Amber Group investigated the $160 million exploit of market maker Wintermute and was able to fully replicate it.
The company said it recomputed the private key of the Wintermute address that was hacked, then signed a transaction from that address, leaving an on-chain message to confirm the experiment.
In two days, Amber Group cracked Wintermute’s private key using a MacBook M1.
“We replicated a recent Wintermute hack. We figured out the algorithm to build the exploit. We were able to reproduce the private key on a MacBook M1 with 16GB of memory in less than 48 hours,” the company stated.
On Sept. 20, Wintermute was hacked for $160 million because of a vulnerability in Profanity, a tool that generates human-readable Ethereum addresses (vanity addresses) containing chosen words, names or phrases.
Amber Group explained that Profanity relied on a particular elliptic-curve key-generation routine to produce large batches of private keys and their corresponding public addresses, keeping those with the desired characters. The tool generated millions of addresses per second and searched them for the letters or numbers a user had requested in their wallet address. However, the process used to generate these keys was not sufficiently random, so the private keys could be recovered by reversing the computation on graphics processors.
“We figured out how Profanity splits the work on the GPU. Based on that, we can efficiently compute the private key of any public key generated by Profanity. We precomputed the public key table, then performed a reverse computation until we found the public key in the table,” the company concluded.