1inch: Severe Vulnerability in Ethereum Vanity Address Tool Risks Millions of Dollars

Decentralized exchange aggregator 1inch claimed on Aug. 15 to have discovered a severe vulnerability in Profanity, a tool for generating Ethereum vanity addresses. The flaw has the potential to put millions of dollars in user funds at risk.

1inch founder and CEO Anton Bukov warned Ethereum users in a tweet that “funds are not Safu,” crypto lingo used to express that user funds are at risk of loss following a hack or exploit.

Attention, Ethereans! Funds are not SAFU! Beware of using vanity addresses generated by the “profanity” tool! Moreover, check the ownership of your deployer wallets of vanity contracts. https://t.co/5D9obk2tP9

— Anton Bukov (@k06a) September 15, 2022

“Transfer all of your assets to a different wallet as soon as possible,” 1inch Network later said in a security report. “If you used Profanity to get a vanity smart contract address, make sure to change the owners of that smart contract.”

Hundreds of millions of dollars at risk

Profanity is a tool that allows Ethereum users to create “vanity addresses,” a type of custom crypto wallet address that contains recognizable names or numbers. The popular tool was launched sometime in 2017.

In its report, 1inch explained that the private keys to addresses generated with Profanity could be calculated using brute-force attacks. It claimed the vulnerability may have allowed hackers to “secretly” siphon millions of dollars from Profanity users’ wallets for years.

“1inch contributors are still trying to determine all the vanity addresses which were hacked,” said the outfit, adding:

“It’s not a simple task, but at this point it looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions. One good thing is that proofs of hacks are available on-chain forever.”

Profanity developer: don’t use this tool!

Profanity’s anonymous developer, who goes by the moniker ‘johguse’ on GitHub, said that they “abandoned” the project a few years ago after finding out about “fundamental security issues in the generation of private keys.”

“I strongly advise against using this tool in its current state. The code will not receive any updates and I’ve left it in an uncompilable state. Use something else!” the developer added.

Ethereum uses a combination of public and private keys to generate wallet addresses, which appear as long strings of random alphanumeric characters. Anyone who holds the private key to an address can authorize the transfer of funds from that account to another, proving they own the money.

Vanity addresses, however, are generated somewhat differently. 1inch detailed that Profanity, a popular and “highly efficient” tool, allowed users to generate millions of addresses per second and searched them for the strings of letters and numbers users requested for a bespoke wallet address.

1inch said the method used by Profanity to generate the addresses was not foolproof and that public keys from vanity addresses could be calculated with brute force attacks.

“A few days ago, 1inch contributors achieved proof-of-concept code allowing them to recover private keys from any vanity address generated with Profanity at almost the same time that was required to generate that vanity address,” it explained.

The post 1inch: Severe Vulnerability in Ethereum Vanity Address Tool Risks Millions of Dollars appeared first on BeInCrypto.
