Cyber Sleuth-Hound: $160M Wintermute Hack, Betrayal From the Inside

  • Betrayal in the city: who would have thought the Wintermute hack was an inside crime?
  • Wintermute noted that, as painful as the turn of events was, the rest of the business is unaffected, and so is the provision of services to its customers.

Betrayal in the city: who would have thought that the Wintermute hack was an inside crime? Wintermute is a global crypto market maker that provides liquidity. It was a hacker’s happy day when he discovered a hiccup in Wintermute’s smart contract. Isn’t this hack quite questionable?

How did the hacker happen to learn about the bug before Wintermute’s own smart contract developers did? Or is the hacker one of the “faithful” employees?

According to a report, the hacker swiped over 70 different tokens, including 61.4 million in USD Coin (USDC), 29.5 million in Tether, and 671 wrapped Bitcoin (wBTC) worth around 13 million at the time.

“The relevant transactions initiated by the EOA [externally owned address] make it clear that the hacker was likely an inside member of the Wintermute team,” Edwards says.

The hack was isolated from DeFi smart contracts and did not affect any internal Wintermute systems. In addition, no third-party data was compromised. The author of the review article, James Edwards, is neither a cybersecurity researcher nor an analyst. His analysis has not received a reply from Wintermute, but it has definitely raised eyebrows.

Edwards suggests that the EOA that “made the call on the ‘compromised’ Wintermute smart contract was itself compromised via the team’s use of” a faulty online tool for building personalized addresses.

In theory, the hacker was able to make calls to the smart contract by recovering the private key of the externally owned address. Edwards went on to say that there was no downloadable or verified code for the Wintermute smart contract, which made it impossible for the public to confirm the outside-hacker theory. This raised concerns about transparency to the public.

According to the company's regulations, any smart contract that manages user and customer funds and has been deployed on a blockchain would be expected to be published and verified, so that the general public can review and audit the unflattened Solidity code.

Edwards went the extra mile with further analysis: he manually disassembled the smart contract code and concluded that it did not match the code that had been identified as the main cause of the hack.

One specific transfer made during the hack stands out: 13.48 million USDT moved from the Wintermute smart contract address to the 0x0248 smart contract, which was supposedly created by the hacker.

The fact that @wintermute was using the Profanity wallet generator and keeping millions in that hot wallet is negligence or inside work. To make matters worse, the vulnerability in the Profanity tool was disclosed a few days ago.

Wintermute noted that, as painful as the turn of events was, the rest of the business is unaffected, and so is the provision of services to its customers. The hack was isolated from its DeFi smart contracts, and its internal systems were not tampered with.
