CEO Evgeny Gaevoy Says Firm Remains Solvent
Crypto market maker Wintermute has lost $160M in a hack that targeted its DeFi operations early Tuesday.
“If you have a [market maker] agreement with Wintermute, your funds are safe,” CEO Evgeny Gaevoy said on Twitter. “There will be a disruption in our services today and potentially for [the] next few days and will get back to normal after.”
Vanity Address
Mudit Gupta, Polygon’s head of information security, said the attacker likely exploited a bug in Profanity, a program that generates “vanity” wallet addresses.
Like standard vehicle license plates, crypto addresses are normally a random-looking string of numbers and letters. With Profanity, however, users can generate addresses that look less random and are more legible to the human eye, the crypto equivalent of a vanity plate.
Profanity Bug
In Wintermute’s case, it was using a Profanity-generated address that started with several zeroes.
Anton Bukov, the co-founder of 1inch, the DeFi protocol that first detailed the bug, said such an address could be exploited within seconds using “average home hardware.”
Gaevoy said the address had been generated to save on Ethereum’s notoriously high gas fees, though it was not clear how it would help in that regard.
Gaevoy and Wintermute representatives did not immediately respond to The Defiant’s request for comment Tuesday.
DEX aggregator 1inch detailed the bug on Thursday, and Wintermute appears to have heeded its warning that Profanity users should move their digital assets out of vanity wallet addresses, according to Gupta.
But Wintermute made a crucial mistake, Gupta added – it forgot to remove the vanity address as an administrator of the smart contract the hacker drained.
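As an added illustration of that last point (example code, not from The Defiant, Wintermute, 1inch or Profanity): a small defender-side audit that flags privileged addresses whose leading-zero prefix is too improbable to be random, so they can be rotated out of admin roles rather than merely emptied of funds. The role table and addresses are constructed samples, and the function names and the four-nibble threshold are this example's own assumptions.

```python
import re

# Constructed sample (not real data): privileged roles on a hypothetical
# contract, as exported from a role/ownership audit.
SAMPLE_ROLES = {
    "0x0000000000d4a7c7f1b3c9e8a2f5b6d7e8f9a0b1": "ADMIN",     # vanity-looking
    "0x7f3a9b2c4d5e6f708192a3b4c5d6e7f8091a2b3c": "ADMIN",     # random-looking
    "0x000000e5a1b2c3d4e5f60718293a4b5c6d7e8f90": "OPERATOR",  # vanity-looking
}

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def leading_zero_nibbles(address: str) -> int:
    """Count the leading '0' hex digits of a 20-byte address (after 0x)."""
    if not ADDRESS_RE.match(address):
        raise ValueError(f"not a 20-byte hex address: {address}")
    body = address[2:]
    return len(body) - len(body.lstrip("0"))


def random_prefix_probability(zero_nibbles: int) -> float:
    """Probability that a uniformly random address starts with at least
    this many zero nibbles: each nibble is '0' with chance 1/16."""
    return 16.0 ** -zero_nibbles


def audit_privileged_addresses(roles: dict, threshold: int = 4) -> list:
    """Return (address, role, zero_nibbles, probability) for every privileged
    address whose prefix is too improbable to be random (>= threshold zero
    nibbles, i.e. <= 1 in 65536 by default). Such addresses were most likely
    produced by a vanity generator and should be rotated out of their roles,
    not just emptied of funds. Sorted most suspicious first."""
    findings = []
    for addr, role in roles.items():
        n = leading_zero_nibbles(addr)
        if n >= threshold:
            findings.append((addr.lower(), role, n, random_prefix_probability(n)))
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for addr, role, n, p in audit_privileged_addresses(SAMPLE_ROLES):
        print(f"{addr} role={role} leading_zero_nibbles={n} p_random={p:.1e} -> rotate")
```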
According to crypto analytics firm Arkham Intelligence, the hack took place within a 45-minute window and is the seventh-largest in DeFi history.
Firm Remains Solvent
Gaevoy said on Twitter that Wintermute remains solvent with more than $300M in remaining equity.
“If you are a lender to Wintermute, again, we are solvent, but if you feel safer to recall the loan, we can absolutely do that,” he wrote.