Market maker Wintermute suffers $160 million hack

Security researchers blame the attack on the recently discovered ‘vanity address’ vulnerability, CEO claims the firm’s CeFi operations and OTC services weren’t affected.

Wintermute, a leading liquidity provider across multiple exchanges and trading platforms, announced it has lost about $160 million in a hacking incident that targeted a known vulnerability in Profanity, an Ethereum vanity address generating tool. The bug was discovered by 1inch contributors on September 15.

“Your money is NOT SAFU if your wallet address was generated with the Profanity tool. Transfer all of your assets to a different wallet ASAP! Moreover, if you used Profanity to get a vanity smart contract address, make sure to change the owners of that smart contract,” researchers warned in a blog post.

As pointed out by Mudit Gupta, a chief security officer at Polygon, Wintermute moved all ETH from the vanity address before the attack, most likely as a precaution in light of the disclosed vulnerability, but didn’t change admin privileges, which allowed the hacker to take over Wintermute’s vault.

“The vault only allows admins to do these transfers and Wintermute's hot wallet is an admin, as expected. Therefore, the contracts worked as expected but the admin address itself was likely compromised,” Gupta tweeted.

Evgeny Gaevoy, the founder and CEO of Wintermute, assured lenders in a Twitter thread that the company remains solvent, and loan recalls are processed as usual. “We are (still) open to treat this as a white hat, so if you are the attacker – get in touch,” he added.

Today’s accident marks the second time the firm falls victim to the hack this year. On June 9, a hacker stole $35 million worth of Optimism (OP) tokens intended for the airdrop by exploiting a transaction sent to the wrong address. The attacker returned most funds after Optimism offered them employment and threatened with legal consequences, but it’s unclear whether the same trick will work again.