A hacker drained $3.3 million from multiple Ethereum addresses generated with a tool called Profanity, according to on-chain data from Etherscan.
Anonymous security analyst ZachXBT first noticed the exploit, which took place on September 16.
Vanity addresses are ordinary Ethereum addresses whose hex string contains a chosen pattern, such as a recognizable prefix of letters or digits. They are used in the crypto sector primarily to show off, much in the way car drivers pay over the odds for personalized license plates. Generating one means running a tool that produces random key pairs until an address matches the desired pattern; Profanity is one such tool.
Last week, decentralized exchange aggregator 1inch published a security disclosure report claiming that “vanity addresses” generated with Profanity were not secure. Per 1inch, Profanity seeded its key generation with only 32 bits of randomness, so the private key behind any Profanity-generated address could be recovered by brute force: enumerate every possible seed, regenerate the keys, and stop when the result matches the target.
But the security issue highlighted by 1inch could not be fixed in time to prevent an exploit. Development of Profanity stopped a few years ago, according to its anonymous developer, who goes by "johguse."
Even before 1inch's report, johguse had recognized the vulnerability in the tool and warned users against its use. On-chain sleuth ZachXBT reported last Friday that an unknown hacker had apparently exploited this very vulnerability to drain an estimated $3.3 million in crypto assets from various Profanity-generated addresses soon after 1inch's report. The stolen funds moved from victims’ addresses to a new Ethereum address believed to be controlled by the hacker.
The $3.3 million exploit has drawn comments from experts who suspect that malicious hackers may have known about the security issue in advance.
“Seems like the attackers were sitting on this vulnerability, trying to find as many private keys as possible of vulnerable Profanity-generated vanity addresses before the vulnerability gets known. Once publicly exposed by 1inch, the attackers cashed out in a few minutes from multiple vanity addresses,” Tal Be'ery, security lead and chief technology officer at ZenGo, said.
Notably, 1inch had also stated in its report that the vulnerability had previously been used by hackers for potential exploits worth millions of dollars. To support its conclusion, 1inch said it had recomputed the private keys of some Profanity-generated vanity addresses using GPUs.
"We have proof of concept of recovering a private key from a public key. So you can send us a public key (not address) generated via Profanity and we'll send you back a private one," the team told The Block in a statement.
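As an added illustration of why a 32-bit seed is fatal (example code written for this article, not code from 1inch, Profanity or its developer): the toy generator below derives each private key deterministically from a 32-bit seed, with SHA-256 standing in for the real tool's PRNG expansion (an assumption of this example, not Profanity's actual construction). The attacker, holding only the victim's public key, enumerates seeds and regenerates keys until the computed public key matches. This is also why 1inch asks for the public key rather than the address: an Ethereum address is a hash of the public key, so matching needs the full key, which is revealed on-chain as soon as the address signs its first transaction. Pure-Python secp256k1 is slow, so the demo searches only a small window of the seed space; a real attacker covers all 2^32 seeds, which is why GPUs are the natural tool.

```python
import hashlib

# secp256k1 domain parameters (standard public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _scalar_mult(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def pubkey_from_privkey(priv):
    """Uncompressed public key (x, y) = priv * G."""
    return _scalar_mult(priv, G)


def weak_private_key(seed32):
    """Toy model of a generator seeded with only 32 bits of entropy.
    Assumption of this example: the private key is a deterministic function
    of the seed, so whoever guesses the seed owns the key. SHA-256 is a
    stand-in for the PRNG expansion a real tool would use."""
    digest = hashlib.sha256(seed32.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % N or 1


def recover_private_key(target_pub, seed_lo, seed_hi):
    """Brute force: regenerate keys for every seed in [seed_lo, seed_hi) and
    return (seed, private_key) when the public key matches, else None.
    A real attacker runs this over the whole 2**32 seed space on GPUs."""
    for seed in range(seed_lo, seed_hi):
        priv = weak_private_key(seed)
        if pubkey_from_privkey(priv) == target_pub:
            return seed, priv
    return None


def demo(window=64):
    """Constructed scenario: a victim key from the weak generator is recovered
    from its public key alone. The search is confined to a small window
    around the true seed purely to keep the pure-Python demo fast."""
    victim_seed = 0x12345678  # constructed; unknown to the attacker in reality
    victim_priv = weak_private_key(victim_seed)
    victim_pub = pubkey_from_privkey(victim_priv)  # what the chain reveals
    lo = victim_seed - victim_seed % window
    return recover_private_key(victim_pub, lo, lo + window) == (victim_seed, victim_priv)


if __name__ == "__main__":
    print("recovered:", demo())
```

The fix is not a faster search but a larger one: a generator that draws a full 256-bit private key from a cryptographically secure source (for example `secrets.token_bytes(32)` in Python) leaves nothing for the attacker to enumerate.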