Wintermute Hack — September 20, 2022
Overview
In late September 2022, Wintermute, a leading algorithmic market maker, was hacked for approximately $160 million. One of their hot wallets — a Profanity-generated vanity address — was compromised. The hack exploited a known weakness in the Profanity vanity-address generation tool.
Technical Root Cause: The Profanity Vulnerability
Profanity is an open-source tool that lets Ethereum users generate "vanity" addresses (addresses with a custom prefix/suffix, e.g. lots of leading zeros) for gas optimization or aesthetic reasons.
• Profanity seeded its CSPRNG with only a 32-bit random number, instead of the full 256-bit entropy normally needed to make a private key unguessable.
• This drastically reduced the search space, allowing an attacker with significant compute (GPUs / specialized hardware) to brute-force the private key from a vanity address.
• 1inch had publicly disclosed this vulnerability days earlier and warned all Profanity users to move funds.
Wintermute-Specific Attack Vector
1. Wintermute used a Profanity-generated address (with many leading zeros) as a hot wallet to save gas on routine transactions.
2. After the 1inch disclosure, Wintermute reportedly drained ETH out of the vulnerable hot wallet, but failed to remove the address as an admin / whitelisted signer of their internal vault smart contract.
3. The attacker brute-forced the private key of the Profanity hot wallet.
4. Using the recovered key, the attacker called privileged admin functions on Wintermute's vault and drained ~$160M in stablecoins, ETH, WBTC, and other assets.
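As an added example (not from the original write-up and not Wintermute's own tooling), a small Python audit that scans a constructed allowlist of vault signers and flags any address whose leading-zero pattern is statistically implausible for a key generated with full entropy, the kind of stale vanity signer that step 2 above left in place:

```python
import re
from typing import List, Tuple

# Constructed sample allowlist. The real Wintermute vault signers are not on the
# page, so these addresses are made up for illustration only.
SAMPLE_SIGNERS = [
    "0x0000000abc1234567890abcdef1234567890abcd",  # vanity-looking: 7 leading zero nibbles
    "0x9f1c4e2b7a6d3c5e8f0a1b2c3d4e5f6a7b8c9d0e",  # ordinary-looking address
    "0x00000000a1b2c3d4e5f60718293a4b5c6d7e8f90",  # vanity-looking: 8 leading zero nibbles
]

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def leading_zero_nibbles(address: str) -> int:
    """Count leading zero hex digits after the 0x prefix of a 20-byte address."""
    if not HEX_ADDR.match(address):
        raise ValueError(f"not a 20-byte hex address: {address}")
    body = address[2:].lower()
    return len(body) - len(body.lstrip("0"))


def chance_by_luck(zero_nibbles: int) -> float:
    """Probability that a uniformly random address starts with this many zero nibbles.

    Each nibble is zero with probability 1/16, so 7 leading zeros happen by chance
    about once in 268 million addresses; a signer like that was almost certainly
    produced by a vanity tool and deserves a review of how its key was generated.
    """
    return 16.0 ** (-zero_nibbles)


def flag_vanity_signers(signers: List[str], min_zero_nibbles: int = 5) -> List[Tuple[str, int, float]]:
    """Return (address, zero_nibbles, probability) for signers that look vanity-generated."""
    flagged = []
    for addr in signers:
        n = leading_zero_nibbles(addr)
        if n >= min_zero_nibbles:
            flagged.append((addr.lower(), n, chance_by_luck(n)))
    return flagged


if __name__ == "__main__":
    for addr, n, p in flag_vanity_signers(SAMPLE_SIGNERS):
        print(f"{addr}: {n} leading zero nibbles, chance by luck {p:.2e} -> rotate or remove")
```

The threshold of 5 nibbles (about one in a million by chance) is an assumption; tune it to the allowlist size being audited, and treat any hit as a prompt to verify how the key was generated and whether the signer is still needed.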
Financial Impact
• ~$160 million drained, including ~$114M in stablecoins (USDC, USDT, DAI), ~$13M in WBTC, ~$13.5M in ETH, plus 90+ other tokens.
• Affected primarily Wintermute's own treasury / market-making capital.
• Wintermute CEO Evgeny Gaevoy stated that DeFi counterparties' positions were unaffected and that Wintermute was solvent and would continue operations.
Response & Aftermath
• Mudit Gupta (Polygon CISO) published an early post-mortem on September 20, 2022, identifying the Profanity hot wallet as the likely vector.
• Wintermute CEO publicly confirmed the Profanity vector and emphasized solvency (~2x equity vs. losses).
• Wintermute offered the attacker a 10% white-hat bounty (~$16M) in exchange for return of funds. No funds were returned.
• Funds were laundered through Tornado Cash and Curve.
• Some commentators (e.g. James Edwards of Librehash) raised "inside job" theories, which Wintermute publicly disputed.
Notable Sources Located