Ethereum’s Vanity Addresses Drained of Over $3M Despite 1inch’s Warning

A hacker managed to steal $3.3 million worth of cryptocurrencies from several Ethereum addresses generated with the “Profanity” tool. The funds were drained even after the decentralized exchange aggregator 1inch warned users about discovering a severe vulnerability putting millions of dollars at risk.

It had previously advised users owning wallet addresses generated with the Profanity tool to transfer their assets to a different wallet.

1inch Security Report

In early 2022, 1inch contributors observed that Profanity used a random 32-bit vector to seed 256-bit private keys and suspected it could be unsafe. Upon further investigation, more suspicious activity was noted, signaling that Profanity wallets were compromised.

“The 1inch contributors checked the richest vanity addresses on popular networks and came to the conclusion that most of them were not created by the Profanity tool. But Profanity is one of the most popular tools due to its high efficiency. Sadly, that could only mean that most of the Profanity wallets were secretly hacked.”

According to 1inch, Profanity happens to be a popular and “highly efficient” tool with which users are able to create millions of addresses per second. However, the procedure used by Profanity to generate the addresses was not flawless either and was susceptible to attacks.

The security disclosure report published by 1inch last week also noted that the vulnerability may have enabled hackers to “secretly” steal millions of dollars from Profanity users’ wallets for years. The contributors are currently trying to determine all the compromised vanity addresses.

Soon after the warning, blockchain investigator ZachXBT notified the attack draining over $3 million in funds. Fortunately, his tweet helped a user save $1.2 million in crypto and NFTs from the hacker who had access to their wallet.

Profanity Devs Abandon Project

According to Tal Be’ery, ZenGo’s security lead and chief technology officer, the malicious entities could have been “sitting” on the vulnerability in an attempt to get their hands on as many private keys as possible of bug-ridden Profanity-generated vanity addresses before the vulnerability was detected. However, they cashed out after it was publicly exposed by 1inch.

Meanwhile, one of the Profanity developers, who goes by the pseudonym ‘johguse’ on Github, said that they have already “abandoned” the project a few years ago. The comment regarding the same read,

“This project was abandoned by me a couple of years ago. Fundamental security issues in the generation of private keys have been brought to my attention. I strongly advise against using this tool in its current state. This repository will soon be further updated with additional information regarding this critical issue.”

The article was first published on: Sep 19, 2022