Market maker Wintermute has spoken with the hacker who stole $160 million from the company on Tuesday over the Ethereum blockchain.
The message, which was sent at 00:00 UTC on Thursday, warned the hacker that Wintermute will go to the authorities if the funds weren’t returned by the end of the day. It asked the hacker to take the $16 million “whitehat” prize and give Wintermute the remaining almost $144 million.
“We want to cooperate with you and resolve this matter immediately. Accept the terms of the bounty and return the funds within 24 hours before September 22nd UST by 23:59 while we can still consider this a white-hat event for a 10% bounty as offered,” the message said.
The message continued by stating that the hacker would be referred as a “white hat” (a term used to describe ethical hackers) if they returned the funds. This suggests a promise that if the person agrees with the request, no legal action will be pursued.
The hacker still has 12 hours as of this writing to accept the bounty offer. The team would seek to contact the “relevant authorities and avenues,” the company stated in its on-chain statement if the exploiter does not return the assets (without the bounty).
“If the stolen funds are not returned by the deadline, you will force us to remove our bounty offer and white-hat label; we will then proceed accordingly with the appropriate authorities and avenues,” Wintermute wrote.
Wintermute is battling its vanity address trick.
Tuesday saw the loss of $160 million in various crypto assets from Wintermute’s Ethereum vault, a form of crypto wallet account containing its assets in a smart contract.
The vault’s reliance on a weak admin address with the prefix “0x0000000,” which researchers refer to as a “vanity address,” led to the exploit. Vanity addresses include names or numbers that can be identified.
The vanity address for Wintermute was created by Profanity, one of several internet programs. A security study from 1inch made it known that all profanity-based vanity addresses had a serious vulnerability a few days before the attack on Wintermute. Using “brute force” methods, hackers could be able to calculate their private keys thanks to this flaw.
As an admin user, Wintermute utilized its profanity-based address to verify transactions on its Ethereum vault. Someone brute forced the private key of the same admin address due to the same vulnerability. As a result, the hacker gained access to Wintermut’s vault and was able to steal the money.
This address was chosen by the company because it might result in lower transaction fees. Vanity addresses with a long string of zeros can be used to create these, according to Mudit Gupta, the chief information security officer at Polygon, who spoke with The Block.
This wasn’t the first time a security flaw cost Wintermute money. A hacker was successful in obtaining 20 million Optimism tokens given to Wintermute by the Optimism Foundation for the token’s market launch in June.
After the incident in June, Wintermute offered a 10% bounty, which the hacker accepted following a day of on-chain communication. But this time, Wintermute hasn’t received a response from the hacker.