Hack Track: Analysis of Wintermute Attack

On 20 September 2022, crypto market maker Wintermute was hacked for circa $160 million. According to a tweet from Wintermute's founder and CEO Evgeny Gaevoy, the amount lost was related to its decentralized finance (DeFi) operations, while its centralized exchange and over-the-counter offerings remained unaffected.

Founded in 2017, Wintermute is a leading global algorithmic market maker, creating liquid and efficient markets on centralized and decentralized trading platforms and off-exchange. Recently, the blockchain network Tron named Wintermute its official market maker and strategic partner: Wintermute is to provide liquidity for all TRX pairs across cryptocurrency exchanges worldwide and to support TRON's ecosystem development as it positions itself as a go-to global layer-1 blockchain. Reportedly, Wintermute provides liquidity to over 50 exchanges and trading platforms, including Binance, FTX, and Kraken, as well as DeFi platforms such as dYdX and Uniswap.

What are automated market makers?

Automated market makers (AMMs) are a crucial part of the DeFi ecosystem: they let digital assets be traded automatically against liquidity pools instead of in a traditional market of buyers and sellers. DeFi applications such as decentralized exchanges (DEXs) use liquidity pools to facilitate trading. Liquidity pools replace the order book model used in centralized finance (CeFi), ensuring that sufficient assets are available for transactions, whether trading, lending, or other financial functions. In the most basic version of a DeFi liquidity pool, two tokens are locked in a smart contract to form a trading pair. Each liquidity pool creates a new market for that pair, and the first liquidity provider sets the initial price of the tokens in the pool through the ratio in which it deposits them.

Though decentralized exchanges differ in their trade-offs around throughput, latency, security, scalability and so on, AMMs have become a popular replacement for the traditional order book. Through an AMM, a trader deals against on-chain liquidity pools supplied by market makers rather than against an order book, where the trader is exposed to the bid/ask spread; against a pool the trader instead pays the pool's fee and the price impact of their own trade. AMMs use smart contracts to define the price of digital assets and to provide liquidity.
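The pricing rule such a pool applies is not spelled out above, so here is an added worked example (not Wintermute's, Uniswap's or any other protocol's code) of the constant-product rule used by Uniswap V2, the DEX named later in this post. It assumes Uniswap V2's 0.30% fee on the input amount and integer arithmetic as a contract would do it; the reserves and trade sizes are made up. It shows the first deposit fixing the price, a swap preserving the invariant, and why a swap that is large relative to the reserves gets a much worse fill, which is the cost that replaces the order book's bid/ask spread for an AMM trader.

```python
"""Toy constant-product AMM, following the Uniswap V2 pool rule.

Added example, not code from Wintermute or Uniswap. Assumptions:
  * the invariant reserve_x * reserve_y = k is preserved across swaps
    (k grows slightly because the fee stays in the pool),
  * a 0.30 % fee is taken from the input amount (Uniswap V2's 997/1000),
  * integer "wei-style" arithmetic, as a contract would do it.
All numbers used in the demo at the bottom are made up.
"""
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    reserve_x: int
    reserve_y: int

    @classmethod
    def create(cls, amount_x: int, amount_y: int) -> "ConstantProductPool":
        # The first liquidity provider fixes the initial price purely by the
        # ratio of the two tokens it deposits; no order book is consulted.
        if amount_x <= 0 or amount_y <= 0:
            raise ValueError("both sides of the initial deposit must be positive")
        return cls(amount_x, amount_y)

    def spot_price_x_in_y(self) -> float:
        # Marginal price the pool quotes for an infinitesimally small trade.
        return self.reserve_y / self.reserve_x

    def quote_x_for_y(self, dx: int) -> int:
        """Y paid out for dx of X (Uniswap V2 getAmountOut):
        in*997*Rout // (Rin*1000 + in*997)."""
        if dx <= 0:
            raise ValueError("input must be positive")
        dx_after_fee = dx * 997
        return dx_after_fee * self.reserve_y // (self.reserve_x * 1000 + dx_after_fee)

    def swap_x_for_y(self, dx: int) -> int:
        # Apply the swap: X goes into the pool, Y comes out.
        dy = self.quote_x_for_y(dx)
        self.reserve_x += dx
        self.reserve_y -= dy
        return dy

    def invariant(self) -> int:
        return self.reserve_x * self.reserve_y


def price_impact(pool: ConstantProductPool, dx: int) -> float:
    """Fraction by which the trader's effective price is worse than spot.

    This, not a bid/ask spread, is what a trader pays when dealing against a
    pool: the larger dx is relative to the reserves, the worse the fill.
    """
    effective = pool.quote_x_for_y(dx) / dx
    return 1.0 - effective / pool.spot_price_x_in_y()


if __name__ == "__main__":
    # Made-up pool: 1,000,000 units of each token, so the initial price is 1 Y per X.
    pool = ConstantProductPool.create(1_000_000, 1_000_000)
    for dx in (10_000, 100_000, 1_000_000):
        print(f"swap {dx:>9} X -> {pool.quote_x_for_y(dx):>7} Y, "
              f"price impact {price_impact(pool, dx):.1%}")
```

Swapping 1% of the reserves costs the trader roughly 1.3% against spot (fee included); swapping an amount equal to the reserves returns only about half of it in Y, a 50% price impact. That curve is why a thinly pooled token cannot be dumped at anything near its quoted price, and why a single large on-chain sale is so visible after the fact.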

DeFi exploits continue to rise

The Wintermute attack happened amid a rapid increase in hacking incidents suffered by DeFi platforms. Losses from hacks and exploits reached circa $2 billion in 2022, propelled by the surge in DeFi exploits such as attacks on cross-chain bridges. According to Merkle Science data, approximately $1.6 billion of that $2 billion was taken from DeFi protocols. The biggest contributors to these losses have been the Ronin Bridge, Wormhole, Nomad, Horizon Bridge and Beanstalk Farms exploits, among others.

Last month, the Federal Bureau of Investigation (FBI) issued an alert warning investors of the risks DeFi platforms face from hackers and exploiters. The FBI stated that cyber criminals exploit vulnerabilities in the smart contracts governing DeFi platforms to steal investors' cryptocurrency. The FBI also observed exploiters defrauding DeFi platforms by initiating a flash loan that triggers an exploit in the platform's smart contracts, and by exploiting signature verification vulnerabilities, as in the Wormhole token bridge attack. The FBI urged DeFi platforms to use real-time analytics and monitoring services and to test their code rigorously, in order to identify vulnerabilities more quickly and respond to indicators of suspicious activity.

How did Wintermute respond?

After the attack, Evgeny Gaevoy disclosed in a series of tweets that although the firm's DeFi operations had been hacked, its CeFi and OTC offerings remained unaffected and secure. He stated that the firm is solvent, with more than twice the $160 million lost remaining in equity, and that if lenders wish to recall their loans, Wintermute will honor that.

Gaevoy also revealed that 90 assets had been stolen: two token holdings were worth between $1 million and $2.5 million each, and the rest were below $1 million. He added that the company is treating the hack as a "white hat" event for now and asked the hacker to get in touch.

Merkle Science’s on-chain analysis

According to Merkle Science's on-chain analysis, the hacker transferred over $160 million worth of funds across 90 assets to the wallet address 0xe74b28c2eAe8679e3cCc3a94d5d0dE83CCB84705.

The hacker then converted, among other swaps:

  • 9,470,755 BUSD to 9,467,293 DAI using Curve.Fi
  • 3,246,604 TrueUSD to 3,246,041.4025 DAI using an unnamed smart contract
  • 61,350,986 USDC to 111,953,508 using the Curve 3pool LP
  • 23,609,070 DAI to 29,461,553 USDT using Curve.Fi
  • 350,000 WINU to 35 wETH using Uniswap V2
  • and unwrapped 6,919.6925 wETH to ETH

In what may be an attempt to launder funds, the Wintermute hacker also purchased some NFTs. We have also observed an incoming transfer of 9.9435 ETH from a Tornado Cash address, one of those sanctioned by the US Treasury's OFAC on 8 August 2022.
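Screening a suspect address's counterparties against a sanctions list, and reconciling what flowed in against what was swapped out, is the kind of check behind the observations above. The following is an added example of how such a screen can be run over transfer records; it is not Merkle Science's tooling. Apart from the hacker address quoted above, every address, transaction id and amount is constructed, and the two sanctioned addresses are placeholders standing in for the OFAC-listed Tornado Cash contracts.

```python
"""Counterparty screening and fund-flow summary for a suspect address.

Added example, not Merkle Science's own tooling. Only HACKER is taken from
the post; the other addresses, transaction ids and amounts are constructed.
A real screen loads the sanctioned set from the published OFAC SDN data
(which lists the Tornado Cash addresses) instead of hard-coding it.
"""
from collections import defaultdict, deque

HACKER = "0xe74b28c2eAe8679e3cCc3a94d5d0dE83CCB84705"   # from the post
SANCTIONED_A = "0x" + "a" * 40   # placeholder for a sanctioned mixer address
SANCTIONED_B = "0x" + "b" * 40   # placeholder, reached only via an intermediary
INTERMEDIARY = "0x" + "c" * 40   # placeholder pass-through wallet
CLEAN_WALLET = "0x" + "d" * 40   # placeholder with no sanctioned history
SOURCE_WALLET = "0x" + "1" * 40  # placeholder for the drained source
CURVE_POOL = "0x" + "e" * 40     # placeholder for a DEX pool contract

# Constructed transfer records: (tx id, from, to, token, amount)
TRANSFERS = [
    ("tx1", SOURCE_WALLET, HACKER, "USDC", 61_350_986),
    ("tx2", HACKER, CURVE_POOL, "USDC", 61_350_986),   # swapped straight out again
    ("tx3", SANCTIONED_A, HACKER, "ETH", 9.9435),     # direct inflow, as on the post
    ("tx4", SANCTIONED_B, INTERMEDIARY, "ETH", 1.0),
    ("tx5", INTERMEDIARY, HACKER, "ETH", 1.0),        # sanctioned source one hop away
    ("tx6", CLEAN_WALLET, HACKER, "DAI", 100),
]


def _norm(addr: str) -> str:
    # Ethereum addresses are case-insensitive; tools emit different checksum cases.
    return addr.lower()


def incoming_edges(transfers):
    """Index transfers by recipient so the graph can be walked backwards."""
    by_to = defaultdict(list)
    for tx, src, dst, token, amount in transfers:
        by_to[_norm(dst)].append((_norm(src), tx, token, amount))
    return by_to


def sanctions_exposure(transfers, sanctioned, addr, max_hops=2):
    """Walk incoming transfers backwards from addr, at most max_hops deep.

    Returns {sanctioned_address: hops} with the smallest hop count found;
    hops == 1 means a direct transfer from a listed address.
    """
    sanctioned = {_norm(a) for a in sanctioned}
    by_to = incoming_edges(transfers)
    start = _norm(addr)
    seen = {start}
    queue = deque([(start, 0)])
    hits = {}
    while queue:  # breadth-first, so the first time a source is seen is its shortest path
        node, depth = queue.popleft()
        if depth == max_hops:
            continue
        for src, _tx, _token, _amount in by_to.get(node, []):
            if src in sanctioned and src not in hits:
                hits[src] = depth + 1
            if src not in seen:
                seen.add(src)
                queue.append((src, depth + 1))
    return hits


def token_flows(transfers, addr):
    """Per-token inflow/outflow totals for addr, to check what came in
    against what was swapped or moved out."""
    target = _norm(addr)
    flows = defaultdict(lambda: {"in": 0, "out": 0})
    for _tx, src, dst, token, amount in transfers:
        if _norm(dst) == target:
            flows[token]["in"] += amount
        if _norm(src) == target:
            flows[token]["out"] += amount
    return dict(flows)


if __name__ == "__main__":
    print(sanctions_exposure(TRANSFERS, {SANCTIONED_A, SANCTIONED_B}, HACKER))
    print(token_flows(TRANSFERS, HACKER))
```

A direct inflow from a listed address is the clear case; the hop-limited walk is there because proceeds are usually layered through one or more fresh wallets first, and a screen that only looks at immediate counterparties misses that. The walk must stay bounded: exchanges and popular contracts are hubs, and back-tracing through them without a depth limit touches most of the chain and tells an analyst nothing.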

Merkle Science's investigation team is following the Wintermute hack closely. Stay tuned for a detailed analysis of the hack and further updates.