
Wintermute hackers used 3pool to protect stolen funds: report

Neither the author, Tim Fries, nor this website, The Tokenist, provide financial advice. Please consult our website policies before making any financial decisions.

Last week’s Wintermute hack shows how the Tornado Cash sanction is affecting the flow of stolen funds. Kaiko reported that $114.4 million worth of stablecoins were dumped into Curve’s 3pool. As a neutral privacy tool, the Tornado Cash currency mixer can be used by both good and bad actors. Now that the US Treasury has sanctioned the protocol, hackers fear that either Tether (USDT) or Circle (USDC) could freeze stablecoins before they are withdrawn.

What happened to Wintermute?

Just as Citadel Securities serves as a high-frequency market maker for stockbrokers, Wintermute does so for the crypto sector. In fact, Wintermute boosts the liquidity of both centralized and decentralized exchanges. In addition to HFT, Wintermute runs over-the-counter (OTC) trading for 250 digital assets.

Last Tuesday, Wintermute CEO Evgeny Gaevoy announced that $160 million worth of funds had been stolen in a hack. Interestingly, only Wintermute’s DeFi operations were affected, while its CeFi and OTC operations remained intact. The hacker converted the roughly $160 million into:

  • $61.4 million in USDC
  • $29.5 million in USDT
  • $23.6 million DAI
  • $48.9 million in wBTC, ETH and USDP

The likely culprit is a weakness in Profanity, a vanity address generator for Ethereum wallets. Although this tool was abandoned because of serious security issues, one of Wintermute’s addresses appears to have been created with it.

Image credit: GitHub

As the name suggests, vanity addresses are personalized: they are generated to satisfy a chosen set of conditions that make them more recognizable. In Wintermute’s case, Profanity generated an address with the prefix 0x0000000. According to Anton Bukov, co-founder of 1inch, such an address can be brute-forced in seconds on ordinary hardware.

Through this compromised 0x0000000-prefixed address, the hacker then moved $114.4 million from Wintermute into Curve’s 3pool. Just today, another Profanity-related hack worth $950,000 (732 ETH) took place, as reported by cybersecurity firm PeckShield. Since those funds were not stablecoins, however, the hacker sent them straight to the Tornado Cash currency mixer.
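The practical lesson for anyone operating wallets is to find out whether any of them carry a conspicuous vanity prefix and were therefore probably produced by a vanity generator such as the abandoned tool named above. The script below is an added example, not code from this article, from Wintermute or from the Profanity project: it scans a constructed wallet export for addresses whose body opens with a long run of one repeated nibble (the 0x0000000 pattern mentioned above is one case), validates the address format, and reports how many random draws an honest generator would be expected to need to hit such a prefix (16 per nibble). The wallet labels, addresses and the `min_run` threshold are all assumptions made for the example.

```python
"""Triage helper: flag wallet addresses that look like vanity addresses.

Added example, not code from The Tokenist article or from any vanity
address generator. All sample addresses below are constructed; none is a
real Wintermute address.
"""
import re

# Basic Ethereum address shape: "0x" followed by exactly 40 hex digits.
HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed wallet export: (label, address). Hypothetical values.
SAMPLE_WALLETS = [
    ("treasury-ops", "0x0000000a1b2c3d4e5f60718293a4b5c6d7e8f9a0"),  # 7 leading zeros
    ("market-making", "0x5b38da6a701c568545dcfcb03fcb875f56beddc4"),  # no pattern
    ("vanity-ff", "0xffffff0123456789abcdef0123456789abcdef01"),      # 6 leading f's
    ("bad-format", "0x1234"),                                           # malformed
]


def leading_run(body: str) -> tuple[str, int]:
    """Return the first nibble of the address body and how many times it repeats
    consecutively from the start (e.g. '0000000a...' -> ('0', 7))."""
    first = body[0]
    n = 1
    while n < len(body) and body[n] == first:
        n += 1
    return first, n


def expected_attempts(prefix_len: int) -> int:
    """Expected number of random key draws a properly random generator needs
    to produce an address with a fixed prefix of `prefix_len` hex nibbles.
    Each nibble has 16 possible values, so the search space is 16**prefix_len."""
    return 16 ** prefix_len


def classify(address: str, min_run: int = 5) -> dict:
    """Classify one address as 'invalid', 'vanity' or 'ordinary'.

    `min_run` (an assumed threshold) is the leading repeated-nibble run length
    at which we treat the address as deliberately generated."""
    if not HEX_ADDR.match(address):
        return {"address": address, "status": "invalid"}
    body = address[2:].lower()
    nibble, run = leading_run(body)
    if run >= min_run:
        return {
            "address": address,
            "status": "vanity",
            "pattern": f"{nibble}*{run}",
            "run": run,
            "expected_attempts": expected_attempts(run),
        }
    return {"address": address, "status": "ordinary", "run": run}


def triage(wallets: list[tuple[str, str]], min_run: int = 5) -> dict:
    """Run classify() over a wallet export and group labels by outcome.
    Wallets under 'vanity' are candidates for key rotation if they came from
    a third-party generator; 'invalid' entries need a data-quality fix."""
    report = {"vanity": [], "ordinary": [], "invalid": []}
    for label, address in wallets:
        result = classify(address, min_run=min_run)
        report[result["status"]].append(label)
    return report


if __name__ == "__main__":
    for label, address in SAMPLE_WALLETS:
        print(label, classify(address))
    print(triage(SAMPLE_WALLETS))
```

The run-length heuristic only catches prefixes made of one repeated nibble, which is the pattern the article describes; addresses shaped to spell a word or match some other template need a pattern list of their own. The `expected_attempts` figure is for an honest, uniformly random generator; a generator with a flawed key-derivation step can be far cheaper to reproduce, which is the whole reason a flagged address should be treated as suspect regardless of that number.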


Wintermute’s hacker avoids Tornado Cash

Tornado Cash obscures the tracking of funds by mixing cryptocurrencies. After all, Ethereum is a public blockchain: every transfer is visible in the Etherscan address explorer and can be tied to a real identity once the funds are traced to a crypto exchange that applies know-your-customer (KYC) rules. Shortly after the US Treasury Department’s OFAC sanctioned Tornado Cash for its money-laundering potential, Circle began blacklisting associated addresses.

To avoid this scenario, the Wintermute hacker used 3pool, one of the largest liquidity pools serving DeFi dApps. Normally, the tri-pool holds DAI, USDC and USDT, the top three stablecoins by market cap, in balanced proportions.

The Wintermute exploit disrupted this balance with a heavy influx of stolen USDC stablecoins.

Photo credit: Kaiko

Once the stolen funds are mixed with other users’ stablecoins, Circle or Tether could only freeze them by freezing all of the funds in the 3pool. In fact, this is the first time a DEX platform, Curve.fi, has been used in this way.

After the vanity address exploit, Wintermute’s CEO stated that “we’re solvent with twice that amount of equity.” That amounts to $320 million worth of crypto available for future liquidity ventures.

As for Tornado Cash itself, Microsoft-owned GitHub has restored its open-source code, but only in read-only mode. The green light came from the Treasury Department’s clarification that sharing Tornado Cash’s code itself is not prohibited, only transacting with the protocol. This was unsurprising given the many precedents holding that open-source code is speech protected by the US Constitution.


It seems that Ethereum’s experimental phase has left many legacy exploits wide open. Do you think Cardano will do better with its peer review approach? Let us know in the comments below.

About the author

Tim Fries

Tim Fries is co-founder of The Tokenist. He has a B.Sc. in mechanical engineering from the University of Michigan and an MBA from the University of Chicago Booth School of Business. Tim was a senior associate on the investment team of RW Baird’s US private equity practice and is also a co-founder of Protective Technologies Capital, an investment firm specializing in sensing, protection and control solutions.
