- $3.3 million worth of cryptocurrencies were stolen from vanity Ethereum wallets last week
- Anyone using the Profanity tool to generate their addresses was at risk
- Exchange 1inch alerted users and forced the hackers to withdraw funds early
$3.3 million worth of cryptocurrencies have been stolen from users of a vanity Ethereum wallet creator that developers have since said was abandoned years ago. The hacker managed to steal the coins from a number of Ethereum addresses that were generated with the Profanity tool, months after decentralised exchange aggregator 1inch learned about a vulnerability within Profantiy which was putting hundreds millions of dollars at risk.
Profanity Weakness Allowed Brute Force Attacks
The potential for a theft of this size was first mooted by 1inch earlier in 2022, when some of its contributors noticed that Profanity used a random 32-bit vector to seed 256-bit private keys for addresses and suspected it could be unsafe. This supposition was backed up in June this year when a 1inch contributor was pointed towards suspicious action within one of the 1inch deployer wallets.
An investigation led to 1inch realising a few weeks ago that vanity addresses whose private keys had been created through Profanity were at risk through brute force attacks, and indeed some had already been hacked. The exchange posted about this last week, warning that “at this point it looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions.”
Fortunately this doesn’t seem to have been the case, with $3.3 million identified as having been stolen, with quick reactions from 1inch and other crypto community members saving some from losing seven figures worth of crypto and NFTs.
1inch Exposé Forced Hackers’ Hand
A Profanity developer on Github noted on the day of 1inch’s report that the project had been abandoned some time ago and that, as a result, there may well have been vulnerabilities in the code:
This project was abandoned by me a couple of years ago. Fundamental security issues in the generation of private keys have been brought to my attention. I strongly advice against using this tool in its current state. This repository will soon be further updated with additional information regarding this critical issue.
Further conclusions were drawn that the hackers could have been squatting in wallets for some time, trying to get access to as many as possible before withdrawing all at once, but that 1inch’s report forced their hand. This certainly reduced the amount that was stolen.