The hacker behind the Wintermute exploit of September 2022 is now the largest holder of Curve DAO’s CRV, Etherscan data on April 25 shows.
Wintermute exploiter controls 28% of all CRV in circulation
As of writing, the address controlled by the “Wintermute Exploiter” holds 111,953,508.959916301101032331 CRV, or over 28% of the total supply.
CRV is the governance token of the Curve DAO, the decentralized autonomous organization (DAO) behind Curve, the decentralized exchange for stablecoins, and is critical for voting.
The more of the token an organization, individual, or entity controls, the more sway it has over development proposals.
The Wintermute Exploiter has more tokens than those held in the DAI/USDC/USDT Curve DAO gauge, which stands at 59,356,921.119106859558394588 CRV, or around 15% of the total supply.
Curve DAO’s gauge measures the level of liquidity a user provides at any time. The more a user supplies liquidity and deposits liquidity provider tokens, the higher the gauge and, therefore, the more incentives they receive in CRV. Besides governance, CRV is also used to accumulate value over time.
The hacking group also controls all the tokens staked via Frax Finance, a liquidity staking provider and a competitor of Lido Finance. Tokens held through this facility amount to 93,147,299.745660205446630915 CRV, or around 23.3% of the total supply.
At this level, the risk the hacking group poses to the protocol’s governance and general decentralization is worrying. The situation is even worse considering that the top 100 wallets control over 99% of all CRV in circulation.
Since the exploiter’s wallet address is constantly monitored and the hacker could be apprehended, the effect on CRV’s price could be severe.
The Wintermute hack of Q3 2022
In September 2022, Wintermute, an algorithmic market maker, was hacked for a whopping $160 million.
The weakness was pinned on a hole in their Profanity algorithm; it was the second time they had been hacked that year.
Short communication on the ongoing Wintermute hack
— wishful cynic (@EvgenyGaevoy) September 20, 2022
Of the funds taken in this hack, 73% were stablecoins (DAI, USDT, and USDC) worth $114 million. The remainder were bitcoin (BTC) and ethereum (ETH) derivatives. The stolen stablecoins were deposited into Curve Finance, most likely to avoid being blacklisted.