Sep 19, 2022 Frank Stewskid

Hackers drained $3.3M from addresses associated with Profanity tool, despite a warning from 1Inch

Despite a prophetic warning from 1Inch DEX aggregator, hackers looted over $3.3 million from Profanity Tool, an Ethereum vanity address generator.

Launched in 2017, Profanity Tool helps users create vanity wallet addresses with numbers that could be recognized, in contrast to conventional addresses. The idea clicked with crypto users, and Profanity Tool became a popular choice.

1Inch identified a potential vulnerability in the tool on September 15th, and advised users not to rely on Profanity Tool anymore:

Explaining a possible reason behind the vulnerability, 1Inch linked the loophole to Profanity's use of a random 32-bit vector for seeding 256-bit private keys. Suspecting it as an unsafe approach, the aggregator team also highlighted the possibility of calculating private keys through a brute force attack. 1Inch team got its hands on a proof-of-concept code which helped it access all private keys used for generating wallet addresses on Profanity Tool. A significant chunk of these addresses was fake, establishing that the platform's security had been compromised.

But the damage had already been done, as revealed by crypto sleuth ZachXBT. A whopping $3.3 million equivalent of crypto assets were stolen from the wallet provider's addresses:

Profanity Tool works by randomly selecting 1 of 4 billion private keys, expanding it to 2 million private keys, deriving public keys from them, and then performing a repeated increment till the desired vanity address is achieved. The tool's anonymous developer, known by the name ‘johguse’ on Github, shared that he abandoned the project a couple of years ago because of critical security issues discovered in private key generation.

Author:

Frank Stewskid

Frank Stewskid

Last updated: Sep 19, 2022

Recent news:

Video Tutorials