Wintermute DeFi Platform Offers Hacker a Cut in $160M Crypto-Heist

The decentralized finance (DeFi) platform was the victim of an exploit for a partner's vulnerable code — highlighting a challenging cybersecurity environment in the sector.


London-based cryptocurrency-trading platform Wintermute saw cyberattackers take off with $160 million this week, likely due to a security vulnerability found in a partner's code. The incident showcases deep concerns around implementing security for this finance sector, researchers say.

Wintermute founder and CEO Evgeny Gaevoy took to Twitter to say that the heist was aimed at the company's decentralized finance (DeFi) arm, and that while the incident might disrupt some operations "for a few days," the company is not existentially impacted.

"We are solvent with twice over that amount in equity left," he tweeted. "If you have a [money-management] agreement with Wintermute, your funds are safe. There will be a disruption in our services today and potentially for next few days and will get back to normal after."

He also said that about 90 assets were hit, and appealed to the culprit: "We are (still) open to treat this as a white hat [incident], so if you are the attacker — get in touch."

Meanwhile, he explained to Forbes that the "white hat" comment means that Wintermute is offering a $16 million "bug bounty," if the cyberattacker returns the remaining $144 million.

Filled With Profanity

He also told the outlet that the theft likely traces back to a bug in a service called Profanity, which lets users generate "vanity" cryptocurrency addresses with a chosen, recognizable pattern (normally addresses are long, gibberish strings of letters and numbers). The vulnerability, disclosed last week, allows attackers to recover the private keys of Ethereum wallets generated with Profanity and empty them.

Wintermute was using 10 Profanity-generated accounts to make rapid trades as part of its DeFi business, according to Forbes. DeFi networks connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading, and other transactions. When news of the bug broke, the crypto-firm tried to take the accounts offline, but due to "human error," one of the 10 accounts remained vulnerable and allowed the attackers into the system, Gaevoy said.

"Some of these [DeFi] technologies also involve third-party integrations and connections where the company may not have the ability to control the source code, leading to additional risk for the company," Karl Steinkamp, director at Coalfire, tells Dark Reading. "In this instance, a vanity digital asset address provider, Profanity, was leveraged in the attack ... An expensive and preventable mistake for Wintermute."

DeFi Exchanges Will Grow as a Target

Analysts with Bishop Fox earlier this year found that DeFi platforms lost $1.8 billion to cyberattacks in 2021 alone. Across the 65 events observed, 90% of the losses came from unsophisticated attacks, according to the report, which points to the difficulty of locking down a sector that relies on automated transactions.

And, just last month, the FBI issued a warning that cybercriminals are increasingly exploiting vulnerabilities in DeFi platforms to steal cryptocurrency, to the tune of $1.3 billion nabbed between January and March 2022 alone.

Researchers note that growing adoption and price appreciation of digital assets have attracted, and will continue to attract, the attention of malicious individuals — as will the lax state of security in the DeFi area.

"Many of these companies are growing at such a rapid pace, customer acquisition is their primary focus," Mike Puterbaugh, CMO at Pathlock, says. "If internal security and access controls are secondary to 'grow at all costs,' there will be gaps in application security that will be exploited."

The obstacles in shoring up DeFi security are numerous; Wintermute's chief noted that finding appropriate tools is difficult.

"You need to sign transactions on the fly, within seconds," Gaevoy told Forbes, adding that Wintermute had to create its own security protocols since tools are lacking. He also admitted that Profanity didn't offer multifactor authentication, but the company decided to use the service anyway. "Ultimately, that's the risk we took. It was calculated," he added.

Steinkamp notes, "Depending on the architecture of the DeFi platform, there may be a multiple of challenges in securing them. These may range from risk from third parties, to crypto-bridge bugs, human error, and the lack of secure software development, to name just a few."

And Puterbaugh points out that even with out-of-the-box controls and configurations enabled, customizations and integrations could create weaknesses in overall security.

Best Practices for Shoring Up DeFi Security

Despite the challenges, there are nonetheless best-practice approaches that DeFi platforms should be implementing.

For instance, Puterbaugh advocates implementing access controls with each new app deployment, along with continuous checks for access conflicts or application vulnerabilities, as key, especially when dealing with easily portable digital currency.

Also, "companies within the DeFi space need to routinely be doing internal and external testing of their platforms to continually ensure they are mitigating threats proactively," according to Steinkamp. He adds that companies should also implement additional enhanced security measures as a part of transactional security, including multifactor authentication and alert triggers on suspicious and/or malicious transactions.

Every layer helps, he adds. "Which would you rather try to gain access to: a house with the door open or a castle with a moat and drawbridge?" he says. "DeFi companies will continue to be prime targets by cyber-thieves until they implement adequate security and process controls to make attacking their platforms less attractive."
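The failure mode described above (ten Profanity-generated accounts, all believed retired, one still live) and the "alert triggers on suspicious transactions" Steinkamp recommends can both be reduced to a routine audit. The following is an added example, not code from Wintermute or Profanity; the wallet inventory, balances and transactions are constructed sample data, and the `generator` labels and `audit()` function are assumptions of this example.

```python
"""Decommissioning audit for hot wallets created by a compromised generator.

Constructed example: the inventory says which wallets came from a vulnerable
generator, the operator believes every one of them was retired, and the audit
catches any that still hold funds or still appear as senders on-chain.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Wallet:
    address: str
    generator: str   # tool that produced the key, e.g. "profanity" (vulnerable)
    retired: bool    # operator marked it retired in the inventory


# Generators whose keys must be treated as attacker-recoverable.
VULNERABLE_GENERATORS = {"profanity"}

# Constructed inventory: ten vanity wallets (recognizable zero prefix), all marked
# retired, plus one wallet from a sound key source. Addresses are placeholders.
INVENTORY = [Wallet(f"0x0000000{i:033x}", "profanity", True) for i in range(10)] + [
    Wallet("0xaaaa" + "1" * 36, "hsm", False),
]

# Constructed on-chain state (balances in wei) and recent outbound transfers.
# Wallet 7 is the "human error" case: marked retired but never actually drained.
BALANCES = {w.address: 0 for w in INVENTORY}
BALANCES[INVENTORY[7].address] = 5_000 * 10**18
BALANCES[INVENTORY[10].address] = 20 * 10**18
RECENT_TXS = [
    {"from": INVENTORY[7].address, "to": "0xbeef" + "0" * 36, "value": 5_000 * 10**18},
    {"from": INVENTORY[10].address, "to": "0xcafe" + "0" * 36, "value": 10**18},
]


def audit(inventory, balances, txs):
    """Return (address, reason) alerts for vulnerable wallets that are not truly dead."""
    alerts = []
    for w in inventory:
        if w.generator not in VULNERABLE_GENERATORS:
            continue
        if not w.retired:
            alerts.append((w.address, "not marked retired in inventory"))
        if balances.get(w.address, 0) > 0:
            alerts.append((w.address, "still holds funds"))
        for tx in txs:
            if tx["from"] == w.address:
                alerts.append((w.address, f"outbound transfer of {tx['value']} wei"))
    return alerts


if __name__ == "__main__":
    for address, reason in audit(INVENTORY, BALANCES, RECENT_TXS):
        print(f"ALERT {address}: {reason}")
```

Run on a schedule against real balance and transaction feeds, the audit turns a one-off cleanup into a standing control, so a single missed wallet surfaces as an alert rather than as a loss.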

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
