Crypto Sleuth: This is why the Wintermute exploit was an inside job – BeInCrypto

Crypto sleuth James Edwards, aka Librehash, offered his take on the attack vector used to steal from the London-based crypto firm Wintermute on September 20, 2022, alleging the attack was an inside job.

Edwards' theory is that performing this attack required intimate knowledge of Wintermute's systems, and that it was not simply the result of an externally owned account (EOA) calling a Wintermute smart contract compromised through Profanity, a tool Wintermute used to help reduce transaction costs.

After the attack, the prevailing theory was that it stemmed from Profanity. Wintermute had blacklisted its Profanity-generated accounts after the DEX aggregator 1inch disclosed a security flaw in Profanity's code.

Through human error, the London-based company missed one account when blacklisting, which CEO Evgeny Gaevoy suspected had let the hacker get away with $120 million in so-called stablecoins, $20 million in bitcoin and ether, and $20 million in other altcoins.

Edwards specifically pointed to a function in an intermediary smart contract (address 1111111254fb6c44bac0bed2854e76f90643097d) that coordinates the transfer of funds between the Wintermute smart contract (address 0x0000000ae) and the alleged hacker (address 0x0248); that function designates the Wintermute team as the owner of the externally owned account (EOA).

Specifically, the function in the intermediary contract shows that funds cannot be moved unless the caller's authorization is validated first.
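To make the point concrete, here is an added example of what a caller-gated fund-moving function in an intermediary contract looks like. It is illustrative code written for this page, not the 1inch or Wintermute contract, and the contract name, the operator allowlist and the moveFunds signature are assumptions, not anything read from the chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical intermediary contract (not Wintermute's or 1inch's code):
// the only function that moves tokens reverts unless the caller is the
// owner EOA or an address the owner has explicitly allowed.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract GatedIntermediary {
    address public immutable owner;            // EOA that deployed and controls this contract
    mapping(address => bool) public operators; // extra addresses the owner permits to move funds

    event FundsMoved(
        address indexed token,
        address indexed from,
        address indexed to,
        uint256 amount,
        address caller
    );

    constructor() {
        owner = msg.sender;
    }

    // Every fund movement passes through this check; an arbitrary EOA fails it.
    modifier onlyAuthorized() {
        require(msg.sender == owner || operators[msg.sender], "caller not authorized");
        _;
    }

    // Only the owner can widen the set of authorized callers.
    function setOperator(address who, bool allowed) external {
        require(msg.sender == owner, "only owner");
        operators[who] = allowed;
    }

    // Pulls `amount` of `token` from `from` (which must have approved this
    // contract) and forwards it to `to`. Emits the caller so an on-chain
    // investigator can see which key actually authorized the move.
    function moveFunds(address token, address from, address to, uint256 amount)
        external
        onlyAuthorized
    {
        require(IERC20(token).transferFrom(from, to, amount), "transfer failed");
        emit FundsMoved(token, from, to, amount, msg.sender);
    }
}
```

The practical consequence is the one Edwards draws: if a transaction calling such a function succeeded, the sending address must have passed the authorization check, so tracing the `caller` recorded in the event (or the transaction's `from` field) identifies a key that already held that clearance rather than an outsider who found a way around it.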

Additionally, the Wintermute smart contract shows two deposits from the Kraken and Binance exchanges before the funds were transferred to the hacker's smart contract. Edwards believes the deposits came from exchange accounts controlled by the Wintermute team. If not, at least two questions must be answered: a) Would the Wintermute team have been able to withdraw funds from both exchanges into their smart contract within two minutes of the start of the exploit? b) If the answer to the first question is no, how did the hacker know about the two Wintermute exchange accounts?

After the hack, Wintermute contacted the hacker, offering a 10% bounty if all stolen funds were returned within 24 hours. Gaevoy also announced an investigation involving internal and external service providers.

At the time of writing, the hacker had not responded to the bounty offer, which means Wintermute will likely pursue legal action.

The company has made no official announcement on its planned course of action.

The Wintermute hack was the fifth biggest DeFi hack of 2022.
