E15 - Wintermute's 160 Million Dollar Key Generation Lesson - 9/20/2022
Listen at: idegen.fm
Contact us: @idegenfm
Intro
Welcome to I, Degen - A podcast about crypto technology, security, and culture. With a healthy balance of enthusiasm and skepticism, we dig into a weekly look at crypto, cutting through the misinformation and hype in search of signal in the noise.
Episode Summary
In this episode, we hunt for Do Kwon and look at the White House’s comprehensive framework for the responsible development of digital assets. Then we look into Wintermute’s 160M key generation issue. We discuss emerging post-merge Ethereum narratives and the Omni bridge replay attack. We also get into an IRL customs scam for our hack attempt of the week.
I, Degen - Weekly
The wanted crypto developer Do Kwon, who is accused of fraud by investors following the $45 billion (€45 billion) collapse of his cryptocurrencies Luna and TerraUSD, is reportedly trying to evade South Korean authorities. Prosecutors have accused Kwon of financial fraud, arguing that his terraUSD stablecoin was a kind of investment security under South Korea’s capital markets act [2]. Kwon moved from South Korea to Singapore, where the now defunct stablecoin issuer Terraform Labs, which he co-founded, has a base. However, Singapore Police Force said on Saturday he is currently not in the city-state. South Korean prosecutors told Bloomberg in a text message on Monday that there has been “circumstantial evidence of escape” since he left Singapore. The media outlet said prosecutors declined to comment on whether the office knows of Kwon’s whereabouts or if it will contact the international police agency Interpol. Last week, Kwon was charged with violating the Capital Markets Act, and an arrest warrant was issued for him and five others allegedly connected to the case who were believed to be in Singapore.
–EuroNews
Over the past six months, agencies across the government have worked together to develop frameworks and policy recommendations that advance the six key priorities identified in the EO: consumer and investor protection; promoting financial stability; countering illicit finance; U.S. leadership in the global financial system and economic competitiveness; financial inclusion; and responsible innovation. The nine reports submitted to the President to date, consistent with the EO’s deadlines, reflect the input and expertise of diverse stakeholders across government, industry, academia, and civil society. Together, they articulate a clear framework for responsible digital asset development and pave the way for further action at home and abroad.
Protecting Consumers
Still, sellers commonly mislead consumers about digital assets’ features and expected returns, and non-compliance with applicable laws and regulations remains widespread. One study found that almost a quarter of digital coin offerings had disclosure or transparency problems—like plagiarized documents or false promises of guaranteed returns. The reports encourage regulators like the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC), consistent with their mandates, to aggressively pursue investigations and enforcement actions against unlawful practices in the digital assets space. The reports encourage the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC), as appropriate, to redouble their efforts to monitor consumer complaints and to enforce against unfair, deceptive, or abusive practices. The reports encourage agencies to issue guidance and rules to address current and emergent risks in the digital asset ecosystem. Regulatory and law enforcement agencies are also urged to collaborate to address acute digital assets risks facing consumers, investors, and businesses. In addition, agencies are encouraged to share data on consumer complaints regarding digital assets—ensuring each agency’s activities are maximally effective. The Financial Literacy Education Commission (FLEC) will lead public-awareness efforts to help consumers understand the risks involved with digital assets, identify common fraudulent practices, and learn how to report misconduct.
Advancing Responsible Innovation
The Office of Science and Technology Policy (OSTP) and NSF will develop a Digital Assets Research and Development Agenda to kickstart fundamental research on topics such as next-generation cryptography, transaction programmability, cybersecurity and privacy protections, and ways to mitigate the environmental impacts of digital assets.
Quite a bit more to the report.
And the Forbes Headline reads…
Joe Biden Just Sent A Stark Warning To Bitcoin And Crypto After $2 Trillion Price Crash
What is your narrative?
What do the machines think?
- [June 9th, Wintermute OP issue](https://rekt.news/wintermute-rekt/) and now this… https://rekt.news/wintermute-rekt-2/
Even worse, the possibility of this issue was raised on the Profanity Github on January 17th, 2022.
Why didn’t Wintermute act when the Profanity issue was raised with proof six days ago? Well, they did:
Around the time that the disclosure happened, Wintermute removed all ether from an admin address which suggests that they realized it might have been vulnerable. However, they forgot to remove this address as an admin from their vault. The attacker is likely a seasoned hacker/solidity developer. They created a helper contract, deposited stables into curve to avoid blacklisting, and figured out this vulnerability in a closed-source vault contract in the first place.
–Mudit’s Blog
The stolen funds were mostly various stablecoins, totalling $118.4M. The majority of these were deposited into Curve’s 3pool, presumably in an attempt to avoid any blacklisting. The exploiter is now the 3rd largest holder of 3CRV with over 13% of the supply.
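The key generation lesson in code, as an added example that is not Profanity’s, Wintermute’s, 1inch’s or the show’s own code. The publicly disclosed Profanity finding was that a 32-bit value seeded a 64-bit Mersenne Twister, the starting private key was derived from that stream, and the vanity search then walked the key by incrementing it. The model below keeps that shape with a toy address function in place of secp256k1 + keccak, a seed space shrunk to 2^12 (`DEMO_SEED_BITS`, `VANITY_STEPS` and the `toy_address` map are my assumptions) so the brute force finishes in seconds, and shows an attacker recovering the private key from nothing but the public vanity address, beside the way a key should be drawn.

```python
import hashlib
import random
import secrets

# Constructed model of the Profanity-style weakness; not the tool's real code.
# The real tool: 32-bit seed -> MT19937-64 -> starting private key -> key += 1
# per candidate. Only the seed carries entropy, so only the seed needs guessing.

SEED_BITS = 32          # effective seed entropy in the real tool
DEMO_SEED_BITS = 12     # assumption: shrunk so the brute force below runs in seconds
VANITY_STEPS = 256      # assumption: how far the incrementing search walks per seed


def weak_private_key(seed: int) -> bytes:
    """256-bit 'private key' whose only entropy is the small PRNG seed."""
    rng = random.Random(seed)                        # MT19937: output fixed by seed
    return rng.getrandbits(256).to_bytes(32, "big")


def toy_address(private_key: bytes) -> str:
    """Stand-in for pubkey derivation + keccak-160 (assumption: any fixed map works)."""
    return hashlib.sha256(private_key).hexdigest()[-40:]


def increment_key(start: bytes, step: int) -> bytes:
    return ((int.from_bytes(start, "big") + step) % (1 << 256)).to_bytes(32, "big")


def weak_vanity_search(seed: int, prefix: str, max_steps: int = VANITY_STEPS):
    """Profanity-style search: seed once, then walk the key by +1 per candidate.
    Returns (private_key, address, step) for the first address with `prefix`,
    or None if the walk runs out."""
    start = weak_private_key(seed)
    for step in range(max_steps):
        key = increment_key(start, step)
        addr = toy_address(key)
        if addr.startswith(prefix):
            return key, addr, step
    return None


def recover_private_key(target_addr: str, seed_bits: int = DEMO_SEED_BITS,
                        max_steps: int = VANITY_STEPS):
    """Attacker's view: the unknowns are the seed and the walk offset, so the
    work is 2**seed_bits * max_steps address computations, not 2**256.
    Returns (seed, private_key) or None."""
    for seed in range(1 << seed_bits):
        start = weak_private_key(seed)
        for step in range(max_steps):
            key = increment_key(start, step)
            if toy_address(key) == target_addr:
                return seed, key
    return None


def strong_private_key() -> bytes:
    """What a key generator should do: 256 bits straight from the OS CSPRNG,
    so there is no small seed to enumerate."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    victim_seed = secrets.randbelow(1 << DEMO_SEED_BITS)      # hidden from attacker
    found = weak_vanity_search(victim_seed, "a")
    if found is None:
        raise SystemExit("no vanity hit within the walk; rerun")
    key, addr, step = found
    print(f"victim: vanity address {addr} (seed={victim_seed}, step={step})")
    print("attacker recovered (seed, key):", recover_private_key(addr))
    print(f"real tool: 2**{SEED_BITS} possible seeds; CSPRNG keygen: 2**256 keys")
```

The 2^32 seed space of the real tool is small enough that a few GPUs enumerate it; the fix is not a bigger Mersenne Twister seed but never deriving keys from a seedable PRNG at all. Draining a known-weak address, as Wintermute did, also does nothing if that address keeps a privileged role in another contract.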
I, Degen - Deep Dive
Reflecting on the merge ETH?
Ethereum itself
Social Attacks - Narrative-based attacks in crypto. We tend to think about FUD as a person or small group spreading disinformation, but with crypto it seems we have more large-scale coordinated narrative-based attacks. For example,
Flashbots does build the vast majority of relay blocks… but all relay blocks only make up less than 20% of the network … so, it’s missing the much more interesting point, which is that surprisingly few validators are using MEV Boost at all.
–r/Ethstaker
However:
- Debate rages over ETH as a security post merge
Gary Gensler said cryptocurrencies that allow staking could qualify as securities under the Howey test.
Larger Ecosystem Impact
- ETC Hash Rate
- Omni Bridge Replay attack on ETHPoW & price plummets 37%
- The root cause of the exploitation is that the Omni bridge on the PoW chain uses the old chainId and doesn’t correctly verify the actual chainId of the cross-chain message. –BlockSec
According to the security researchers, the attacker first transferred 200 WETH through the Omni Bridge and then replayed the same message on the PoW chain, getting an extra 200 ETHW. In short, the root cause of the exploitation is that the Omni bridge on the PoW chain uses the old chainId and doesn’t correctly verify the actual chainId of the cross-chain message. Besides, similar issues may exist in other protocols.
From PeckShield - Seems like @EthereumPow suffered a replay attack. $ETHW has dropped -12%. Be Alert
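The chainId bug as a runnable model, added here as an example; it is not Omni Bridge, BlockSec or PeckShield code. Validator signatures are stood in for by HMAC-SHA256 under a constructed key so it runs without an ECDSA library; the message layout, `VALIDATOR_KEY`, the recipient and nonce are my assumptions. What the example shows is the difference between comparing the message’s chain ID against a value left in storage from before the fork (the bug) and against what the executing node reports (the fix), and that the same signed 200 WETH message passes on both chains in the first case and only on mainnet in the second.

```python
import hashlib
import hmac

# Constructed model of the chainId-binding bug; not Omni Bridge code.
VALIDATOR_KEY = b"constructed validator signing key"   # assumption: stand-in for validator keys
ETH_CHAIN_ID = 1
ETHW_CHAIN_ID = 10001                                  # chain ID adopted by the EthereumPoW fork
WETH_200 = 200 * 10**18


def encode_message(recipient: str, amount_wei: int, nonce: int, chain_id: int) -> bytes:
    """Fixed-width packing of one cross-chain transfer (assumption: simplified layout).
    The destination chain ID is part of what validators sign."""
    return (bytes.fromhex(recipient[2:]).rjust(20, b"\0")
            + amount_wei.to_bytes(32, "big")
            + nonce.to_bytes(32, "big")
            + chain_id.to_bytes(32, "big"))


def validator_sign(message: bytes) -> bytes:
    """HMAC stands in for the validators' ECDSA signature."""
    return hmac.new(VALIDATOR_KEY, message, hashlib.sha256).digest()


class Bridge:
    """One deployment of the bridge's receiving side.

    stored_chain_id: chain ID written to storage at deploy time. After a fork
                     the PoW copy of the contract still holds the mainnet value.
    live_chain_id:   what block.chainid reports on the node executing the call;
                     differs from stored_chain_id on the fork.
    use_live:        False = compare against storage (the bug); True = the fix.
    """

    def __init__(self, stored_chain_id: int, live_chain_id: int, use_live: bool):
        self.stored_chain_id = stored_chain_id
        self.live_chain_id = live_chain_id
        self.use_live = use_live
        self.processed = set()
        self.balances = {}

    def execute(self, recipient: str, amount_wei: int, nonce: int,
                msg_chain_id: int, signature: bytes) -> bool:
        expected = self.live_chain_id if self.use_live else self.stored_chain_id
        if msg_chain_id != expected:
            return False                       # message belongs to another chain
        digest = validator_sign(encode_message(recipient, amount_wei, nonce, msg_chain_id))
        if not hmac.compare_digest(digest, signature):
            return False                       # validators never approved this message
        if nonce in self.processed:
            return False                       # same-chain replay
        self.processed.add(nonce)
        self.balances[recipient] = self.balances.get(recipient, 0) + amount_wei
        return True


def replay_outcome(use_live_chain_id: bool) -> dict:
    """Bridge 200 WETH on mainnet, then replay the identical message on the PoW
    chain, whose contract storage was copied from mainnet at the fork."""
    recipient = "0x" + "11" * 20                         # constructed address
    nonce = 42                                           # constructed
    sig = validator_sign(encode_message(recipient, WETH_200, nonce, ETH_CHAIN_ID))
    mainnet = Bridge(ETH_CHAIN_ID, ETH_CHAIN_ID, use_live_chain_id)
    pow_fork = Bridge(ETH_CHAIN_ID, ETHW_CHAIN_ID, use_live_chain_id)
    return {
        "mainnet_accepted": mainnet.execute(recipient, WETH_200, nonce, ETH_CHAIN_ID, sig),
        "pow_replay_accepted": pow_fork.execute(recipient, WETH_200, nonce, ETH_CHAIN_ID, sig),
        "ethw_credited": pow_fork.balances.get(recipient, 0),
    }


if __name__ == "__main__":
    print("stored chainId (bug):", replay_outcome(use_live_chain_id=False))
    print("block.chainid (fix): ", replay_outcome(use_live_chain_id=True))
```

On the EVM the fix is to read `block.chainid` (EIP-1344) at execution time rather than a value set at deploy time, and to keep the chain ID inside the signed data, as EIP-712 domain separators do, so a message cannot validate on a fork even if a deployment forgets the comparison. Any contract that caches the chain ID in storage, or hardcodes it in a signed-message prefix, is exposed the same way on every fork.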
I, Degen - Freestyle Convo
I, Degen - Other Stuff
I, Degen - Personal Hack Attempt of the Week
Central American customs shakedown
Outro
We do our best to report accurately on the topics we discuss, but we’re not always going to get everything right. Please comment here or reach out to us @idegenfm with corrections or comments!
Show notes at: https://hackmd.io/@idegen/E15-wintermute-key-generation-lesson