Wintermute Hack Was Actually an Inside Job
There's new, relevant information seriously questioning the narrative that this channel's Wintermute Inside Job theory was "debunked" (
it wasn't - at all - because BlockSec and Wintermute failed to account for one critical detail in their failed attempt to debunk Librehash).
Hopefully CoinTelegraph has enough journalistic integrity to either update the embarrassingly off-base article that they published claiming my claims were debunked or publish a new one in their series covering the event that makes it abundantly clear that
nothing was debunked because this channel doesn't publish conspiracy theories or push half-assed, poorly researched ideas for the sake of generating clicks, views or otherwise.
To understand what I'm talking about, how this started, and what's been published (on both of sides), I'm going to briefly walkthrough the order of events that have led us to this point.
What 'Wintermute Hack'? A lot has happened since this event, so if you forgot about it or it slipped your memory - that's understandable.
Way back in September, Wintermute was hacked to the tune of approximately $160M or so.
The narrative that was pushed by the Evgeny (Wintermute founder/lead) and the surrounding community was that the hack was made possible because:
1. The team generated an EOA (regular address on Ethereum) using a "vanity address generator tool" they grabbed from GitHub. FYI a 'vanity address' is one that's specially created to have a human readable phrase/word located within it somewhere or designed to begin with a certain # of leading zeroes (
which was the case in this instance). The specific address in question was: 0x0000000fE6A514a32aBDCDfcc076C85243De899b (
edit:
sorry put up the wintermute smart contract itself at first, substituted it with the correct address now - apologies!)
2. Just a week prior to the Wintermute hack, 1inch (DEX) published an analysis that found that this specific tool used to generate these vanity addresses did so in a cryptographically insecure method that allowed for the practical recovery of the private key associated with any address generated with this tool.
3. Putting #1 and #2 together, you've probably figured that this vanity address identified in #1 was supposedly compromised (via some hacker that somehow deduced that said address was generated using this tool or took a lucky gamble & set about attempting to recover the private key associated with that address).
3a. After said attacker was able to successfully recover the private key to that address (allegedly), they were then able to drain the Wintermute smart contract of all of its funds because this insecure vanity address we identified in #1 was apparently designated an 'admin' by Wintermute's smart contract, which granted it to the authority to unilaterally manage and move funds held by the Wintermute smart contract. Thus, by compromising that address, the attacker effectively was able to compromise the Wintermute Smart Contract.
All sounds good, right?
Not really because this theory didn't pass the sniff test. This channel published an analysis questioning the legitimacy of these claims by Wintermute back on September 26th both on Medium and Twitter which gained a surprising amount of attention all things considered.
You can read the original Medium report here -
https://medium.com/@librehashresearch/analysis-of-the-wintermute-hack-an-inside-job-736422c08ef1 (won't bother linking the Twitter thread since that's redundant).
