Wintermute Hackers Used 3pool to Protect Stolen Funds: Report

Last week’s Wintermute hack is showcasing how Tornado Cash sanction affects the flow of stolen funds. Kaiko reported that $114.4 million worth of stablecoins was funneled into Curve’s 3pool. As a neutral financial privacy tool, Tornado Cash currency mixer can be used by both good and bad actors. After the US Treasury sanctioned the protocol, hackers now worry that either Tether (USDT) or Circle (USDC) could freeze stablecoins before they are withdrawn.

What Happened to Wintermute?

Just like Citadel Securities serves as a high-frequency market maker for stock brokers, so does Wintermute for the crypto sector. In fact, Wintermute bolsters the liquidity of both centralized and decentralized exchanges. In addition to HFT, Wintermute runs over-the-counter (OTC) trading for 250 digital assets. 

Last Tuesday, Evgeny Gaevoy, Wintermute CEO, announced that $160 million worth of funds was hacked. Interestingly, only Wintermute’s DeFi operation was affected, leaving its CeFi and OTC operations intact. Out of about $160 million worth of funds, the hacker swapped them into:

• $61.4 million in USDC
• $29.5 million in USDT
• $23.6 million in DAI
• $48.9 million in wBTC, ETH and USDP

The likely culprit comes from an exploit in the Ethereum wallet address generator Profanity. Despite the fact this tool was abandoned due to severe security issues, one of Wintermute’s addresses appears to have been created with Profanity.

As their name suggests, vanity addresses are personalized and generated from a set of conditions to make them more identifiable. In the case of Wintermute, Profanity generated an address with a 0x0000000 prefix. According to 1inch co-founder Anton Bukov, such an address can be brute-forced in mere seconds, just using regular hardware.

Through the null address gateway, the hacker then transferred $114.4 million from Wintermute to Curve’s 3pool. Just today, another Profanity-related hack happened worth $950k (732 ETH), as reported by cybersecurity firm PeckShield. However, because it didn’t involve stablecoins, the hacker transferred it directly to currency mixer Tornado Cash.

Join our Telegram group and never miss a breaking digital asset story.

Wintermute’s Hacker Avoids Tornado Cash

Tornado Cash obscures the tracking of funds by mixing cryptocurrencies. After all, Ethereum is a public blockchain with all transfers visible on Etherscan address explorer, which can then be attached to real IDs if they are traced to crypto exchanges with know-your-customer (KYC) rules. Soon after US Treasury’s OFAC sanctioned Tornado Cash for its money-laundering potential, Circle started blacklisting associated addresses.

To avoid this scenario, the Wintermute hacker took advantage of 3pool, one of the largest liquidity pools for DeFi dApps. Typically, the Tri-Pool holds parity between DAI/USDC/USDT, the three top stablecoins by market cap.

The Wintermute exploiter disrupted this balance with a heavy influx of stolen USDC stablecoins.

So mixed with other stablecoins, either Circle or Tether would have had to freeze all the funds in the 3pool. In fact, this is the first time a DEX platform, Curve.fi, was used in such a way.

In the aftermath of the vanity address exploit, Wintermute’s CEO reported that “We are solvent with twice over that amount in equity left,”. This amounts to $320 worth of cryptos for use in future liquidity ventures.

As for Tornado Cash itself, Microsoft-owned GitHub restored its open-source code, but only in read-only mode. The green light came from Treasury’s clarification that TC’s code itself is not prohibited from sharing, only its transactions. This was not surprising, given many legal precedents by which open-source code is equivalent to speech, protected as such by the US constitution.

It seems that Ethereum’s experimental phase left many legacy exploits wide open. Do you think Cardano will do better with its peer-review approach? Let us know in the comments below.