On September 15, 1inch claimed to have discovered a critical vulnerability in Ethereum vanity addresses, one that could put millions of dollars of users’ funds at risk.
1inch founder and CEO Anton Bukov has warned Ethereum users about the risk of loss following a hack or exploit.
⚠️ Attention, Ethereans! Funds are not SAFU! Beware of using vanity addresses generated by the “profanity” tool! Moreover, check the ownership of your deployer wallets of vanity contracts. https://t.co/5D9obk2tP9
— Anton Bukov 🦇🔊 ⚖️ (@k06a) September 15, 2022
“Transfer all of your assets to a different wallet as soon as possible. If you used Profanity to get a vanity smart contract address, make sure to change the owners of that smart contract,” 1inch Network later said in a security report.
Hundreds of millions of dollars at risk
Profanity is a tool launched in 2017 that allows Ethereum users to create vanity addresses: custom cryptocurrency wallet addresses that contain recognizable names or numbers.
1inch explains that the private keys of addresses generated with Profanity can be calculated using brute-force attacks. The vulnerability could allow hackers to steal millions of dollars from users’ wallets for years.
“1inch contributors are still trying to determine all the vanity addresses which were hacked. It’s not a simple task, but at this point it looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions. One good thing is that proofs of hacks are available on-chain forever.”
Developer cautions against using Profanity tool
The anonymous Profanity developer, ‘johguse’, left the project a few years ago after discovering basic security issues in the private key generation process.
“I strongly advise against using this tool in its current state. The code will not receive any updates and I’ve left it in an uncompilable state. Use something else!” the developer added.
Ethereum uses a combination of public and private keys to generate wallet addresses. Whoever holds the private key to an address can authorize the transfer of funds from that account to another, which is how ownership of funds is verified.
However, vanity addresses are created differently. Profanity allows users to generate millions of addresses per second to meet their requirements.
Because Profanity works by creating a series of wallets and filtering them for the letters the user wants, 1inch said the process can be emulated on GPU chips to retrieve the private keys of Profanity wallets.