20201118 hacker
A hacker works on his laptop. For illustrative purposes only. Image Credit: Reuters

Crypto market maker Wintermute said about $160 million had been hacked from its decentralised finance unit, the latest in a string of exploits hitting the digital assets industry.

Wintermute's centralised finance and over-the-counter operations were not affected and the company remains "solvent," its founder and Chief Executive Officer Evgeny Gaevoy said on Twitter on Tuesday.

A cryptocurrency wallet address labeled on blockchain explorer platform Etherscan as belonging to the Wintermute exploiter showed a series of transactions took place earlier on Tuesday, one of which involved transferring 112 million native tokens of Curve's 3pool, a platform for swapping stablecoins, from a null address to the hacker.

Token swapped

These tokens were swapped for $29.5 million in USDT, $61.4 million in USDC and $23.6 million in DAI, worth a total of $114.4 million. Data on blockchain analysis platform Arkham confirmed those figures, while also pointing to around $48.9 million in other tokens including wrapped Bitcoin, Ether and USDP.

Hackers are a rising menace in DeFi, where crypto investors trade, borrow and lend without using a central intermediary. North Korea-affiliated hackers alone stole about $1 billion from DeFi protocols in the first seven months of the year, accounting for more than half of the total value of crypto hacks, according to a report published by researcher Chainalysis last month.

Gaevoy offered the hacker a 10% bounty on the funds taken, nudging the attacker to transfer all of the money, excluding $16 million USDC, to a specific wallet address.

Marina Gurevich, the firm's chief operating officer, said in an email that Wintermute was working with external teams and cybersecurity specialists "to identify the exact nature of the hack and person(s) responsible."

"We can confirm we remain in a financially strong position and there is no more further damage possible in relation to this hack," she added.

Vanity address

The attack was likely the result of the hacker exploiting an old Wintermute wallet address which still retained administrative access to the market maker's vault contract, said Mudit Gupta, chief information security officer at blockchain platform Polygon. Vault contracts are digital wallets that are used to store tokens and automate DeFi transactions.

The Wintermute wallet involved in the hack used a so-called "vanity address," which replaces the letters and numbers in a typical Ethereum address with zeroes to make it look more simple. Earlier this month a vanity address tool called Profanity disclosed a critical bug that made its addresses unsafe to use, though it is not known whether Wintermute used Profanity.


Wintermute counterparties - those that either borrow from, lend to or trade with the firm, could be affected by the hack.

Wintermute is listed as the top borrower on DeFi liquidity marketplace Clearpool, with a total of $22.2 million in USDC outstanding on the platform. It also has an outstanding loan for $92.1 million in USDT with TrueFi, according to Andrew Thurman, content lead at Nansen. The TrueFi loan will mature on Oct. 15, the platform's website showed.

Meanwhile Maple, another DeFi lender, said in a tweet that it was communicating with Wintermute about any fallout from the attack, with assurances that Wintermute has "sufficient equity to cover hack and repay loans." Wintermute has $75 million in active loans on Maple, according to Thurman.

Executives at Clearpool, TrueFi and Maple did not immediately respond to requests for comment.

Gaevoy reassured those with agreements with Wintermute that their funds are safe and that the business remains solvent, but said the company would work with any lender that preferred to have their loan repaid. "There will be a disruption in our services today and potentially for next few days and will get back to normal after," he added.