Security and Risk

20 Sep - Wintermule

Wintermule lost $160 million after its hot wallet being compromised due to a known vulnerability of the wallet address and key generator it used. [more][more-CEOWintermule] [more-ProfanityBug1inch][more-Profanity]

• Background. Wintermute is among the largest crypto liquidity providers dedicated to crypto market making for exchanges including Binance and Coinbase.

• Wintermute CEO, Evgeny Gaevoy, indicated that the hack is likely to be linked to Profanity-type exploit of their DeFi trading wallet. He indicated that Profanity and an internal tool were used to generate addresses with many zeroes in front for gas optimization, not “vanity”. (about Profanity below)

• Wintermute CEO indicated that they are still operational with $320 million. He also offered the hacker a 10% bounty if the funds were to return.

What is Profanity?

• Profanity is a wallet address generator, also know as Ethereum vanity address generating tool. It could generate wallet address with many zeros in front.

Why Profanity generated addresses are vulnerable? And what happened?

• On 15 Sep, DeFi protocol 1inch took to public and warned that Ethereum wallet addresses and associated keys generated by Profanity were weak. This is due to the use of smaller range of random numbers (32bit) to kick start the cryptograhic process. As such, the private key can be easily brute-forced based on the wallet address.

• 1inch noted that there are signs of attack and advised users of Profanity to migrate out to other addresses.

• The author of Profanity has indicated on the github site that the project was abadoned years ago. As updated on 15 Sep, the site also warned about the known security risk, and not to use it.

• Separately on 16 Sep, security analyst with twitter handler “ZachXBT” noted that a hacker drained $3.3 million from multiple Ethereum addresses generated with a tool called Profanity, according to on-chain data from Etherscan. [more]

20 Sep - Arbitrum

Arbitrum, the layer-2 Ethereum scaling solution, paid a whitehat a bounty of 400 ETH (est. $500K USD) as a reward via the bug bounty platform ImmuneFi for discovering an exploitable bridge bug. The whitehat was soured for the low bounty in view of the potential loss incurred by Arbitrum would be $470M. [more][more-analysis]

18 Sep - Ethereum PoW

Ethereum proof-of-work token suffered a replay attack through the Omni bridge of Gnosis chain. The exploit happened because the bridge did not properly verify the ID of the cross-chain message, allowing the attacker to repeatedly swap WETH (Wrapped ETH) for ETHW (ETH PoW).[more][more-ETHPoW]

Other crypto picks

1. United Kingdom introduced the Economic Crime and Corporate Transparency Bill to extend police powers over cryptocurrencies in order to counteract cyber crime, money laundering, and “foreign kleptocrats.” [more][more-UK]

2. Indonesia’s trade ministry wanted to clamp down on foreign ownership with two-thirds of crypto exchange board members and directors to be citizens residing within the country. It also wanted client funds to be custodied by a third party, and exchanges to be barred from reinvesting these stored digital assets. [more]

3. United States Department of Defence - The Defense Advanced Research Projects Agency (DARPA) has contracted digital asset data and analytics provider Inca Digital to research national security risks posed by cryptocurrency. [more]

4. Ethereum co-founder Buterin said that as the technological transition is something that has been widely celebrated within the Ethereum community, and the next main area of focus now for Ethereum developers is solving scalability issues - the Surge. [more]

   • This next step, dubbed “the Surge,” is slated as an intended series of single events that will eventually allow the Ethereum network to process thousands or tens of thousands of transactions per second, up from 30 transactions per second in its current state.

5. Blockchain Zilliqa announced the launch of its own Web3 gaming console, it seems ready to jump into a sector led by PlayStation, Microsoft, and Nintendo. The upcoming console will have multiple capabilities allowing players to enjoy gaming while mining the network native token, ZIL. [more]

6. Blockchain Cardano completed its most significant upgrade to date bringing “performance & capability enhancements to Cardano, from higher throughput capability via diffusion pipelining to a better developer experience with much-improved script performance, efficiency & lower costs.” [more]

7. Tether has been ordered by the court to produce general ledgers, balance sheets, income statements as part of a market manipulation suit tied to USDT, in an ongoing market manipulation lawsuit alleging USDT artificially inflated crypto prices. [more]

8. Singapore DBS rolled out self-directed crypto trading on DBS Digital Exchange (DDEx) via its digibank to 100,000 accredited investors. [more]

9. Singapore couple held the country first-of-its-kind metaverse wedding at Sandbox in retro theme, decorated with super trees and Cinderella horse-drawn carriage. [more]