-happening-now\"><span class=\"ez-toc-section\" id=\"Whats_happening_now\"><\/span>What&#8217;s happening now?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>After the incident, Profanity\u2019s author removed all binaries and archived the project&#8217;s GitHub repository to reduce the risk of someone using this insecure tool in the future.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/xUJfUc9d1C9tNK5TvTpwjSX6jSUPafUNqGMl-atxwQcRHDRW2X3MAjWmUk7dS9SwGOooBOzmmBybUbPvq78DTBRPbp2svKeULxUzoTdMOBuZTpPAGjJ284oUNfwjrs7WoRzaQkw3kOr7S85Pn12IvFaBuX9FAZwcNVJXsp8Xc5-oXO6fSZw-CuXXjg\" alt=\"wintermute profanity hack bounty offer\"\/><figcaption>via Twitter<\/figcaption><\/figure><\/div>\n\n\n\n<p>To ease lender anxiety, Evgeny Gaevoy has also assured Wintermute&#8217;s fund holders that it is &#8220;solvent with twice over that amount in equity left&#8221;. <\/p>\n\n\n\n<p>For a very short time, this incident is being treated as a <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/white-hat#:~:text=A%20white%20hat%20hacker%20%2D%2D,as%20it%20applies%20to%20hacking.\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">white hat event<\/a>. That means no action against the hacker is being taken right now, and the hacker has been offered a 10% bounty of the funds taken, provided they return the funds to Wintermute&#8217;s specified wallet address.\u00a0<\/p>\n\n\n\n<p>A return of the stolen funds does seem like an unlikely scenario, though.<\/p>\n\n\n\n<p>The Wintermute hack is the latest in a growing list of hacks that crypto firms have endured in recent months. 
Nomad, Axie Infinity and Harmony are just a few victims of various recent cryptocurrency heists. As per crypto auditing firm CertiK, more than $1.3 billion has been lost in DeFi hacks since last year.\u00a0<\/p>\n\n\n\n<p>I don\u2019t know about you, but this definitely is a profanity-worthy incident for all the crypto holders affected by the hack.\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"other-notable-defi-hacks-in-the-past\"><span class=\"ez-toc-section\" id=\"Other_notable_DeFi_hacks_in_the_past\"><\/span>Other notable DeFi hacks in the past<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>DeFi has been vulnerable for quite some time now. Let&#8217;s refresh our memory and see how these hacks went down so that we can collectively do something about increasing security and auditing in the space. <\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"1-bzx-flash-loan-attack\"><span class=\"ez-toc-section\" id=\"1_bZx_flash_loan_attack\"><\/span>1. bZx flash loan attack<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>In February 2020, an attacker used a flash loan from the dYdX protocol to manipulate the price of ETH-DAI on the bZx protocol, resulting in a loss of over $350,000.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"2-harvest-finance-attack\"><span class=\"ez-toc-section\" id=\"2_Harvest_Finance_attack\"><\/span>2. Harvest Finance attack<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>In November 2020, an attacker used a flash loan from the dYdX protocol to manipulate the price of a stablecoin and drain over $24 million from the Harvest Finance protocol.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"3-dforce-attack\"><span class=\"ez-toc-section\" id=\"3_dForce_attack\"><\/span>3. 
dForce attack<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>In April 2020, an attacker was able to exploit a vulnerability in the dForce protocol, resulting in a loss of over $10 million.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"4-akropolis-hack\"><span class=\"ez-toc-section\" id=\"4_Akropolis_hack\"><\/span>4. Akropolis hack<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>In October 2020, an attacker was able to exploit a vulnerability in the Akropolis protocol, resulting in a loss of over $2 million.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"5-cover-protocol-hack\"><span class=\"ez-toc-section\" id=\"5_Cover_Protocol_hack\"><\/span>5. Cover Protocol hack<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>In December 2020, an attacker was able to exploit a vulnerability in the Cover Protocol smart contract, resulting in a loss of over $8 million.<\/p>\n\n\n\n<p>That&#8217;s all for this news. <\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":7,"featured_media":1181,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[71],"tags":[],"class_list":["post-1168","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trending-web3"],"_links":{"self":[{"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/posts\/1168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/comments?post=1168"}],"version-history":[{"count":15,"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/posts\/1168\/revisions"}],"predecessor-version":[{"id":4899,"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/posts\/1168\/revisions\/4899"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/media\/1181"}],"wp:attachment":[{"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/media?parent=1168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/categories?post=1168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/metaschool.so\/articles\/wp-json\/wp\/v2\/tags?post=1168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}