Wintermute hack

Wintermute inside job theory ‘not convincing enough’ —BlockSec

The theory is “not convincing enough to accuse the Wintermute project,” wrote BlockSec, as it highlighted that Wintermute’s actions during the hack made sense given the circumstances.

Blockchain security firm BlockSec has debunked a conspiracy theory alleging the $160 million Wintermute hack was an inside job, noting that the evidence used for allegations is “not convincing enough.”

Earlier this week cyber sleuth James Edwards published a report alleging that the Wintermute smart contract exploit was likely conducted by someone with inside knowledge of the firm, questioning activity relating to the compromised smart contract and two stablecoin transactions in particular.

BlockSec has since gone over the claims in a Wednesday post on Medium, suggesting that the “accusation of the Wintermute project is not as solid as the author claimed,” adding in a Tweet:

“Our analysis shows that the report is not convincing enough to accuse the Wintermute project.

In Edward’s original post, he essentially drew attention as to how the hacker was able to enact so much carnage on the exploited Wintermute smart contract that “supposedly had admin access,” despite showing no evidence of having admin capabilities during his analysis.

BlockSec however promptly debunked the claims, as it outlined that “the report just looked up the current state of the account in the mapping variable _setCommonAdmin, however, it is not reasonable because the project may take actions to revoke the admin privilege after knowing the attack.”

Our short analysis of the Accusation of the Wintermute Project: https://t.co/6Lw6FjUrLp @wintermute_t @evgenygaevoy @librehash @WuBlockchain @bantg

Our analysis shows that the report is not convincing enough to accuse the Wintermute project.

— BlockSec (@BlockSecTeam) September 27, 2022

It pointed to Etherscan transaction details which showed that Wintermute had removed admin privileges once it became aware of the hack.

Edwards also questioned the reasons why Wintermute had $13 million worth of Tether (USDT) transferred from two or their accounts on two different exchanges to their smart contract just two minutes after it was compromised, suggesting it was foul play.

Addressing this, BlockSec argued that this is not as suspicious as it appears, as the hacker could have been monitoring Wintermute transferring transactions, possibly via bots, to swoop in there.

“However, it is not as plausible as it claimed. The attacker could monitor the activity of the transferring transactions to achieve the goal. It is not quite weird from a technical point of view. For example, there exist some on-chain MEV-bots which continuously monitor the transactions to make profits.”

As previously stated in Cointelegraph’s first article on the matter, Wintermute has strongly refuted Edwards claims, and has asserted that his methodology is full of inaccuracies.

Wintermute inside job theory ’not convincing enough:’ BlockSec

The theory is “not convincing enough to accuse the Wintermute project,” wrote BlockSec, as it highlighted that Wintermute’s actions during the hack made sense given the circumstances.

Earlier this week, cyber sleuth James Edwards published a report alleging that the Wintermute smart contract exploit was likely conducted by someone with inside knowledge of the firm, questioning activity relating to the compromised smart contract and two stablecoin transactions in particular.

BlockSec has since gone over the claims in a Wednesday post on Medium, suggesting that the “accusation of the Wintermute project is not as solid as the author claimed,” adding in a tweet:

“Our analysis shows that the report is not convincing enough to accuse the Wintermute project.”

BlockSec, however, promptly debunked the claims, as it outlined that “the report just looked up the current state of the account in the mapping variable _setCommonAdmin, however, it is not reasonable because the project may take actions to revoke the admin privilege after knowing the attack.”

Our short analysis of the Accusation of the Wintermute Project: https://t.co/6Lw6FjUrLp @wintermute_t @evgenygaevoy @librehash @WuBlockchain @bantg

Our analysis shows that the report is not convincing enough to accuse the Wintermute project.

— BlockSec (@BlockSecTeam) September 27, 2022

It pointed to Etherscan transaction details which showed that Wintermute had removed admin privileges once it became aware of the hack.

