Ethereum’s Vanity Addresses Drained of Over $3M Despite 1inch’s Warning

Please fol­low and like us:
Pin Share

A hack­er man­aged to steal $3.3 mil­lion worth of cryp­tocur­ren­cies from sev­er­al Ethereum address­es gen­er­at­ed with the “Pro­fan­i­ty” tool. The funds were drained even after the decen­tral­ized exchange aggre­ga­tor 1inch warned users about dis­cov­er­ing a severe vul­ner­a­bil­i­ty putting mil­lions of dol­lars at risk.

It had pre­vi­ous­ly advised users own­ing wal­let address­es gen­er­at­ed with the Pro­fan­i­ty tool to trans­fer their assets to a dif­fer­ent wallet.

1inch Security Report

In ear­ly 2022, 1inch con­trib­u­tors observed that Pro­fan­i­ty used a ran­dom 32-bit vec­tor to seed 256-bit pri­vate keys and sus­pect­ed it could be unsafe. Upon fur­ther inves­ti­ga­tion, more sus­pi­cious activ­i­ty was not­ed, sig­nal­ing that Pro­fan­i­ty wal­lets were compromised.

“The 1inch con­trib­u­tors checked the rich­est van­i­ty address­es on pop­u­lar net­works and came to the con­clu­sion that most of them were not cre­at­ed by the Pro­fan­i­ty tool. But Pro­fan­i­ty is one of the most pop­u­lar tools due to its high effi­cien­cy. Sad­ly, that could only mean that most of the Pro­fan­i­ty wal­lets were secret­ly hacked.”

Accord­ing to 1inch, Pro­fan­i­ty hap­pens to be a pop­u­lar and “high­ly effi­cient” tool with which users are able to cre­ate mil­lions of address­es per sec­ond. How­ev­er, the pro­ce­dure used by Pro­fan­i­ty to gen­er­ate the address­es was not flaw­less either and was sus­cep­ti­ble to attacks.

The secu­ri­ty dis­clo­sure report pub­lished by 1inch last week also not­ed that the vul­ner­a­bil­i­ty may have enabled hack­ers to “secret­ly” steal mil­lions of dol­lars from Pro­fan­i­ty users’ wal­lets for years. The con­trib­u­tors are cur­rent­ly try­ing to deter­mine all the com­pro­mised van­i­ty addresses.

Soon after the warn­ing, blockchain inves­ti­ga­tor ZachXBT noti­fied the attack drain­ing over $3 mil­lion in funds. For­tu­nate­ly, his tweet helped a user save $1.2 mil­lion in cryp­to and NFTs from the hack­er who had access to their wallet.

Profanity Devs Abandon Project

Accord­ing to Tal Be’ery, ZenGo’s secu­ri­ty lead and chief tech­nol­o­gy offi­cer, the mali­cious enti­ties could have been “sit­ting” on the vul­ner­a­bil­i­ty in an attempt to get their hands on as many pri­vate keys as pos­si­ble of bug-rid­den Pro­fan­i­ty-gen­er­at­ed van­i­ty address­es before the vul­ner­a­bil­i­ty was detect­ed. How­ev­er, they cashed out after it was pub­licly exposed by 1inch.

Mean­while, one of the Pro­fan­i­ty devel­op­ers, who goes by the pseu­do­nym ‘joh­guse’ on Github, said that they have already “aban­doned” the project a few years ago. The com­ment regard­ing the same read,

“This project was aban­doned by me a cou­ple of years ago. Fun­da­men­tal secu­ri­ty issues in the gen­er­a­tion of pri­vate keys have been brought to my atten­tion. I strong­ly advise against using this tool in its cur­rent state. This repos­i­to­ry will soon be fur­ther updat­ed with addi­tion­al infor­ma­tion regard­ing this crit­i­cal issue.”

SPECIAL OFFER (Spon­sored)

Binance Free $100 (Exclu­sive): Use this link to reg­is­ter and receive $100 free and 10% off fees on Binance Futures first month (terms).

PrimeXBT Spe­cial Offer: Use this link to reg­is­ter & enter POTATO50 code to receive up to $7,000 on your deposits.



Source link

Please fol­low and like us:
Pin Share

Leave a Reply

Your email address will not be published.