Crypto Sleuth Alleges Wintermute of an Inside Job in the $160 Million Exploit

Key Takeaways:



Edwards alleges relevant transactions initiated by the EOA indicate that the hacker was likely an internal member of the Wintermute team. “The idea is that by recovering the private key for that EOA, the attacker was able to make calls on the Wintermute smart contract, which supposedly had admin access,” he said.



A few days ago, crypto trading platform Wintermute suffered an exploit in which hackers stole a staggering $160 million. Now a Medium blog post by ‘Librehash’ has surfaced alleging that the exploit was an inside job.



“The relevant transactions initiated by the EOA [externally owned address] make it clear that the hacker was likely an internal member of the Wintermute team,” the blog reads.



James Edwards, known as Librehash, says, “the EOA that made the call on the ‘compromised’ Wintermute smart contract was itself compromised via the team’s use of a faulty online vanity address generator tool.”



“The idea is that by recovering the private key for that EOA, the attacker was able to make calls on the Wintermute smart contract, which supposedly had admin access,” he said.



In a deeper analysis of the exploit, Edwards says that when he manually decompiled the smart contract code himself, he found that the code does not match what has been attributed as the cause of the hack.



“Team needs to clarify how the attacker would (a) have the necessary signature for contract execution (b) know what functions to call since there’s no contract source code published; one of the ‘hack’ TXs involved a ‘delegatecall’ – suggesting intimate knowledge,” Edwards’ tweet reads.




6a/ Based on @EvgenyGaevoy 's tweet, we know the team was aware the smart contract had been compromised at this point. So why initiate these two withdrawals directly to the compromised smart contract smack in the middle of the hack? — James Edwards (@librehash) September 26, 2022




He further adds that the allegedly compromised Wintermute smart contract (0x0000000ae) received two deposits from Kraken’s and Binance’s hot wallets, noting that it is safe to assume the transactions must have been initiated from team-controlled exchange accounts.



“Less than one minute after the ‘compromised’ Wintermute smart contract received over 13M USDT in funds, all of said Tether was sent out from the wallet in a manual transfer to the 0x0248 smart contract. As we saw prior, this transfer was initiated by the 0x0000000fe regular wallet address.”



He questions how plausible it is that the team would initiate two withdrawals from two different exchanges (Binance and Kraken) to their smart contract less than 2 minutes after they were compromised.



Wintermute is yet to respond to the blog post. Commenting on the exploit, Wintermute, on September 21, stated, “The hack was isolated to our DeFi smart contract and did not affect any of Wintermute’s internal systems. No third party or Wintermute data was compromised.”





