Our short analysis of the Accusation of the Wintermute Project

By BlockSec

After investigating the report named Analysis of the Wintermute Hack: An Inside Job (the report) published by James Edwards (@libreshash), we believe that the accusation of the Wintermute project is not as solid as the author claimed.

0x1. The privilege of the account 0x0000000fe6a514a32abdcdfcc076c85243de899b

The report just looked up the current state of the account in the mapping variable _setCommonAdmin, however, it is not reasonable because the project may take actions to revoke the admin privilege after knowing the attack.

The storage slot key of _setCommonAdmin[0x0000000fe6a514a32abdcdfcc076c85243de899b] is 0x1488acaeec0884899a8f09209808003200bbe32c28e8f074961d28a1dc78daa1, and we just investigated the storage change in history accordingly. The result shows that the value has been altered twice in the following two transactions:

• 0x37ab1d41fe3fa405b993c72ad9812d2074d55639f31ead8db2668993f3028f2a (at block 15007314);
• 0x3456571463b98eb253bfd894f06ed706073942a89fb21c42fc12ea56c190b528 (at block 15575003).

The first modification just changed the value from 0 to 1; while the second changed the value from 1 to 0, as follows:

Note that the attack analyzed in the report occurred at block 15572515 (0xd2ff7c138d7a4acb78ae613a56465c90703ab839f3c8289c5c0e0d90a8b4ce16), which is in between the first modification and the second one.

Obviously, the second modification of the value means the project just revoked the admin privilege of the account.

0x2. The suspicious activity

The report regarded the following activity as suspicious:

However, it is not as plausible as it claimed. The attacker could monitor the activity of the transferring transactions to achieve the goal. It is not quite weird from a technical point of view. For example, there exist some on-chain MEV-bots which continuously monitor the transactions to make profits.

0x3. Conclusion

In brief, this report is not convincing enough to accuse the Wintermute project.

About BlockSec

The BlockSec is dedicated to building blockchain security infrastructure. The team is founded by top-notch security researchers and experienced experts from both academia and industry. We have published multiple blockchain security papers in prestigious conferences, reported several zero-day attacks of DeFi applications, and successfully protected digital assets that are worth more than 5 million dollars by blocking multiple attacks.

• Twitter: [BlockSecTeam]
• Medium: https://blocksecteam.medium.com
• Website: https://www.blocksec.com