September 20, 2022
Today's $160 million Wintermute hack is the 7th largest in DeFi history. Using the Arkham Platform, we looked at the on-chain data regarding this incident & visualized the flow of funds from Wintermute to the attacker.
At time of publishing the hacker’s top holdings are: $114M in 3CRV, $13M in $WBTC and $9M in $ETH.
As a result of this incident, Wintermute’s on-chain holdings appear to be down to $55 million, 3x less than the hacker. With their top 3 holdings: $12.6M in $LDO, $6.2M in $YFI and $5.9M in $BTRST.
The hacker immediately moved nearly all of the stolen funds to another address, first funded 23 min before the hack with 10 ETH from Tornado Cash. After exchanging $12M in BUSD/TUSD for DAI, this 2nd hacker address deposited $114M in USDC/USDT/DAI to Curve, acquiring 3CRV.
All hacker activity occurred within a 45 min window ending at 05:48 UTC.
The Wintermute Hacker’s Next Move
Following the exploit, the hacker deposited nearly all of the obtained stablecoins into Curve's 3pool. It is likely the hacker did this to avoid having their $USDT and $USDC blacklisted by Tether & Circle. Once the stolen tokens were deposited into the pool, they could no longer be blacklisted - however, it remains unclear what the hacker's next move could be from this position.
Though they may choose to redeem $DAI with their 3CRV, which cannot be blacklisted as $DAI does not have a centralized entity to freeze it, such a move would be straightforward to trace on chain. The PolyNetwork hacker was the last to use the CurveFinance 3pool in this way, in the 2nd biggest #DeFi hack in history.
During this exploit, Tether blacklisted ~$33m of the stolen $USDT. Soon after, the PolyNetwork hacker successfully moved the rest of their stolen stablecoins into the pool. However, they seemed to hit a snag in deciding what to do next.
Within days, the hacker returned the funds in exchange for a bounty. While this could have been the goal all along, it is also possible they were unable to find a way to launder their funds from 3pool.
It remains to be seen what the Wintermute hacker will do.
We wish the Wintermute Team all the best with recovering from this incident. For continual updates on our analysis, visit us on Twitter.