Key Takeaways:
- Investigations by 1Inch revealed the complexity in vanity address construction, which suggested profanity wallets may have been discreetly compromised.
- By seeding 256-bit private keys with a random 32-bit vector on September 15, 1Inch exposed the lack of security in the use of profanity.
One Inch Network, a decentralized exchange aggregator, has issued a warning to cryptocurrency investors after discovering flaws in Profanity, its Ethereum (ETH) vanity address generator. Despite repeated warnings, the hacker appears to have stolen $3.3 million in cryptocurrencies from him.
On September 15, 1Inch highlighted the lack of security in employing Profanity by seeding 256-bit private keys using a random 32-bit vector. Further analysis revealed ambiguity in vanity address construction, implying that Profanity wallets were secretly hijacked.
Initially, the 1inch contributors believed that reseeding all four bln starting vectors would allow them to recompute all of the vanity addresses. Recalculating all of the 6-7 character vanity addresses would have required hundreds of GPUs and months of time.
However, hackers typically target larger wallets before moving on to smaller wallets. 1Inch has encouraged users using wallet addresses produced by the Profanity program to “Transfer all of your assets to a new wallet ASAP!”
Following an examination by blockchain investigator ZachXBT, it was discovered that a successful exploit of the vulnerability allowed hackers to steal $3.3 million in cryptocurrency.
As there were indications that a hack had occurred, 1inch contributors spent some time exploring and realized a few weeks ago that vanity address brute force could be switched back to the original 4 billion seeds in a more efficient manner:
- Obtain a public key using a vanity address (recover from the transaction signature).
- Deterministically expand it to 2 million public keys.
- Decrement them continuously until they achieve the seed public key.
According to a blog post published by 1inch, contributors investigated the richest vanity addresses on social networks and discovered that the majority of them were not generated via the Profanity tool.
However, because of its high efficiency, profanity is one of the most popular tools. Unfortunately, this may only suggest that the majority of Profanity wallets were discreetly hacked.
The 1inch contributors are still working to identify all of the compromised vanity addresses in the meanwhile. Although it’s not an easy operation, it appears that tens of millions of dollars—if not hundreds of millions—in bitcoin might be taken. The fact that hack proofs are always accessible on-chain is a plus.
Another bizarre scam emerged earlier this year, TheOriginalAce, a Twitter user, tweeted that his YouTube account, Legobuilder9000, had been compromised on April 21.
He claimed that the hacker renamed the channel “Tesla” and streamed some cryptocurrency fraud for roughly six hours.
It’s interesting that he said he was able to restore the account and reverse all changes made by the hacker to his YouTube channel.
Unfortunately, he received a message from YouTube informing him that his YouTube channel had been permanently suspended as soon as he had recovered and changed everything back to normal.
