Monday 26 September 2022
Home / none / Well-known vulnerability in private keys likely exploited in $160M Wintermute hack

Well-known vulnerability in private keys likely exploited in $160M Wintermute hack

Blockchain cybersecurity company Certik has said a vulnerable private key was attacked in the Wintermute hack. A vulnerability in private keys generated by the Profanity app was likely exploited. The vulnerability has been known since at least January.

The U.K.-based algorithmic crypto market maker announced the hack on Tuesday and said over-the-counter and centralized finance operations were not affected. About $162.5 million worth of cryptocurrencies were taken. “We are solvent with twice over that amount in equity left,” Wintermute CEO Evgeny Gaevoy said in a tweet.

Certik said in a blog post that the hack was due to a leaked or brute-forced private key, and not a smart contract vulnerability:

“The exploiter used a privileged function with the private key leak to specify that the swap contract was the attacker controlled contract.”

The company added that a vulnerability in the popular Profanity vanity address generator was probably at fault in the hack.

Certik noted that decentralized exchange 1inch Network disclosed the apparent Profanity vulnerability in a Sept. 13 blogpost and subsequent warning on Twitter. 1inch users spotted the vulnerability after a suspicious airdrop took place in June. 1inch said on its blog:

“Profanity is one of the most popular tools due to its high efficiency. Sadly, that could only mean that most of the Profanity wallets were secretly hacked.”

The vulnerability was blamed for the hacking of $3.3 million on Sept. 13. GitHub users spotted the issue in January 2022, leading the developer to abandon the project and then archive it on Sept. 15.

A private key is derived from a user’s seed phrase, which is a list of 12–24 words associated with a wallet that allows a user to recover the cryptocurrency in a wallet, even if the wallet is lost or deleted.

Related: Polygon CSO blames Web2 security gaps for recent spate of hacks

According to Certik, around $273.9 million has been lost this year due to compromised private keys, making the method “one of the largest attack vectors.” The Wintermute attack is by far the largest, with the Harmony Protocol hack in June coming in second at $97 million.

Original Article

About Jude Savage

Check Also

Reversible transactions could mitigate crypto theft — Researchers

Stanford University researchers have come up with a prototype for “reversible transactions” on Ethereum, arguing it could be a solution to reduce the impact of crypto theft. In a Sept. 25 tweet, Stanford University blockchain researcher Kaili Wang shared a run down of the Ethereum-based reversible token idea, noting that at this stage it is not a finished concept but more of a “proposal to provoke discussion and even better solutions from the blockchain community,” noting: “The major hacks we've seen are undeniably thefts with strong evidence. If there was a way to reverse those thefts under such circumstances, our ecosystem would be much safer. Our proposal allows reversals only if approved by a decentralized quorum of judges.”The proposal was put together by blockchain researchers from Stanford, including Wang, Dan Boneh, Qinchen Wang, and it outlines “opt-in token standards that are siblings to ERC-20 and ERC-721” dubbed ERC-20R and ERC-721R. However, Wang clarified that th..

Leave a Reply

Your email address will not be published. Required fields are marked *