Thousands of addresses at risk – The ecosystem of cryptocurrencies is rooted in open source values. However, open source does not always rhyme with security. Thus, users of the Profanity tool have just found out the hard way, when millions of dollars may have been stolen.
Profanity: the address generator in turmoil
Cryptocurrency wallet addresses are randomly generated by calculating the hash of a public key derived from a random private key. However, in some cases, users wish to reduce the random part to generate personalized addresses. Thus, these have a defined prefix or suffix. These addresses are what are commonly called “vanity addresses”.
To do this, the latter must generate a very large number of addresses in order to hope to obtain the desired address.
Profanity is a tool that allows you to perform this maneuver to generate addresses having a certain suffix or prefix. His high performance brought him great success.
For example, the address 0x00000000000000000000000000000000000dEaD is a very good example of an address that was generated using this method.
>> Generate passive income with your cryptos thanks to the 8% return on FTX Earn (commercial link) <<
A potential attack vector on Profanity?
On September 15, the protocol teams 1inch published a blog post warning Profanity users.
Thus, at the beginning of the year, some 1inch contributors contacted the protocol teams after detecting a potential flaw in the Profanity address generation process.
“In early 2022, some of 1inch’s contributors noticed that Profanity was using a 32-bit random vector to seed 256-bit private keys and suspected it might be dangerous. »
At first, contributors felt it was possible to recalculate vanity addresses. However, the maneuver required thousands of graphics cards and months of calculations.
A few months after this discovery, the deployed addresses of several protocols, including 1inch or Synthetix showed several suspicious activities.
“At least 5 deployers from different projects claimed the same airdrop. Subsequently, the funds claimed passed through a single wallet. It was getting really suspicious. »
Indeed, it was not the holders of these deployer addresses who had claimed the airdrops. Therefore, someone had been able to gain access to these addresses.
More than 3 million dollars exploited
After investigation, 1inch contributors were able to develop a method to regenerate the private keys of vanity addresses.
“A few days ago, concerned contributors at 1inch came up with a proof of concept allowing them to retrieve the private keys of any vanity address generated through the Profanity tool. »
Faced with this discovery, the crypto-investigator ZachXBT has identified that this vulnerability has allowed the hijacking of more than $3.3 million.
“It appears that $3.3 million in cryptocurrency was mined by 0x6ae from this vulnerability. Interestingly, the Indexed Finance attacker was the first address drained by 0x6ae. »
Hundreds of other addresses could also be affected by this flaw. Therefore, tens of millions of dollars could be at risk, as explained in 1inch’s report:
“1inch contributors are still trying to determine the list of vanity addresses that have been hacked. It’s not a simple task, but at this point it looks like tens, if not hundreds of millions of dollars in cryptocurrencies could be stolen. One good thing is that hack evidence is available on the channel forever. »
If you have ever used the Profanity tool to generate a vanity address, we recommend that you put your funds in another address so that your funds do not disappear.
Hard blow for the strikerIndexed Finance. Another hacker relieved him of some of his loot. It is still actively wanted by law enforcement. The schemer refused to return the funds stolen from Indexed Finance.
Are you looking for a crypto platform that is committed to the environment? Register without delay on the FTX reference platform. In addition, you benefit from a return of up to 8% on all your crypto assets (commercial link, see conditions on official website).