Addressing this, BlockSec argued that this is not as suspicious as it appears, as the hacker could have been monitoring Wintermute transferring transactions, possibly via bots, to swoop in there:

“However, it is not as plausible as it claimed. The attacker could monitor the activity of the transferring transactions to achieve the goal. It is not quite weird from a technical point of view. For example, there exist some on-chain MEV-bots which continuously monitor the transactions to make profits.”

As previously stated in Cointelegraph’s first article on the matter, Wintermute has strongly refuted Edwards’ claims and has asserted that his methodology is full of inaccuracies.

Cyber sleuth alleges $160M Wintermute hack was an inside job

James Edwards bases his accusations on what he feels are dubious transactions and smart contract code that doesn’t match the post-mortem analysis.

A fresh new crypto conspiracy theory is afoot — this time in relation to last week’s $160 million hack on algorithmic market maker Wintermute — which one crypto sleuth alleges was an “inside job.”

Cointelegraph reported on Sept. 20 that a hacker had exploited a bug in a Wintermute smart contract, which enabled them to swipe over 70 different tokens including $61.4 million in USD Coin (USDC), $29.5 million in Tether (USDT) and 671 Wrapped Bitcoin (wBTC), worth roughly $13 million at the time.

In an analysis of the hack posted via Medium on Monday, the author known as Librehash argued that due to the way in which Wintermute’s smart contracts were interacted with and ultimately exploited, it suggests that the hack was conducted by an internal party, claiming:

“The relevant transactions initiated by the EOA [externally owned address] make it clear that the hacker was likely an internal member of the Wintermute team.”

The author of the analysis piece, also known as James Edwards, is not a known cybersecurity researcher or analyst. The analysis marks his first post on Medium but so far hasn’t garnered any response from Wintermute or other cybersecurity analysts.

In the post, Edwards suggests that the current theory is that the EOA “that made the call on the ‘compromised’ Wintermute smart contract was itself compromised via the team’s use of a faulty online vanity address generator tool.”

“The idea is that by recovering the private key for that EOA, the attacker was able to make calls on the Wintermute smart contract, which supposedly had admin access,” he said.

Edwards went on to assert that there’s no “uploaded, verified code for the Wintermute smart contract in question,” making it difficult for the public to confirm the current external hacker theory, while also raising transparency concerns.

“This, in itself, is an issue in terms of transparency on behalf of the project. One would expect any smart contract responsible for the management of user/customer funds that’s been deployed onto a blockchain to be publicly verified to allow the general public an opportunity to examine and audit the unflattened Solidity code,” he wrote.

Edwards then went into a deeper analysis via manually decompiling the smart contract code himself, and alleged that the code doesn’t match with what has been attributed to causing the hack.

Another point that he raises questions about was a specific transfer that happened during the hack, which “shows the transfer of 13.48M USDT from the Wintermute smart contract address to the 0x0248 smart contract (supposedly created and controlled by the Wintermute hacker).”

Edwards highlighted Etherscan transaction history allegedly showing that Wintermute had transferred more than $13 million worth of USDT from two different exchanges, to address a compromised smart contract.

“Why would the team send $13 million dollars worth of funds to a smart contract they *knew* was compromised? From TWO different exchanges?,” he questioned via Twitter.

His theory has, however, yet to be corroborated by other blockchain security experts, although following the hack last week, there were some rumors in the community that an inside job could’ve been a possibility.

The fact that @wintermute_t used the profanity wallet generator and kept millions in that hot wallet is negligence or an inside job. To make things worse the vulnerability in profanity tool was disclosed a couple of days ago.

— Rotex Hawk (@Rotexhawk) September 21, 2022

Providing an update on the hack via Twitter on Sept. 21, Wintermute noted that while it was “very unfortunate and painful,” the rest of its business has not been impacted and that it will continue to service its partners.

“The hack was isolated to our DeFi smart contract and did not affect any of Wintermute’s internal systems. No third party or Wintermute data was compromised.”

The hack was isolated to our DeFi smart contract and did not affect any Wintermute’s internal systems. No third party or Wintermute data was compromised.

— Wintermute (@wintermute_t) September 21, 2022

Cointelegraph has reached out to Wintermute for comment on the matter but has not received an immediate response at the time of publication.