A cyber sleuth has claimed to have conducted a follow-up analysis on last week’s $160 million hack on the Wintermute algorithm market maker and published a report that alleges the hack was an inside job.
Reacting to the Wintermute hack, the CEO revealed on Twitter on September 20 that hackers exploited a weakness in the program’s smart contract, resulting in a total loss of $160 million, but claimed that just two of the 90 assets compromised were worth more than $1 million, and none were worth more than $2.5 million.
The author says the attacker was an insider
The analysis’s author, also known as James Edwards, is not a popular cybersecurity analyst or investigator. His report represents his first post on Medium, although neither Wintermute nor any other cybersecurity analysts have commented yet.
He grounds his claims on what he considers to be questionable transactions and smart contract code that doesn’t match the results of the post-mortem inquiry. He claims that the relevant transactions started by the EOA (external owned address) demonstrate that “the hacker was likely an internal member of the Wintermute team.”
In the piece, Edwards makes the case that the prevailing view is that the team’s usage of an unreliable online vanity address generation tool led to the compromise of the EOA that made the decision about the “compromised” Wintermute smart contract.
He explained that the assumption is that the attacker was able to make calls on the Wintermute smart contract, which is alleged to have admin access, by obtaining the private key for that EOA.
He further alleges that the contract source was not checked and published on Etherscan, which presents a problem for the project’s transparency.
“One would expect any smart contract responsible for the management of user/customer funds that’s been deployed onto a blockchain to be publicly verified to allow the general public an opportunity to examine and audit the unflattened Solidity code.”
Wintermute allegedly moved more than $13 million in Tether USD (USDT) from two distinct exchanges to address a breached smart contract, according to Etherscan transaction data cited by Edwards.
He questioned via Twitter that;
“Why would the team send 13 million dollars worth of funds to a smart contract they *knew* was compromised? From TWO different exchanges?”
He added, however, that any answers are welcome if the Wintermute team would like to dispute his report. To yet, the Wintermute team has not reacted to the remark.