Wintermute lost $160 million to hackers through human error, raising alarms about on-chain asset security.
On-chain asset security raises concerns, with frequent large-scale theft cases in the crypto market.
With the rise of on-chain products such as decentralized finance (DeFi) and non-fungible tokens (NFT), user assets are gradually shifting from traditional centralized channels to decentralized wallets, cross-chain bridges, and lending platforms. However, this trend has also brought new security risks, with frequent incidents of on-chain projects and user assets being stolen, leading the community to jokingly refer to blockchain as a "cash machine" for hackers.
Some of these thefts stem from technical issues such as code vulnerabilities, while many others are caused by human negligence. On September 20, the cryptocurrency market maker Wintermute suffered a massive loss of $160 million due to human error.
An Expensive Human Error
After the attack, the company's founder stated on social media that the company's centralized finance and over-the-counter trading businesses were unaffected, and the remaining capital is still twice the debt, with customer funds safe under the market-making agreement with Wintermute. Among the 90 assets that were hacked, only two had a nominal value exceeding $1 million, making a large-scale sell-off unlikely. The company is rapidly communicating with the affected parties.
The blockchain security company Salus Security quickly identified the hacker's address. The funding sources for this address include mixing services and large withdrawals from multiple exchanges. According to the security company's analysis, the attack may be related to Wintermute's use of the vanity address tool Profanity to create EOA wallets.
The founder of Wintermute later admitted that the company did use Profanity and internal tools to create wallet addresses in June, with the aim of optimizing transaction fees rather than obtaining desirable addresses. After learning about the vulnerability in Profanity last week, the company sped up the retirement of the old keys, but because an internal error called the wrong function, it failed to promptly remove the signing permissions of the affected addresses.
Regarding the stolen funds, the founder stated that a bounty of 10%, amounting to 16 million USD, will be given if the full amount is returned. He emphasized that this attack only affected the Ethereum vault used for on-chain DeFi trading, and the company will not lay off employees, change its strategy, raise funds, or stop its DeFi business as a result.
However, on-chain data shows that Wintermute has over $200 million in DeFi debt to multiple counterparties, with the largest being a $92 million USDT loan maturing in October. If the stolen funds cannot be recovered in time, the company may face the risk of a debt crisis.
Wintermute once lost 20 million tokens due to human error.
In fact, this is not the first time Wintermute has suffered losses due to human factors. In June of this year, the company lost 20 million tokens due to an operational error while providing liquidity services for a certain public chain token.
At that time, Wintermute was invited to provide liquidity for the public chain token and received a temporary grant of 20 million tokens. However, the receiving address provided by the company was a multi-signature address on the Ethereum mainnet, which was not deployed on the target chain. Since they could not directly control the cross-chain assets, Wintermute attempted to deploy the multi-signature contract to the same address on the target chain, but was outpaced by the attacker.
Fortunately, the hacker later returned 17 million tokens, and Wintermute promised to repay the remaining 2 million. This incident again highlights the complexity and risks of cross-chain operations.
How Individual Users Can Avoid the Risk of Asset Theft
Institutions frequently suffer huge losses due to human errors. As individual users, how can we protect our own asset security? Here are a few suggestions:
Avoid using third-party tools to create wallets. Such tools may have security vulnerabilities and are prone to malicious monitoring. You should stick to using native encryption wallets.
Use multi-signature for major asset wallets. Although it is not suitable for high-frequency trading, it is an effective security measure for most users.
Do not copy and paste to save your private key. Many devices and applications may steal clipboard content, leading to private key leakage.
Carefully verify the contract address when authorizing operations. Prevent phishing websites and hacked front-ends.
Limit the authorized amount and promptly revoke idle authorizations. Unlimited authorization may pose potential risks, and should be revoked in a timely manner after use.
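The last two suggestions can be checked mechanically. The following is an added example, not part of the original article: it replays ERC-20 Approval event logs for one wallet and reports allowances that are still open and are unlimited, granted to a spender the user has not verified, or idle. The addresses, logs, trusted-spender set and block thresholds are constructed sample values.

```python
# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval log
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_FLOOR = 1 << 255  # heuristic: at or above this, treat the allowance as unlimited

def topic_to_address(topic):
    # Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def audit_approvals(logs, owner, trusted_spenders, current_block, idle_blocks):
    """Replay Approval logs in chain order; return open allowances worth revoking."""
    latest = {}  # (token, spender) -> (amount, block of the last Approval)
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        # ERC-721 Approval shares topic0 but has 4 topics, so require exactly 3.
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(t[1]) != owner.lower():
            continue
        latest[(log["address"].lower(), topic_to_address(t[2]))] = (
            int(log["data"], 16), log["blockNumber"])
    findings = []
    for (token, spender), (amount, block) in sorted(latest.items()):
        if amount == 0:
            continue  # approve(spender, 0) already revoked it
        checks = [("unlimited", amount >= UNLIMITED_FLOOR),
                  ("unverified spender", spender not in trusted_spenders),
                  ("idle", current_block - block > idle_blocks)]
        reasons = [name for name, hit in checks if hit]
        if reasons:
            findings.append((token, spender, reasons))
    return findings

def sample_log(token, owner, spender, amount, block, idx=0):
    """Build a constructed Approval log (block number and index already decoded)."""
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x"), "blockNumber": block, "logIndex": idx}

# Constructed addresses and logs, not real on-chain data.
ME, OTHER, TOKEN_A, TOKEN_D, ROUTER, UNKNOWN = (
    "0x" + c * 20 for c in ("11", "22", "aa", "dd", "bb", "cc"))
LOGS = [
    sample_log(TOKEN_A, ME, ROUTER, 2**256 - 1, 100),      # unlimited, never revoked
    sample_log(TOKEN_D, ME, ROUTER, 1000, 200),            # limited ...
    sample_log(TOKEN_D, ME, ROUTER, 0, 300),               # ... then revoked
    sample_log(TOKEN_A, ME, UNKNOWN, 500, 900),            # spender not on the list
    sample_log(TOKEN_A, OTHER, UNKNOWN, 2**256 - 1, 950),  # someone else's approval
]
FINDINGS = audit_approvals(LOGS, ME, {ROUTER}, current_block=1000, idle_blocks=500)
```

The value in the last Approval log is an upper bound, because spending through transferFrom lowers the allowance without necessarily emitting a new event; read the token's `allowance(owner, spender)` to confirm the current figure before revoking.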
Once blockchain assets are stolen, they are difficult to recover and often not protected by law. Users should remain vigilant at all times and take necessary measures to protect their asset security. It is even more important to act cautiously when performing on-chain operations to minimize risks.