News
Wintermute hack recreated; learn what went wrong on 20 Sept.
Hong Kong-based digital asset company Amber Group decoded the Wintermute hack that took place last month. The hack that occurred on 20 September caused the trading platform to lose approximately $160 million to the exploit.
A little about the hack
As reported by AMBCrypto earlier, the hacker made away with more than $61 million in USD Coin [USDC], $29.4 million in Tether [USDT], and 671 wrapped Bitcoin [wBTC] worth more than $13 million.
Several other altcoins worth millions of dollars were also a part of the stolen funds. The hacker gained funds spread across more than 90 altcoins.
Amber Group’s investigation
Amber Group managed to recreate the hack by cloning the algorithm that was reportedly used by the perpetrator. The process, according to Amber Group, was rather quick and didn’t involve the use of any sophisticated equipment.
Recall that crypto influencer @K06a previously stated that a brute force attack on Wintermute’s “vanity address” could theoretically be possible in 50 days using 1,000 graphics processing units. A vanity address is usually easily identifiable and thus comparatively vulnerable.
Wintemute stated after the hack that Profanity, an Ethereum address generation tool, was used to generate several of its addresses which happened to contain several zeros in front (vanity address).
2. The attack was likely linked to the Profanity-type exploit of our DeFi trading wallet. We did use Profanity and an internal tool to generate addresses with many zeroes in front. Our reason behind this was gas optimization, not “vanity”
— wishful cynic (@EvgenyGaevoy) September 20, 2022
Amber Group put this theory to the test and elaborated on how they exploited the Profanity bug to recreate the hacker’s exploit. For their test hack, the group used an Apple Macbook M1 with 16 GB RAM to process datasets related to the hack. They were able to recreate the algorithm in less than 48 hours. The blog further added,
“The actual process, not counting the precomputation, took about 40 minutes for one address with seven leading zeros. We finished the implementation and were able to crack the private key of 0x0000000fe6a514a32abdcdfcc076c85243de899b in less than 48 hours.”
Wintermute’s CEO Evgeny Gaevoy was not quite amused when Amber Group first revealed that it had successfully cloned the algorithm of the hack. Gaevoy responded to the news by
commenting “classy” on Amber Group’s tweet.classy
— wishful cynic (@EvgenyGaevoy) September 27, 2022
The Amber Group further stated,
“By reproducing hacks and exploits, we can build a better understanding of the attack surface spectrum across Web3. Better collective awareness of various patterns of hacks, flaws, and vulnerabilities hopefully contributes to a stronger and more attack-resistant future”
Amber Group emphasized the fact that addresses generated through Profanity were not secure and any funds linked with them were definitely unsafe.