When a DeFi platform is hacked, suspicion often falls on insiders who are the most familiar with the smart contracts and security procedures and are, therefore, most likely to be able to devise an exploit. But are insiders really responsible for most DeFi hacks?
It seemed like a major scoop for on-chain sleuth Librehash. In September 2022, he reported that a $160-million hack of Wintermute, a U.K.-based DeFi platform, was likely an inside job.
It exploited a bug in a smart contract that Wintermute used to generate vanity wallet addresses.
According to Librehash (real name James Edwards), in a lengthy analysis of the hack, the relevant transactions initiated by the externally owned address (EOA) that made the call on the compromised smart contract “make it clear that the hacker was likely an internal member of the Wintermute team.”
“The knowledge required to execute this hack precludes the possibility that the hacker was a random, external entity.”
The hack “was the product of an inside job rather than an outside attacker exploiting an EOA with a weak private key,” the sleuth concluded in a tweet.
But what seemed like an open-and-shut case to Librehash was not simple to prove to the world at large. Wintermute, an automated market maker (AMM), vehemently rejected his theory, stating that it emanated from “an unsubstantiated rumor from a Medium page that has factual and technical inaccuracies associated with the claims made.”
And blockchain security firm BlockSec wrote an analysis of Librehas’s analysis, concluding that “the report is not convincing enough to accuse the Wintermute project.”
7/ That concludes my breakdown of the Wintermute smart contract ‘hack’ and why I’ve come to the conclusion that this was the product of an inside job rather than an outside attacker exploiting an EOA with a weak private key due to the use of a faulty vanity addy generator tool
— James Edwards (@librehash) September 26, 2022
Conclusive proof of inside…
..
