- More funds are being stolen through brute force attacks on Profanity wallets
- 732 ETH has been stolen from wallets created using the abandoned tool
- The creator has warned that the project is not safe
The hack on wallets created using the Profanity address creator has continued, with another 732 ETH stolen. It was thought that the hack had been curtailed when decentralised exchange 1inch exposed the hack, but not everyone has received the message, leaving their funds in compromised wallets and allowing the hackers to take more funds. The developer of the Profanity tool warned users last week that the code hadn’t been updated since being abandoned two years ago, and advised no one to use it in its current form, saying it would be retired but the code would not be patched.
1inch Discovered Profanity Flaw
Profanity is a tool that can be used to create ‘vanity’ Ethereum addresses, with Profanity itself being responsible for the generation of the private key. However, 1inch contributors found earlier this year that Profanity used a random 32-bit vector to seed 256-bit private keys for addresses and suspected it could be prone to brute force attacks. This supposition was backed up in June this year when a 1inch contributor was pointed towards suspicious action within one of the 1inch deployer wallets.
1inch rushed its findings out to the public when it was revealed that $3.3 Million in ETH and NFTs had been stolen from wallets generated with Profanity, which was followed by a $160 million hack on UK-based crypto market maker Wintermute, which was suspected to be linked to the Profanity bug.
732 More ETH Stolen
Now, on-chain data shows that more wallets are being drained, with the funds being sent to Tornado Cash, showing that the mixing service can still be used despite being taken offline. The status of the Profanity tool on Github has been made very clear by its creator, johguse:
I’ve decided to also archive this repository to further reduce risk that someone uses this tool. The code will not recieve [sic] any updates and I’ve left it in an uncompilable state. Use something else!
Hopefully anyone else still using a Profanity-created wallet will get the message and will protect their funds before it’s too late.