Blockchain cybersecurity company, Certik has said that a vulnerable private key was compromised in the Wintermute hack. It is likely that a vulnerability in the private keys generated by the Profanity application has been exploited. The vulnerability has been known since at least January.
The UK-based cryptocurrency algorithmic market maker announced the hack on Tuesday, saying OTC and centralized trading were unaffected. Some $162.5 million worth of cryptocurrency was drained. “We are solvent and we have twice that amount left in capital,” said Wintermute CEO Evgeny Gaevoy in a tweet.
Certik said in a blog post that the hack was due to a leaked or forced private key, and not due to a smart contract vulnerability:
“The attacker used a privileged function with private key leak to specify that the exchange contract was the contract controlled by the attacker.”
The company added that a vulnerability in the popular Profanity vanity address generator was likely to blame for the hack.
Certik noted that decentralized exchange 1inch Network disclosed the apparent Profanity vulnerability in a blog post on September 13 and in a subsequent warning on Twitter. 1inch users discovered the vulnerability after a suspicious airdrop occurred in June. 1inch said on his blog:
“Profanity is one of the most popular tools due to its high efficiency. Unfortunately, that could only mean that most Profanity wallets were secretly hacked.”
The vulnerability was blamed for the $3.3 million hack on September 13. GitHub users discovered the issue in January 2022, prompting the developer to abandon the project and archive it on September 15.
RUN, YOU FOOLS
âš ï¸ Spoiler: Your money is NOT SAFU if your wallet address was generated with the Profanity tool. Transfer all of your assets to a different wallet ASAP!
âž¡ï¸ Read more: https://t.co/oczK6tlEqG#Ethereum #crypto #vulnerability #1inch
— 1inch Network (@1inch) September 15, 2022
A private key is derived from a user’s seed phrase, which is a list of 12 to 24 words associated with a wallet that allows a user to access cryptocurrencies in a wallet, even if the wallet is lost or deleted.
According to Certik, around $273.9 million has been lost this year due to compromised private keys, making this method “one of the biggest attack vectors.” The Wintermute hack is by far the biggest, while the Harmony hack in June comes in second with $97 million.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.
Keep reading:
Investments in crypto assets are not regulated. They may not be suitable for retail investors and the full amount invested may be lost. The services or products offered are not aimed at or accessible to investors in Spain.