Date: 2022-09-27

A cryptocurrency conspiracy theory has emerged in relation to last week’s $160 million theft from algorithmic market maker Wintermute, which a crypto fraudster claims was “an inside job.”

On September 20, a hacker exploited a weakness in a Wintermute smart contract, allowing them to steal over 70 different tokens, including $61.4 million in USD Coin (USDC), $29.5 million in Tether (USDT), and 671 Wrapped Bitcoin (wBTC), which was valued at over $13 million at the time.

In a Medium post on September 26, the author identified as Librehash suggested that the manner in which Wintermute’s smart contracts were interacted with and eventually abused implies that the hack was carried out by an internal entity.

The analysis piece’s author, also known as James Edwards, is not a well-known cybersecurity researcher or analyst. The analysis is his first Medium post, and he has yet to receive a reaction from Wintermute or other cybersecurity researchers. In the post, Edwards stated:

“Currently, the prevailing theory is that an EOA (externally owned address) that made the call on the ‘compromised’ Wintermute smart contract was itself compromised via the team’s use of a faulty online vanity address generator tool. The idea is that by recovering the private key for that EOA, the attacker was able to make calls on the Wintermute smart contract, which supposedly had admin access.”

Edwards went on to assert:

“There’s no uploaded, verified code for the Wintermute smart contract in question that we’re examining here for some reason. This, in itself, is an issue in terms of transparency on behalf of the project. One would expect any smart contract responsible for the management of user/customer funds that’s been deployed onto a blockchain to be publicly verified to allow the general public an opportunity to examine and audit the unflattened Solidity code.”

Edwards then conducted a more in-depth investigation, manually decompiling the smart contract code, and claimed that the code does not match what has been credited with triggering the attack.

“Let’s examine one of the transactions in question that was part of the greater compromise collective

That transaction shows the transfer of 13.48M USDT from the Wintermute smart contract address to the 0x0248 smart contract (supposedly created and controlled by the Wintermute hacker).”

“If we take a look at the trace execution for this transaction, however, we’ll see that the transfer was a bit more complex than just sending funds from one smart contract to the other.”

Wintermute allegedly moved more than $13 million in Tether USD (USDT) from two distinct exchanges to address a breached smart contract, according to Etherscan transaction data.

Edwards asked the question:

7/ That concludes my breakdown of the Wintermute smart contract 'hack' and why I've come to the conclusion that this was the product of an inside job rather than an outside attacker exploiting an EOA with a weak private key due to the use of a faulty vanity addy generator tool — James Edwards (@librehash) September 26, 2022

On September 21, Wintermute provided an update on the attack through Twitter, noting that, while it was very regrettable and painful, the rest of its business had not been disrupted and that it will continue to support its partners.

The hack was isolated to our DeFi smart contract and did not affect any Wintermute’s internal systems. No third party or Wintermute data was compromised. — Wintermute (@wintermute_t) September 21, 2022

The project has not yet commented on these claims.