Wintermute inside job theory ‘not convincing enough’: BlockSec

The theory is “not convincing enough to accuse the Wintermute project,” wrote BlockSec, as it highlighted that Wintermute’s actions during the hack made sense given the circumstances.

Blockchain security firm BlockSec has debunked a conspiracy theory alleging the $160 million Wintermute hack was an inside job, noting that the evidence used for allegations is “not convincing enough.”

Earlier this week cyber sleuth James Edwards published a report alleging that the Wintermute smart contract exploit was likely conducted by someone with inside knowledge of the firm, questioning activity relating to the compromised smart contract and two stablecoin transactions in particular.

BlockSec has since gone over the claims in a Wednesday post on Medium, suggesting that the “accusation of the Wintermute project is not as solid as the author claimed,” adding in a tweet:

“Our analysis shows that the report is not convincing enough to accuse the Wintermute project.”

In Edwards’ original post, he essentially drew attention to how the hacker was able to cause so much damage through the exploited Wintermute smart contract that “supposedly had admin access,” even though his analysis found no evidence that the account had admin capabilities.

BlockSec, however, promptly debunked the claims, outlining that “the report just looked up the current state of the account in the mapping variable _setCommonAdmin, however, it is not reasonable because the project may take actions to revoke the admin privilege after knowing the attack.”

It pointed to Etherscan transaction details which showed that Wintermute had removed admin privileges once it became aware of the hack.
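BlockSec’s objection is a general forensic rule: reading a `mapping` such as `_setCommonAdmin` against the latest block tells you who is an admin now, not who was one when the exploit transaction executed. The snippet below is an added example (not BlockSec’s or Wintermute’s code) that reconstructs role membership at a chosen block by replaying grant/revoke events, the way one would replay a contract’s actual admin-change logs or query an archive node at the attack block; every address, block number and event in it is constructed for illustration.

```python
# Constructed sample of role-change events for a hypothetical contract, in
# block order (not real Wintermute data). Each entry mirrors what an event
# log for an admin-set mapping would give you: block number, action, address.
ROLE_EVENTS = [
    (15_000_000, "grant",  "0xAdminA"),
    (15_000_000, "grant",  "0xAdminB"),
    (15_100_000, "grant",  "0xVanityEOA"),   # the key later reported as compromised
    (15_572_488, "revoke", "0xVanityEOA"),   # privilege removed after the incident
    (15_572_500, "grant",  "0xNewAdmin"),
]
ATTACK_BLOCK = 15_572_000  # constructed: the block of the transaction under review


def admin_set_at(events, block):
    """Replay grant/revoke events up to and including `block` and return
    the set of addresses that held the admin role at that point."""
    admins = set()
    for blk, action, addr in sorted(events, key=lambda e: e[0]):
        if blk > block:
            break
        if action == "grant":
            admins.add(addr)
        elif action == "revoke":
            admins.discard(addr)
    return admins


def admin_intervals(events, addr):
    """Return [(granted_block, revoked_block_or_None), ...] for `addr`, so a
    reviewer can see whether the attack block falls inside a privileged window."""
    intervals, start = [], None
    for blk, action, a in sorted(events, key=lambda e: e[0]):
        if a != addr:
            continue
        if action == "grant" and start is None:
            start = blk
        elif action == "revoke" and start is not None:
            intervals.append((start, blk))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


def was_admin_at(events, addr, block):
    """The question that matters: did `addr` hold the role at `block`?"""
    return addr in admin_set_at(events, block)


if __name__ == "__main__":
    latest = max(e[0] for e in ROLE_EVENTS)
    print("admin at attack block:", was_admin_at(ROLE_EVENTS, "0xVanityEOA", ATTACK_BLOCK))  # True
    print("admin at latest block:", was_admin_at(ROLE_EVENTS, "0xVanityEOA", latest))        # False
    print("privileged windows:", admin_intervals(ROLE_EVENTS, "0xVanityEOA"))
```

The same replay works on real `AdminAdded`/`AdminRemoved`-style logs pulled from a node; the point is to evaluate the role at the attack block, not at `latest`.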

BlockSec report: Medium

Edwards also questioned the reasons why Wintermute had $13 million worth of Tether (USDT) transferred from two of their accounts on two different exchanges to their smart contract just two minutes after it was compromised, suggesting it was foul play.

Related: Tribe DAO votes in favor of repaying victims of $80M Rari hack

Addressing this, BlockSec argued that this is not as suspicious as it appears, as the hacker could have been monitoring Wintermute’s transfer transactions, possibly via bots, and swooped in:

“However, it is not as plausible as it claimed. The attacker could monitor the activity of the transferring transactions to achieve the goal. It is not quite weird from a technical point of view. For example, there exist some on-chain MEV-bots which continuously monitor the transactions to make profits.”

As previously stated in Cointelegraph’s first article on the matter, Wintermute has strongly refuted Edwards’ claims and has asserted that his methodology is full of inaccuracies.

Cyber sleuth alleges $160M Wintermute hack was an inside job

James Edwards bases his accusations on what he feels are dubious transactions and smart contract code that doesn’t match the post-mortem analysis.

A fresh new crypto conspiracy theory is afoot — this time in relation to last week’s $160 million hack on algorithmic market maker Wintermute — which one crypto sleuth alleges was an “inside job.”

Cointelegraph reported on Sept. 20 that a hacker had exploited a bug in a Wintermute smart contract, which enabled them to swipe over 70 different tokens including $61.4 million in USD Coin (USDC), $29.5 million in Tether (USDT) and 671 Wrapped Bitcoin (wBTC), worth roughly $13 million at the time.

In an analysis of the hack posted via Medium on Monday, the author known as Librehash argued that due to the way in which Wintermute’s smart contracts were interacted with and ultimately exploited, it suggests that the hack was conducted by an internal party, claiming:

“The relevant transactions initiated by the EOA [externally owned address] make it clear that the hacker was likely an internal member of the Wintermute team.”

The author of the analysis piece, also known as James Edwards, is not a known cybersecurity researcher or analyst. The analysis marks his first post on Medium but so far hasn’t garnered any response from Wintermute or other cybersecurity analysts.

In the post, Edwards suggests that the current theory is that the EOA “that made the call on the ‘compromised’ Wintermute smart contract was itself compromised via the team’s use of a faulty online vanity address generator tool.”

“The idea is that by recovering the private key for that EOA, the attacker was able to make calls on the Wintermute smart contract, which supposedly had admin access,” he said.

Edwards went on to assert that there’s no “uploaded, verified code for the Wintermute smart contract in question,” making it difficult for the public to confirm the current external hacker theory, while also raising transparency concerns.

“This, in itself, is an issue in terms of transparency on behalf of the project. One would expect any smart contract responsible for the management of user/customer funds that’s been deployed onto a blockchain to be publicly verified to allow the general public an opportunity to examine and audit the unflattened Solidity code,” he wrote.

Edwards then went into a deeper analysis via manually decompiling the smart contract code himself, and alleged that the code doesn’t match with what has been attributed to causing the hack.

Related: Almost $1M in crypto stolen from vanity address exploit

Another point that he raises questions about was a specific transfer that happened during the hack, which “shows the transfer of 13.48M USDT from the Wintermute smart contract address to the 0x0248 smart contract (supposedly created and controlled by the Wintermute hacker).”

Edwards highlighted Etherscan transaction history allegedly showing that Wintermute had transferred more than $13 million worth of USDT from two different exchanges to the compromised smart contract’s address.

“Why would the team send $13 million dollars worth of funds to a smart contract they *knew* was compromised? From TWO different exchanges?” he questioned via Twitter.

His theory has, however, yet to be corroborated by other blockchain security experts, although following the hack last week, there were some rumors in the community that an inside job could’ve been a possibility.

Providing an update on the hack via Twitter on Sept. 21, Wintermute noted that while it was “very unfortunate and painful,” the rest of its business has not been impacted and that it will continue to service its partners.

“The hack was isolated to our DeFi smart contract and did not affect any of Wintermute’s internal systems. No third party or Wintermute data was compromised.”

Cointelegraph has reached out to Wintermute for comment on the matter but has not received an immediate response at the time of publication. 

The impact of the Wintermute hack could have been worse than 3AC, Voyager and Celsius — Here is why

Market makers are the backbone of every crypto exchange, ICO, DApp and many token listings, which is exactly why investors shouldn’t shrug off Wintermute’s hack.

Most crypto investors probably never heard of Wintermute Trading before the Sept. 20 $160 million hack, but that does not reduce their significance within the cryptocurrency ecosystem. The London-based algorithmic trading and crypto lending firm also provides liquidity to some of the largest exchanges and blockchain projects.

As a crypto-native trading firm, meaning digital assets have been its core since its inception in July 2017, Wintermute’s expertise in the sector is attested by $25 million in funding from global venture capital investors like Fidelity Investments, Pantera Capital and Blockchain.com Ventures.

Lending and venture capital firms have limited impact on day-to-day operations

An important distinction sets a market maker apart from bankrupt crypto venture capital firms like 3 Arrows Capital or insolvent lending and yield platforms like Voyager Digital and Celsius Network. Wintermute’s $160 million hack could have a much more profound impact on the crypto industry, considering how essential liquidity is.

The very nature of these businesses is vastly different. For example, a venture capitalist typically invests in pre-seed or seed capital by funding the projects ahead of their launch. There is a need for early-stage funding for tokens, nonfungible token (NFT) projects, decentralized applications (DApps) and infrastructure, but the money will eventually come through when a good team, idea and community are assembled.

Furthermore, the failure of a certain venture capitalist, whether it is or is not relevant to the industry, does not damage its competitors’ reputation. In fact, the opposite sentiment emerges because it proves that picking the right projects pays off, if the firm has been correctly managing its risk exposure. The same can be said for the yield and lending platforms, which basically compete for client deposits and scramble to offer the best returns.

When market makers fail, liquidity dries up, and there is nothing worse for tradable assets than spreads growing wider. Most DApp users and exchanges aren’t aware of these intermediaries because their work is hidden within the order books and price arbitrage across intermediaries, whether or not they are centralized. The real secret lies in algorithmic trading.

By applying sophisticated modeling and trading software, algorithmic firms like Wintermute resort to diverse strategies to find a competitive advantage over regular traders, including arbitrage, derivatives and colocation servers for high-frequency market access.

In addition to traditional proprietary desk trading, Wintermute provides market-making services by facilitating transactions on intermediaries using their own resources. These services can be hired by exchanges, brokers, token issuers or third-party entities such as foundations and supporting companies.

Specialized trading firms usually handle this process, but the activity can also be carried out independently. Currently, Wintermute, Alameda Research, DRW, Jump Trading and Cumberland are some of the leading prop trading firms that provide liquidity for centralized exchanges and decentralized finance (DeFi) platforms.

This week’s hack was not Wintermute’s first million-dollar mistake

Wintermute was hired by the Optimism Foundation to provide liquidity for its token listing in June 2022 but completely messed up by losing 20 million OP tokens. Wintermute’s team disclosed the incident to the Optimism community and posted 50 million USD Coin (USDC) as collateral to ensure the protocol was fully reimbursed.

Think about that for a moment. Exchanges, blockchain projects, venture capitalists and DApps all need some form of liquidity to ensure that the secondary market works seamlessly for end users. Without thin spreads and some depth to the order book, there is barely a chance for any project to succeed.

Whether one considers liquidity providers to be villains or heroes, their importance to the crypto industry cannot be underestimated. The current hack could have been due to mistakes exclusive to Wintermute, and for this reason, it has not manifested as an additional risk for other market makers.

Traders should not compare the failure of 3AC, Voyager and Celsius to the threat of a liquidity vacuum driven by the exodus of the remaining arbitrage desks. There is no indication that widespread risk has emerged at the moment, but until a detailed post-mortem is issued and similar risks eliminated, traders should keep a close eye on the markets.

The views and opinions expressed here are solely those of the author and do not necessarily reflect the views of Cointelegraph. Every investment and trading move involves risk. You should conduct your own research when making a decision.

Optimism loses 20M tokens after L1 and L2 confusion exploited

Although the airdrop took place less than two weeks ago, problems have already arisen for the vaunted layer-2 scaling solution’s team and market maker.

The honeymoon period for the Optimism layer-2 scaling solution has been cut short, as an exploit in its market maker’s smart contract led to the loss of 20 million OP tokens.

The exploit took place on May 26 but has only just been reported to the community. One million tokens valued at about $1.3 million were sold on Sunday. An additional 1 million tokens valued at about $730,000 were transferred to Vitalik Buterin’s Ethereum address on Optimism earlier today at 12:26 am UTC. The remaining tokens are dormant for now but could be sold at any time or used to sway governance decisions.

OP tokens are the native token for the Optimism layer 2 (L2) blockchain, and a portion of the supply was airdropped to network users on June 1. L2 solutions help alleviate congestion on a layer-1 (L1) blockchain such as Ethereum.

A summary of events from the Optimism team on Thursday detailed how the 20 million OP tokens were intended to be used by the Wintermute crypto market-making firm. After sending two test transactions, the Optimism team sent the full amount of tokens.

However, Wintermute discovered that it could not access the tokens because the smart contract it used to accept the tokens was still on L1 and had not been updated to be deployed on Optimism. This technical oversight opened the contract to an attack, in which a bad actor took control of the contract on the L2 themselves.

As soon as Wintermute became aware of the problem, it “began a recovery operation with the goal to deploy the L1 multisig contract to the same address on L2,” but its attempt to remedy the situation was too late.

“An attacker was able to deploy the multisig to L2 with different initialization parameters before the recovery operation was completed and took control of the 20 million OP tokens.”

A multisig contract requires the approval of multiple key holders to execute a transaction.

In a Thursday message to the Optimism community, Wintermute took full responsibility for the exploit. The firm stated that it would perform OP buybacks equal to the amount the exploiter sells as a means of making “best efforts to smoothen the effects” of price volatility.

Wintermute has also offered to accept the incident as a white hat exploit if the hacker agreed to return 19 million tokens within one week. This offer was made before the hacker transferred another 1 million tokens.

Replies to Wintermute’s message mostly applauded the firm for its transparency in revealing the issue and for accepting the blame for what happened.

Related: Hacker tastes own medicine as community gets back stolen NFTs

In the short term, the Optimism team has granted Wintermute an additional 20-million-OP grant “so that they can continue with their work as things unfold.” But the team also pointed out that such market-making efforts are temporary.

“The community should not expect or rely on the Optimism Foundation to support liquidity provisioning efforts in the future.”

Chris Blec, host of the Proof of Decentralization podcast, said the team had considered (but rejected) regaining control of the stolen funds by performing a network upgrade. This meant that, in his view, Optimism (like most decentralized finance projects with admin keys) is “DANGEROUSLY CENTRALIZED.”

Blec also suggested that the most obvious explanation for exploits involves those most closely involved, meaning someone involved with Wintermute may have performed the attack themselves. He asked, “Why is everyone in this space always so opposed to vetting the most obvious possibilities?” There is no evidence at this stage to support this theory.

OP investors have responded negatively to the update, as the token price is down 31.2% over the past 24 hours, trading at $0.76, according to CoinGecko.