Experts blame a 'vanity address' bug for Wintermute's $160 million hack

Theblock

On Tuesday, crypto market making firm Wintermute said that it had $160 million stolen from its Ethereum vault, a type of crypto wallet account holding its assets in a smart contract. 

While the Wintermute team has yet to provide an official post-mortem, security analysts have offered some insights into the hack. According to Mudit Gupta, Polygon's chief information security officer, a vulnerability may well have enabled the hacker to calculate the private keys of the vault’s admin address — allowing them to drain the vault of its funds.

As a market maker, Wintermute maintained several crypto assets in a vault. This vault relied on an admin address with a prefix “0x0000000,” which analysts say is a “vanity address.” At the same time, the vanity address functioned as an admin account (in the form of a hot wallet) to authenticate transactions for Wintermute’s vault.

Vanity addresses contain identifiable names or numbers within them — or have a particular style — and can be generated using certain online tools like Profanity. Last week, decentralized exchange aggregator 1inch published a security disclosure report claiming that “vanity addresses” generated with Profanity were not secure. Per 1inch, the private keys linked to Profanity-generated addresses could be extracted with brute force calculations.

Gupta and other security analysts have hypothesized that since the admin address is a vanity address, the hacker calculated its private key, took over Wintermute’s vault and transferred funds out to another address in their control.

“The vault only allows admins to do these transfers and Wintermute’s hot wallet is an admin, as expected. Therefore, the contracts worked as expected but the admin address itself was likely compromised,” Gupta wrote in a separate blog post.

Gupta said that it seems like Wintermute moved all the ether (ETH) from the vanity address wallet itself prior to the hack, perhaps as a precaution in light of the Profanity disclosures — but the firm didn't change its admin privileges.

Wintermute founder Evgeny Gaevoy did not reply to a request for comment on whether the vanity address was the cause of the hack. On Twitter, Gaevoy did not address this directly but he quote tweeted a tweet by Yearn Finance lead developer Banteg referencing a previous case of a hack involving vanity addresses, saying, "Karma is a bitch:)"

Why use a vanity address at all? Gupta told The Block that Wintermute may have used one because it's more efficient for making transactions. He said it saves 12 gas — a term used in relation to Ethereum transaction fees — per transaction. Gaevoy confirmed on Twitter that this was why the firm used one.

SlowMist, a smart contract security firm, corroborated Gupta’s findings. It told The Block: “After analysis, we think that the reason may be that Wintermute's stolen externally-owned account (EOA) is a wallet created by Profanity (starting with 0x0000000).”

According to SlowMist, the hacker has now deposited $114 million worth of stolen assets into decentralized exchange Curve.

© 2022 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
