In my testing I found the current iterations of ChatGPT and GPT-3 (which are largely similar) to have high failure rates comparing and summarizing content in detail. That isn’t to say there aren’t occasional spectacular successes, just that it’s unreliable without careful coaching (aka prompt engineering). I did find it quite capable of accurately producing short form summaries though and decided to improve search-ability and usability of my public reading list by using GPT-3 to read all the articles I added last month to:

1. Summarize

2. Generate relevant keywords

3. Grade the piece as if it were a college professor who was a subject matter expert

4. Write the most upvoted response on Reddit

Of note the ECB’s piece on Bitcoin received the lowest grade with a 60%, the feedback given was: “Does a good job of exploring the complexities surrounding the Bitcoin market, though it could have benefited from more concrete examples of the risks posed by crypto assets”.

On the other hand my intern army gave two perfect 100% grades: Uniswap's Financial Alchemy and Bitcoin Can’t Be Copied. I concur, both are must reads.

My takeaway overall from this experiment is that becoming familiar with the strengths and weaknesses of OpenAI’s GPT models is likely to be an asset. If you are comfortable running a relatively untested Chrome extension I’d suggest setting up this which displays ChatGPT’s answer beside all your Google queries to start learning today without altering your existing workflow.

Follow me on Twitter @jackoneschuk or Farcaster @joneschuk if you enjoyed this post

I have written answers below to my initial questions after reading this Decrypt article.

What assets were stolen?

Initial incident: >80% stablecoins, ETH, AAVE, COMP.

Wintermute incident: >80% stablecoins, ETH, wBTC. Full list at end this report.

Will the loss of $160 million impact Wintermute’s operations?

Per Evgeny, Wintermute still has at least $320 million in equity.

https://twitter.com/EvgenyGaevoy/status/1572134277428703234?s=20&t=0mijxdBSXc5paGyY9e2zmg

At the time of exploit Wintermute had $200M in debt outstanding with on-chain lenders leading Maple Finance and TrueFi to release statements further confirming Wintermute is still in a strong financial position.

https://twitter.com/Blockanalia/status/1572216230890864642?s=20&t=ZDfELG3iMJSSRG3suhRxuA

Why didn’t Wintermute react to the 1inch disclosure on September 14th?

Mudit Gupta noted in his summary of the attack that Wintermute did in fact react shortly after the POC was released by 1inch removing all assets from the vulnerable address. However, that address was also designated an admin of the Wintermute vault smart contract (which contained the $160 million) and Evgeny noted that human error led to this access not being appropriately revoked.

How much computing power did this attack require?

https://twitter.com/0xtuba/status/1572153573605281792?s=20&t=YxDj2xwVLHELZprl-7wjcQ

Although a comment on Profanity’s Github from January of this year hypothesized an attack would require significant computing power the 1inch blog notes instead that their proof of concept allowed them to:

recover private keys from any vanity address generated with Profanity at almost the same time that was required to generate that vanity address

According to a Reddit post from the creator of Profanity in 2017 on a single GPU it takes less than 10 minutes on average to generate a specific 8 character address. The Wintermute address had only 7 leading 0s so per the 1inch blog should have been trivial to crack once the exploiter built the required tools. Further technical discussion about how this was done including comments from the founder of 1inch can be found here.

How much did Wintermute save by using a leading 0 address?

The specific vulnerable address only spent $27k in gas since inception and since leading 0s only reduce gas spend up to 5% in most cases the savings were minimal and likely less than $1k. However the Wintermute vault smart contract has used $3.3 million in total gas across 120k+ transactions over 3.5 months of active use. Extrapolated over a year that puts the upper bound of annual gas savings at about $500k. A Twitter user noted this disparity in $ saved vs. $ lost prompting a lighthearted reply from Evgeny.

https://twitter.com/EvgenyGaevoy/status/1572606599314960385?s=20&t=StRy6I3OtiXccLN8CkB23A

Before recalling that Etherscan added gas analytics I used impersonator.xyz to WalletConnect as Wintermute’s address with fees.wtf to view lifetime gas spend. Including this because I don’t think enough people have impersonator.xyz bookmarked, it’s a great tool.

Where did the funds stolen from Wintermute go?

The Wintermute exploiter swapped the stolen BUSD and TUSD to DAI and then deposited all stolen DAI, USDT, and USDC into Curve’s 3pool becoming the 3rd largest 3CRV holder. This prevents the stablecoins from being blacklisted without also blacklisting all other stablecoins in 3pool (currently $860 million). The other assets stolen are still held by the exploiter and can be see here on debank.

As rekt.news pointed out in their summary of events, it is worrying to see Curve potentially being used as a mixer post Tornado sanctions.

What happens next?

https://twitter.com/EvgenyGaevoy/status/1572329658636537857?s=20&t=kkvxUdJIlxXdHxtFp71ozg

Wintermute has offered a 10% bounty to the exploiter on Twitter and sent a corresponding transaction with the below message indicating a deadline of 5pm PST today.

We want to cooperate with you and resolve this matter immediately. Accept the terms of the bounty and return the funds within 24 hours before September 22nd UST by 23:59 while we can still consider this a white-hat event for a 10% bounty as offered. If the stolen funds are not returned by the deadline, you will force us to remove our bounty offer and white-hat label; we will then proceed accordingly with the appropriate authorities and avenues

Follow me on Farcaster @joneschuk if you have enjoyed this post