Hackers Drain Over $3 Million From Ethereum “Vanity” Addresses

Ethereum addresses generated by an abandoned Ethereum vanity tool have been stripped of over $3 million in assets by exploiters.

The tool – called “Profanity” – used an insecure method for generating public keys, from which users’ private keys could be extracted. 

Unsafe Keys

The popular decentralized exchange aggregator 1Inch first noted the vulnerability on Thursday, just hours before it started being exploited. 

“Run, you fools,” tweeted 1Inch. “Your money is NOT SAFU if your wallet address was generated with the Profanity tool. Transfer all of your assets to a different wallet ASAP!”

Profanity lets users generate vanity addresses – blockchain addresses with identifiable information baked into them. They are usually used in crypto by people who want to show off their net worth and who do not care about privacy.

All blockchain addresses (aka public keys) are derived from a given seed (aka private key). Whereas a public key lets a user receive cryptocurrency from another person, only the associated private key can grant someone access to the assets parked at a specific address.

Whereas a private key can be used to produce or verify its associated public key, cryptography ensures that the reverse is impossible: the private key cannot be deduced from the public key.

However, as 1Inch explained in a blog post, the same cannot be said for Profanity-produced addresses. Instead, the DEX aggregator discovered last week that such addresses could be deconstructed back into their private key using “brute force” calculations. 

The Consequences

On-chain data shows that a hacker drained multiple addresses generated by the tool of hundreds of ETH at a time on Thursday. ZachXBT on Twitter reported that over $3.3 million had already been drained by Friday. 

1Inch said that according to its research, the highest net worth vanity addresses on Ethereum do not appear to be created through Profanity. Furthermore, the “Eradicate” tool from the same creator does not seem to possess the same vulnerability. 

The anonymous creator – johguse – hasn’t worked on Profanity for years, having previously cited a similar vulnerability. 

“Fundamental security issues in the generation of private keys have been brought to my attention,” he wrote on its GitHub page. “I strongly advise against using this tool in its current state.”

In August, a widespread private key exploit allowed a hacker to steal over $8 million from more than 8,000 addresses linked to Solana’s Slope wallet. The wallet contained a centralizing security vulnerability that allowed anybody with access to its Sentry server to steal thousands of users’ seeds.

Andrew Throuvalas