A hacker stole $160 million in digital assets from cryptocurrency trading firm Wintermute, its chief executive said Tuesday in an appeal for hackers to restore the funds that also contained a message that the company remains solvent.
Any lender inclined to recall a loan will be paid in full, tweeted CEO Evgeny Gaevoy.
The hack affected the London-based market maker’s decentralized finance operation but not its centralized finance or over-the-counter operations, Gaevoy said. The company has more than twice the stolen amount on hand in equity, he added.
Wintermute supplies liquidity to cryptocurrency trading by holding digital assets in internet-connect wallets and tapping into them when necessary to ensure the execution of large deals. The company is among the largest market makers and is backed by Lightspeed Venture Partners and Pantera Capital.
Mudit Gupta, chief information security officer at Ethereum cryptocurrency transaction scaler Polygon, analyzed tokens being transferred to the attacker’s address and said the hack may be a hot wallet compromise due to a vulnerability created by a wallet addressing tool called Profanity. The bug was publicly disclosed Thursday by 1inch Network.
The vulnerability, which stems from how Profanity hashes wallet public keys to generate a blockchain address, allows attackers to recover the private encryption key necessary to drain a wallet of funds, 1inch Network disclosed. “It looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions,” the company warned.
