Sep 19, 2022 Frank Stewskid
Hackers drained $3.3M from addresses associated with Profanity tool, despite a warning from 1Inch
Launched in 2017, Profanity Tool helps users create vanity wallet addresses with numbers that could be recognized, in contrast to conventional addresses. The idea clicked with crypto users, and Profanity Tool became a popular choice.
1Inch identified a potential vulnerability in the tool on September 15th, and advised users not to rely on Profanity Tool anymore:
🚨 RUN, YOU FOOLS 🚨— 1inch Network (@1inch) September 15, 2022
⚠️ Spoiler: Your money is NOT SAFU if your wallet address was generated with the Profanity tool. Transfer all of your assets to a different wallet ASAP!
➡️ Read more: https://t.co/oczK6tlEqG#Ethereum #crypto #vulnerability #1inch
Explaining a possible reason behind the vulnerability, 1Inch linked the loophole to Profanity's use of a random 32-bit vector for seeding 256-bit private keys. Suspecting it as an unsafe approach, the aggregator team also highlighted the possibility of calculating private keys through a brute force attack. 1Inch team got its hands on a proof-of-concept code which helped it access all private keys used for generating wallet addresses on Profanity Tool. A significant chunk of these addresses was fake, establishing that the platform's security had been compromised.
But the damage had already been done, as revealed by crypto sleuth ZachXBT. A whopping $3.3 million equivalent of crypto assets were stolen from the wallet provider's addresses:
Appears $3.3m worth of crypto has been exploited by 0x6ae from this vulnerability.— ZachXBT (@zachxbt) September 17, 2022
Interestingly the Indexed Finance Exploiter was the first address drained by 0x6ae.
0x6AE09AC63487FCf63117A6D6FAFa894473d47b93 https://t.co/gnQHHytI1m pic.twitter.com/5TYccNIpdq
Profanity Tool works by randomly selecting 1 of 4 billion private keys, expanding it to 2 million private keys, deriving public keys from them, and then performing a repeated increment till the desired vanity address is achieved. The tool's anonymous developer, known by the name ‘johguse’ on Github, shared that he abandoned the project a couple of years ago because of critical security issues discovered in private key generation.