
Profanity Tool Vulnerability Leads to Crypto Loss of $3.3 Million

The hackers have allegedly stolen crypto worth $3.3 million from Profanity despite the warning from 1inch Network about the lack of safety protocols on Profanity.

Published September 19, 2022

The Ethereum (ETH) vanity address generating tool, Profanity, has been hit by a cyberattack. Decentralized exchange aggregator 1inch Network reported the vulnerability and issued a warning to users involved in buying and selling crypto on the tool. The hackers have allegedly stolen crypto worth $3.3 million from Profanity despite the warning from 1inch Network, and the company, along with several industry experts, is now investigating the case.

On September 15, 2022, 1inch Network revealed the lack of safety protocols on Profanity via a Medium blog post. According to the exchange aggregator, Profanity uses a random 32-bit vector to seed 256-bit private keys, and its ambiguity in creating vanity addresses might lead hackers to users’ wallet accounts.

ZachXBT Tweets about Profanity tool vulnerability

After the 1inch Network warnings, blockchain investigator ZachXBT tweeted about the vulnerability and the funds stolen from Profanity. In the Tweet, ZachXBT reported, “Appears $3.3m worth of crypto has been exploited by 0x6ae from this vulnerability.” The Tweet also mentioned the attacker’s address, and 1inch replied to the Tweet stating, “RUN, YOU FOOLS, Spoiler: Your money is NOT SAFU if your wallet address was generated with the Profanity tool. Transfer all of your assets to a different wallet ASAP!”

However, despite all the losses, ZachXBT posted another Tweet mentioning that the attackers didn’t fully drain one of the wallets they interacted with while hacking into Profanity. The blockchain investigator shared that their report about the Profanity vulnerability helped an account holder save 1.2m+ worth of crypto & NFTs.

1inch explains the Profanity tool vulnerability

A 1inch contributor noticed the vulnerability in Profanity in early 2022, when the company was using a random 32-bit vector to seed 256-bit private keys. The users suspected that it could lead to hackers getting access to the personal accounts of Profanity users.

The first encounter that led to the overall depletion of $3.3M worth of crypto and NFTs started in June 2022, when a contributor received a message from @samczsun. The message pointed to suspicious activity involving one of the 1inch deployer wallets, as well as Synthetix and others.

After investigating a potential scam, 1inch contributors realized that a vanity address brute force could be reversed back to the original 4 billion seeds more efficiently. This involves getting a public key from a vanity address, expanding it to 2 million public keys, and decrementing them until they reach the seed public key.
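The seeding weakness described above, shown as an added example that is not code from this article, 1inch, or Profanity: a key generator fed by a small seed can only ever emit as many keys as there are seeds, however wide the key is, while a generator drawing all 256 bits from the OS CSPRNG has no such limit. Assumptions: SHA-256 stands in for the tool's seed expansion, the seed is scaled down to 16 bits so the check runs in well under a second, and all function names are hypothetical.

```python
import hashlib
import secrets

# Order of the secp256k1 group; valid Ethereum private keys lie in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
DEMO_SEED_BITS = 16  # constructed: scaled down from the 32 bits in the report


def weak_keygen(seed: int) -> int:
    """Vulnerable pattern: a 256-bit key derived only from a small seed."""
    # Assumption: SHA-256 stands in for the tool's actual seed expansion.
    digest = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1


def hardened_keygen() -> int:
    """Corrected pattern: all 256 bits come from the OS CSPRNG."""
    return secrets.randbelow(N - 1) + 1


def reachable_keys(seed_bits: int) -> set:
    """Every key the weak generator can ever output for a given seed width."""
    return {weak_keygen(s) for s in range(1 << seed_bits)}


def keyspace_report(seed_bits: int) -> dict:
    """Measure the real keyspace behind a nominally 256-bit key."""
    keys = reachable_keys(seed_bits)
    random_seed = secrets.randbelow(1 << seed_bits)
    return {
        "nominal_bits": 256,
        "distinct_keys": len(keys),
        "effective_bits": (len(keys) - 1).bit_length(),
        # Any key the weak generator produces is in the enumerable set.
        "weak_key_covered": weak_keygen(random_seed) in keys,
        # A CSPRNG key lands in that set only with negligible probability.
        "hardened_key_covered": hardened_keygen() in keys,
    }


if __name__ == "__main__":
    print(keyspace_report(DEMO_SEED_BITS))
```

The same reasoning at the reported 32-bit seed width gives the roughly 4 billion candidate keys mentioned above, which is why the advice quoted earlier is to move assets to a wallet whose key was generated from a full-entropy source.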

1inch concludes that Profanity is one of the most popular tools on the market and, given its high efficiency, this could mean that “most of the Profanity wallets were hacked secretly.” However, the company claims that despite the stolen funds, the hacker’s wallet address and proofs are available on-chain and can be used to track the defaulters who stole the funds.

Written By
Ashish Khaitan

Ashish is a technical writer at The Cyber Express. He adores writing about the latest technologies and covering the latest cybersecurity events. In his free time, he likes to play horror and open-world video games.
