The Bug That Took Down Wintermute Is Still at Large

Though no funds were lost, ParaSwap is the latest protocol found to have a vulnerable deployer address

article-image

Source: DALL·E

share

key takeaways

  • ParaSwap was alerted of the vulnerability early Tuesday by security firms
  • The vulnerability, in a tool called Profanity, was exploited to drain $160 million from global crypto market maker Wintermute last month

Blockchain security infrastructure company BlockSec confirmed on Twitter that decentralized exchange aggregator ParaSwap’s deployer address was vulnerable to what’s become known as the Profanity vulnerability.

ParaSwap was first alerted of the vulnerability early Tuesday morning after Web3 ecosystem security team Supremacy Inc. learned that the deployer address was associated with multiple multi-signature wallets.

Loading Tweet..

Profanity once was one of the most popular tools used to generate wallet addresses, but the project was abandoned due to fundamental security flaws

Most recently, global crypto market maker Wintermute was set back $160 million due to a suspected Profanity bug.

A Supremacy Inc. developer, Zach — who didn’t provide his last name — told Blockworks that Profanity generated addresses are vulnerable to hacks because it uses weak random numbers to generate private keys.

“If these addresses initiate transactions on the chain, exploiters can recover their public keys through transactions and then obtain the private keys by continuously back-propelling collisions on the public keys,” Zach told Blockworks via Telegram on Tuesday.

“There is one and only one solution [to this problem], which is to transfer the assets and change the wallet address immediately,” he said.

After looking into the incident, ParaSwap said that no vulnerabilities were found and denied that Profanity generated its deployer.

Although it is true that Profanity did not generate the deployer, BlockSec co-founder Andy Zhou told Blockworks that the tool that generated ParaSwap’s smart contract was still at risk of Profanity vulnerability.

“They didn’t realize they used a vulnerable tool to generate the address,” Zhou said. “The tool did not have enough randomness which made it possible to crack the private key address.”

Knowledge of the vulnerability has also been able to help BlockSec recover funds. This was true for DeFi protocols BabySwap and TransitSwap, which were both attacked on Oct. 1.

“We were able to retrieve the funds and return them to the protocols,” Zhou said.

After noticing that some attack transactions had been front run by a bot susceptible to Profanity vulnerability, BlockSec developers were able to effectively steal from the thieves.

Despite its popularity as an efficient tool for generating addresses, the developer of Profanity cautioned on Github that wallet security is paramount. “The code will not receive any updates, and I’ve left it in an uncompilable state,” the developer wrote. “Use something else!”


Don’t miss the next big story – join our free daily newsletter.

Tags

Upcoming Events

Hilton Metropole | 225 Edgware Rd, London

Mon - Wed, March 18 - 20, 2024

Crypto’s premier institutional conference returns to London in March 2024. The DAS: London Experience: Attend expert-led panel discussions and fireside chats Hear the latest developments regarding the crypto and digital asset regulatory environment directly from policymakers and experts.

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Top Icon.png

Research

Osmosis thrived in H2 2023 on the back of increased DeFi activity deriving from recently launched Cosmos-related projects and better market conditions. With new value accrual mechanisms for the native token, Osmosis is well-positioned to continue its strong performance in 2024.

/

article-image

Though the opposing flow trend is likely to slow over time, industry watchers note, bitcoin fund assets could one day eclipse the $90 billion gold ETF space

article-image

Celestia had the first mover advantage. EigenDA has staked ether. What sets Avail apart?

article-image

Bitcoin moved 1% higher Monday morning in New York, Matrixport analysts say $62,000 could happen next month

article-image

It’s hard to believe right now that crypto — even with all of its flexibility and massive capabilities — could ever be like cash on the internet

article-image

Michael Saylor announced Monday morning that MicroStrategy bought 3k more bitcoin after the X account was compromised over the weekend

article-image

Plus, Pudgy Penguins grows its brand and a group of Autoglyphs sell for $14.5 million