Decentralized exchange aggregator 1inch claimed on Aug. 15 to have discovered a severe vulnerability in Ethereum vanity address generating tool Profanity. This has the potential to put millions of dollars in user money at risk.
1inch founder and CEO Anton Bukov warned ethereum users in a tweet that “funds are not Safu,” crypto lingo used to express that user funds are at risk of loss following a hack or exploit.
⚠️ Attention, Ethereans! Funds are not SAFU! Beware of using vanity addresses generated by the “profanity” tool! Moreover, check the ownership of your deployer wallets of vanity contracts. https://t.co/5D9obk2tP9
— Anton Bukov 🦇🔊 ⚖️ (@k06a) September 15, 2022
“Transfer all of your assets to a different wallet as soon as possible,” 1inch Network later said in a security report. “If you used Profanity to get a vanity smart contract address, make sure to change the owners of that smart contract.”
Hundreds of millions of dollars at risk
Profanity is a tool that allows Ethereum users to create “vanity addresses,” a type of custom crypto wallets that contain recognizable names or numbers within them. The popular tool was launched sometime in 2017.
In its report, 1inch explained that the private keys to addresses generated on Profanity could be calculated using brute force attacks. It claimed the vulnerability may have allowed hackers to “secretly” siphon millions of dollars from Profanity users’ wallets for years.
“1inch contributors are still trying to determine all the vanity addresses which were hacked,” said the outfit, adding:
“It’s not a simple task, but at this point it looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions. One good thing is that proofs of hacks are available on-chain forever.”
Profanity developer: don’t use this tool!
Profanity anonymous developer, who goes by the moniker ‘johguse’ on Github, said that they “abandoned” the project a few years ago after finding out about “fundamental security issues in the generation of private keys.”
“I strongly advise against using this tool in its current state. The code will not receive any updates and I’ve left it in an uncompilable state. Use something else” the developer added.
Ethereum uses a combination of public and private keys to generate wallet addresses – a long list of random alphanumeric characters. Those that have the private key to an address are able to authorize the transfer of funds from one account to another, proving they own the money.
Vanity addresses, however, are generated somewhat differently. 1inch detailed that Profanity, a popular and “highly efficient” tool, allowed users to create millions of addresses per second and searched for those strings of letters and numbers requested by users for a bespoke wallet address.
1inch said the method used by Profanity to generate the addresses was not foolproof and that public keys from vanity addresses could be calculated with brute force attacks.
“A few days ago, 1inch contributors achieved proof-of-concept code allowing them to recover private keys from any vanity address generated with Profanity at almost the same time that was required to generate that vanity address,” it explained.
>> Related: 4 possible risks of Ethereum Merge