Hackers likely employed a “brute force” attack using a previously exploited weakness related to the vanity address generator Profanity.
Roughly $950,000 worth of crypto has been stolen from an Ethereum “vanity address” generated with a tool called Profanity. The exploit leveraged a similar vulnerability related to the recent $160 million attack on market maker Wintermute.
A “vanity address” is a type of crypto address that conforms to certain parameters laid out by the creator, often representing their brand or name.
Instead of the crypto address being a random, machine-generated string of numbers and letters, a vanity address would be human-generated. It’s for this reason that users on GitHub have indicated these types of addresses are more vulnerable to brute force attacks.
The hacker stole 732 Ethereum on September 25 before transferring the funds straight to the now-sanctioned crypto mixer Tornado Cash, according to the data from PeckShield.
#PeckShieldAlert Seems like $950k worth of crypto has been stolen by 0x9731F from Ethereum “vanity address” generated with a tool called Profanity. The exploiter already transferred ~732 $ETH into Mixer pic.twitter.com/QOZfnE49H4
— PeckShieldAlert (@PeckShieldAlert) September 26, 2022
Though it was GitHub’s users who first unearthed details about the attack, it was then publicized by the decentralized exchange (DEX) aggregator 1Inch Network who told users to “transfer all of your assets to a different wallet ASAP,” sharing a blog on how the exploit is likely to have worked.
In the aftermath of the attacks, the developers behind Profanity have taken steps to ensure that no one continues to use the tool.
Profanity’s code has been left in an uncompilable state by its developers, with the repository being archived. The code is not set to receive any more updates.
Vanity addresses and crypto hacks
Wintermute CEO Evgeny Gaevoy recently admitted on Twitter that the mammoth scale attack on his company “was likely linked to the Profanity-type exploit of our DeFi trading wallet.”
Gaevoy said his company, which provides algorithmic market-making services, used “Profanity and an internal tool to generate addresses with many zeroes in front” but maintained “the reason behind this was gas optimization, not vanity.”
We’ve been hacked for about $160M in our defi operations. Cefi and OTC operations are not affected
— wishful cynic (@EvgenyGaevoy) September 20, 2022
As of yet, no perpetrator has come forward regarding the Wintermute attack or the most recent incident, and no funds have been recovered. The market maker is threatening legal action and has offered a $16 million bounty reward for the return of the funds.
Yesterday’s exploit and Wintermute’s may also just be the tip of the iceberg.
In its blog post, 1Inch suggested that additional exploits have yet to be uncovered, adding that “1inch contributors are still trying to determine all the vanity addresses which were hacked” and that it “looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions.”