So many ways to leak your private key. Wintermute hack case

So many ways to leak your private key. Wintermute hack case

A villain attacked Wintermute, which resulted in a $160M loss , 73 percent of funds were in stablecoins, as Peckshield has reported. It was discovered during the analysis, that the hacker had taken advantage of a leaked private key, called a specific function and managed to run a swap contract, where the assets were transferred in the end.

More and more such alert notifications pop up here and there. It does not mean that users and developers have become astonishingly careless. What is the reason for these issues then? The specialists blame the key leakage. What does this mean, what kind of attacks wallet and contract holders may face and how can they be avoided.

Private key leakage

Talking about types of wallets one can imagine how the data of custodial wallets can leak, as long as the information protection depends not only on the wallet holder. In case of the non-custodial wallets, the access is more secure and the user needs a private key to get it. The whole responsibility lies totally on the holder’s shoulders and this must grant the assets the highest protection ever. But… One of the weakest points that leads to a catastrophe is when the user loses the key or secret recovery phrase or discloses it willingly or erroneously (somehow similar to the common scam with credit cards or banking accounts). It gives villains the free way to private assets or data.

Popular private key scam scenarios

How does it happen? There is a list of the most frequent scam schemes users fall in.

  • Private key/secret recovery phrase leak tops the rating. More often newbies fall into this trap. Fake tech specialists, help desk assistants or wallet employees try to find out the private information, offering help in various cases or threatening the user with closing an account, etc.
  • The user opens up the private information by mistake or without noticing, for example, when the information is written on the paper or got on the camera shot, or being filmed on video or heard on the phone, etc.
  • The user installs the wallet or program from a fake website and the device becomes infected, or, more than that, the user gives assets away, ‘sponsoring’ unwillingly the criminals. The website may be real and trusted, but does not always double-check the applications and some of them can be fake, but with the same name (several cases were noted with fake application Trezor, which had nothing to do with real Trezor, in GooglePlay store and iPhone Appstore).
  • The user follows the fishing link, replies a suspicious letter or accepts suspicious investing proposal (for example, someone takes on a newbie, offers a helping hand and guidance in crypto world and suggests common investments, from which only the ‘fake benefactor’ gets profits and soon disappears after receiving a reward).

Wintermute hack analysis

Let’s look into the example of the Wintemute hack, mentioned at the beginning.

The attacker called the 0x178979ae function in 0x0x00000000ae347930bd1e7b0f35588b92280f9e75 contract, using the address 0x0000000fe6a514a32abdcdfcc076c85243de899b, supposedly Wintermute owned. The call of this function does not have an open access and requires authorization, so this is a private data leak.

0x178979ae function requires an authorization. Wintermute hack analysis

A specific function with specific parameters is being called within it and the data is transferred to the hacker. It runs an ‘unoswap’ method on 1inch router. The villain created a pool and replaced the real pool.

The data is transferred to the attacker. Wintermute hack case

Thus, the attacker made a transaction:

which proved successful and then repeated it several times until all the tokens from the targeted contract 0x00000000AE347930bD1E7B0F35588b92280f9e75 were transferred to the contract of the fake pool. Then the funds, resulting in total approx. 160 mln US dollars, were withdrawn by means of several transactions such as the following:

Protection strategies

Does this all mean wallet holders are not safe? No. It can mean only that the user can avoid the majority of problems and keep the data and assets safe. What steps should the user take to reach it?

  • First and foremost, keep all private information (either keys or secret recovery phrases) away from the reach of anyone, share them with no one else, however trustful the third party may seem. Not to store valuable data in the place where it can be reached (paper in the pocket is not a good idea, also for the reason that the user can lose it accidentally somewhere; the same is the ‘notepad’ program on the phone)
  • Protect the devices with a reliable and strong antivirus program
  • Install the hot wallet only from the trusted platforms and better check the source twice. Even better is to use the cold wallet.
  • Keep out from suspicious links, letters and convincing proposals, even if the sender resembles a trusted and well-known one, as long as villains are ready to disguise. So double check will not go amiss.


In the end it is necessary to point out once more that privacy of keys is one of the key issues everyone should take care of (however absurd this word playing may sound). Following simple steps and instructions (which do not take much of the user’s time and effort) will save much more of private property and nerves by protecting assets in future. Keeping the keys deep in the secret pocket and sharing them with no one else, even a trustful person, is a good strategy. Safe bind, safe find.

SmartState: New generation of smart contract audit

About SmartState

Launched in 2019 and located in Dubai, SmartState is retaining the place of one of the leading DeFi security auditing companies. We carry out tests of security of the code core, smart contracts and blockchain for all types of errors or vulnerabilities.

We specialize in manual testing, so the SmartState’s tech team of white-hat security professionals carefully measures up a project’s git and supports clients with guidelines and recommendations for the further advancement.

Our security audit reports review the threats and vulnerabilities with which codebases may be exploited in the future, because the network achieves scalability and expands to accommodate more use cases and functionality.

Keep up to date with all the SmartState news & events, follow us on social media:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

SmartState is an independent audit company for DLT projects. It performs smart contract audit and security reviews and provides reco for improvements.