Well-known vulnerability in private keys likely exploited in $160M Wintermute hack

The vulnerability in private keys generated by the popular Profanity vanity key generator was noted in January and has already been implicated in at least one major hack.

Blockchain cybersecurity company Certik has said a vulnerable private key was attacked in the Wintermute hack. A vulnerability in private keys generated by the Profanity app was likely exploited. The vulnerability has been known since at least January.

The U.K.-based algorithmic crypto market maker announced the hack on Tuesday and said over-the-counter and centralized finance operations were not affected. About $162.5 million worth of cryptocurrencies were taken. “We are solvent with twice over that amount in equity left,” Wintermute CEO Evgeny Gaevoy said in a tweet.

Certik said in a blog post that the hack was due to a leaked or brute-forced private key, and not a smart contract vulnerability:

A private key is derived from a user’s seed phrase, which is a list of 12–24 words associated with a wallet that allows a user to recover the cryptocurrency in a wallet, even if the wallet is lost or deleted.

According to Certik, around $273.9 million has been lost this year due to compromised private keys, making the method “one of the largest attack vectors.” The Wintermute attack is by far the largest, with the Harmony Protocol hack in June coming in second at $97 million.
