As disclosed by 1inch on September 14th, a vulnerability in Profanity an Ethereum vanity address generator was discovered. A day later $3.3 million was stolen from about a dozen vanity addresses including 0xBA5Ed… owned by the Index Finance Exploiter and 0x00000000000… which saves gas costs on certain contract interactions due to its leading 0s. Two days ago a Wintermute wallet which similarly used leading 0s to save on gas costs initiated $160 million in unauthorized transfers and CEO Evgeny Gaevoy confirmed the loss was likely linked to a Profanity-type exploit.
I have written answers below to my initial questions after reading this Decrypt article.
What assets were stolen?
Initial incident: >80% stablecoins, ETH, AAVE, COMP.
Wintermute incident: >80% stablecoins, ETH, wBTC. Full list at end this report.
Will the loss of $160 million impact Wintermute’s operations?
Per Evgeny, Wintermute still has at least $320 million in equity.
At the time of exploit Wintermute had $200M in debt outstanding with on-chain lenders leading Maple Finance and TrueFi to release statements further confirming Wintermute is still in a strong financial position.
Why didn’t Wintermute react to the 1inch disclosure on September 14th?
Mudit Gupta noted in his summary of the attack that Wintermute did in fact react shortly after the POC was released by 1inch removing all assets from the vulnerable address. However, that address was also designated an admin of the Wintermute vault smart contract (which contained the $160 million) and Evgeny noted that human error led to this access not being appropriately revoked.
How much computing power did this attack require?
Although a comment on Profanity’s Github from January of this year hypothesized an attack would require significant computing power the 1inch blog notes instead that their proof of concept allowed them to:
recover private keys from any vanity address generated with Profanity at almost the same time that was required to generate that vanity address
According to a Reddit post from the creator of Profanity in 2017 on a single GPU it takes less than 10 minutes on average to generate a specific 8 character address. The Wintermute address had only 7 leading 0s so per the 1inch blog should have been trivial to crack once the exploiter built the required tools. Further technical discussion about how this was done including comments from the founder of 1inch can be found here.
How much did Wintermute save by using a leading 0 address?
The specific vulnerable address only spent $27k in gas since inception and since leading 0s only reduce gas spend up to 5% in most cases the savings were minimal and likely less than $1k. However the Wintermute vault smart contract has used $3.3 million in total gas across 120k+ transactions over 3.5 months of active use. Extrapolated over a year that puts the upper bound of annual gas savings at about $500k. A Twitter user noted this disparity in $ saved vs. $ lost prompting a lighthearted reply from Evgeny.
Before recalling that Etherscan added gas analytics I used impersonator.xyz to WalletConnect as Wintermute’s address with fees.wtf to view lifetime gas spend. Including this because I don’t think enough people have impersonator.xyz bookmarked, it’s a great tool.
Where did the funds stolen from Wintermute go?
The Wintermute exploiter swapped the stolen BUSD and TUSD to DAI and then deposited all stolen DAI, USDT, and USDC into Curve’s 3pool becoming the 3rd largest 3CRV holder. This prevents the stablecoins from being blacklisted without also blacklisting all other stablecoins in 3pool (currently $860 million). The other assets stolen are still held by the exploiter and can be see here on debank.
As rekt.news pointed out in their summary of events, it is worrying to see Curve potentially being used as a mixer post Tornado sanctions.
What happens next?
Wintermute has offered a 10% bounty to the exploiter on Twitter and sent a corresponding transaction with the below message indicating a deadline of 5pm PST today.
We want to cooperate with you and resolve this matter immediately. Accept the terms of the bounty and return the funds within 24 hours before September 22nd UST by 23:59 while we can still consider this a white-hat event for a 10% bounty as offered. If the stolen funds are not returned by the deadline, you will force us to remove our bounty offer and white-hat label; we will then proceed accordingly with the appropriate authorities and avenues
Follow me on Farcaster @joneschuk if you have enjoyed this post
