Every time I run out of ideas for this blog, I go fishing for some insane story in the crypto world and I never come back empty handed. Here is another mind blowing story that just happened a couple of days ago.
Wintermute, a crypto market maker, has lost $160 million in a hack relating to its decentralized finance (DeFi) operation. It’s quite an interesting story. In a nutshell, their private key was compromised and the hacker transferred the assets out of Wintermute’s vault. A few days prior, someone from 1inch published a blog about how to recover the private key from a vanity address. A vanity address is a cool address which starts with 000000, 111111, 1234567 etc. There are tools people can use to generate these vanity keys with cool addresses but it turns out these keys are a lot less secure and easier to break. For your safety, please never use those tools.
After learning about the vulnerability of the vanity addresses, Wintermute transferred the assets out of the vanity wallet but they forgot to transfer assets out of the contracts the vanity key controlled. (WTF?!) $160M is now gone. Just a few months ago, Wintermute sent 20M OP tokens to an account that they didn’t control. Those tokens are later returned but it doesn’t appear they are getting their funds back this time.
Think about it. $160M is a crazy amount of money. But in Wintermute’s setup, one single private key can move that amount of money around and they lost it all. It boggles my mind that they don’t have a tighter process to at least minimize their exposure per private key. Well, I am sure there are a lot of shenanigans happening in the TradFi world. It’s just not as public. But this recklessness is still maddening.