Another wallet address is added to the growing list of wallet addresses that have fallen victim to hacks and attacks in the decentralized finance industry, which as a whole, has lost more than $1.6 billion in 2022.
According to blockchain security company PeckShield, on-chain data from EtherScan confirms an assault using the vanity address generator Profanity, which resulted in the theft of about $950,000 worth of ETH.
On September 25, a hacker took 732 ETH and delivered it straight to Tornado Cash’s cryptocurrency blending service. The service makes it very difficult to track down crypto wallets, which allow for anonymous transactions. The stolen ETH will have been combined with other cryptocurrencies and transferred to the hacker’s personal wallet without a trace.
PeckShieldAlert stated in a Tweet that it “Seems like $950k worth of crypto has been stolen by 0x9731F from Ethereum “vanity address” generated with a tool called Profanity. The exploiter already transferred ~732 $ETH into Mixer”
The hacker in question exploited a recent “vanity” address weakness which was discovered on GitHub in January but only made widely aware by DEX aggregator 1inch Network on September 15. The Decentralized exchange then alerted community members that addresses generated with Profanity were not secure. The DEX urged cryptocurrency owners with vanity addresses to move their holdings forthwith.
The Exploit In Question
Similar to a personalized license plate on a car, a vanity address is a crypto wallet address with a “human readable” address aside from the typical long string of alphanumerical characters. Because these addresses are human-generated rather than a machine-generated random string of letters and numbers, they are more susceptible to brute force attacks, as GitHub users discovered earlier this year.
The exploit in question stems from how Proifaniy generates its addresses. Profanity generates a vanity address for its users by randomly selecting an initial private key out of 4 billion possibilities. According to 1inch Network, this makes the generator unsafe because it seeded 256-bit private keys with a random 32-bit vector.
The Bigger Picture
News of the vanity address hack comes as just last week; hackers stole $160 million from the crypto algorithmic market maker Wintermute. According to a tweet from Wintermute’s CEO Evgeny Gaevoy, the attack targeted the company’s decentralized finance DeFi operations.
A bug in Profanity is also responsible for facilitating the Wintermute hack. In that instance, the attacker took advantage of a Profanity-generated address that had a number of zeros at the beginning of it.