https://www.benzinga.com/markets/cryptocurrency/22/09/28972362/wintermute-asks-hacker-to-return-stolen-funds-or-face-legal-action
Automated market maker Wintermute, which was hacked of $160 million worth of funds, has told the hacker to return the stolen funds or face legal consequences.
In an on-chain message sent to the hacker on Thursday, Wintermute warned whoever it was to accept a $16 million white-hat bounty and return the remaining $144 million.
Cooperate or Face Legal Consequences
“We want to cooperate with you and resolve this matter immediately. Accept the terms of the bounty and return the funds within 24 hours before September 22nd UST by 23:59 while we can still consider this a white-hat event for a 10% bounty as offered,” the message said.
The message further stated the hacker would be referred to as a "white hat" (a term used to describe ethical hackers) if they returned the funds.
This suggests an assurance that if the bad actor agrees to the request, no legal action will be pursued.
The hacker still has about 6 hours as of this writing to accept the bounty offer.
If the money, minus the bounty, is not returned within the stipulated time, the Wintermute team will contact the "relevant authorities and avenues," the on-chain statement said.
“If the stolen funds are not returned by the deadline, you will force us to remove our bounty offer and white-hat label; we will then proceed accordingly with the appropriate authorities and avenues,” it stated.
Human Error Attributed to the Hack
According to Wintermute CEO Evgeny Gaevoy, the theft of around $160 million from the algorithmic market maker service was the result of a "human mistake."
The assault vector was connected to the Ethereum vault that Wintermute uses for its on-chain decentralized finance (DeFi) trading activities.
Gaevoy emphasized this wallet was separate from Wintermute's centralized financing (CeFi) and over-the-counter (OTC) activities, as well as that none of its internal or counterparty data, nor any of its CeFi or OTC wallets, were harmed or compromised.
A Profanity-Related Vulnerability Was Used in the Assault
Gaevoy said that a "profanity-type exploit" on Wintermute's DeFi vault was most likely what started the attack.
Profanity was used to produce keys on the compromised wallet address last week, according to a post written by 1inch contributors.