Cybersleuth says the $160M Wintermute hack was done by someone on the inside.
One crypto sleuth says that the $160 million hack on algorithmic market maker Wintermute last week was an “inside job.” This is a new crypto-conspiracy theory.
Asian Trade reported on September 20 that a hacker had used a bug in a Wintermute smart contract to steal over 70 different tokens, including $61.4 million in USD Coin (USDC), $29.5 million in Tether (USDT), and 671 wrapped bitcoin (wBTC), which was worth about $13 million at the time.
In an analysis of the hack posted on Medium on September 26, the author who goes by the name Librehash said that the way Wintermute’s smart contracts were used and abused suggests that the hack was done by someone inside the company. He or she said:
“It’s clear from the transactions started by the EOA [externally owned address] that the hacker was probably a member of the Wintermute team.”
The author of the analysis, who is also known as James Edwards, is not a well-known researcher or analyst in cybersecurity. This analysis is his first post on Medium, but neither Wintermute nor any other cybersecurity analysts have replied to it yet.
In the post, Edwards says that the current theory is that the EOA “that made the call on the ‘compromised’ Wintermute smart contract was itself compromised because the team used a broken online vanity address generator tool.”
“The idea is that by getting the private key for that EOA, the attacker was able to make calls on the Wintermute smart contract, which was supposed to have admin access,” he said.
Edwards went on to say that there is no “uploaded, verified code for the Wintermute smart contract in question.” This makes it hard for the public to confirm the current theory that a hacker from outside the company did it, and it also raises questions about how open the company is.
“This is a problem on its own in terms of how open the project is. One would expect that any smart contract that’s been put on a blockchain and is in charge of managing user or customer funds would be publicly verified so that the public can look at and audit the unflattened Solidity code,” he wrote.
Edwards then did a deeper analysis by decompiling the code for the smart contract by hand. He said that the code doesn’t match what has been said to have caused the hack.
He also raises questions about a transfer that happened during the hack, which “shows the transfer of 13.48M USDT from the Wintermute smart contract address to the 0x0248 smart contract (which the Wintermute hacker is said to have made and controlled).”
Edwards pointed to the transaction history on Etherscan, which he said showed that Wintermute had moved more than $13 million worth of Tether USD (USDT) from two different exchanges to a smart contract that had been hacked.
“Why would the team send $13 million to a smart contract that they knew had been broken into?” “From TWO separate conversations?” he asked on Twitter.
Other blockchain security experts haven’t yet confirmed his theory, but after the hack last week, there were some rumblings in the community that it might have been an inside job.
Wintermute gave an update on Twitter on September 21 about the hack, saying that it was “very unfortunate and painful,” but that the rest of its business was not affected and it would continue to serve its partners.
“The hack only affected our DEFI smart contract. None of Wintermute’s other systems were affected. No data from a third party or Wintermute was lost or stolen.”
Asian Trade has asked Wintermute for a comment on the situation but had not heard back as of the time of publication.