Hacker warned to refund money by market maker Wintermute or face legal consequences

By    28 Sep, 2022

Wintermute is battling its vanity address trick.

Tuesday saw the loss of $160 million in various crypto assets from Wintermute’s Ethereum vault, a form of crypto wallet account containing its assets in a smart contract.


The exploit stemmed from the vault’s reliance on a weak admin address with the prefix “0x0000000,” a kind of address researchers call a “vanity address.” Vanity addresses contain recognizable names or numbers chosen by their owner.


Wintermute’s vanity address was created with Profanity, one of several tools available online for generating such addresses. A few days before the attack on Wintermute, a security study from 1inch disclosed that all Profanity-generated vanity addresses carried a serious vulnerability: using “brute force” methods, hackers could calculate their private keys.


Wintermute used its Profanity-generated address as the admin user that verifies transactions on its Ethereum vault. Because of that same vulnerability, someone brute-forced the private key of this admin address. As a result, the hacker gained access to Wintermute’s vault and was able to steal the money.

The company chose this address because it might result in lower transaction fees; vanity addresses with a long string of leading zeros can be used to achieve this, according to Mudit Gupta, the chief information security officer at Polygon, who spoke with The Block.


This wasn’t the first time a security flaw cost Wintermute money. In June, a hacker obtained 20 million Optimism tokens that the Optimism Foundation had given to Wintermute for the token’s market launch.


After the incident in June, Wintermute offered a 10% bounty, which the hacker accepted following a day of on-chain communication. But this time, Wintermute hasn’t received a response from the hacker.

