Profanity is a tool that is used to generate vanity addresses in Ethereum. What is a vanity address? It's an address that is generated taking into account the personal requirements of the user. This can be compared to how we choose an “attractive” phone number when buying a SIM card. That is, the address that is generated using Profanity has personalized properties. At the same time, in theory, this address still complies with security standards.
Profanity is an open source tool that you can find on Github. For the most part, Profanity code is written in C++. It is also noted on Github that the developer has abandoned his creation.
How does Profanity work? There are several steps in the operation of this tool (data from the 1inch Network blog):
- Randomly select 1 of 4 bln seed private keys.
- Expand it deterministically to 2 mln private keys.
- Derive public keys from these private keys.
- Repeatedly increment them until they reach the desired vanity address.
What happened to Profanity and why should you change your addresses if they were generated using Profanity? At the beginning of the year “some of the 1inch contributors noticed that Profanity used a random 32-bit vector to seed 256-bit private keys and suspected it could be unsafe.”
At first, the 1inch participants planned “to recompute all the vanity addresses by reseeding all 4 bln initial vectors.” It would be long, it would require a lot of computing power. Also, at first, it was believed that “8+ character vanity addresses were quite safe.”
But, problems began to appear in June. One of the 1inch participants received “a strange message” from @samczsun – researcher from Paradigm (a crypto/Web3 investment firm). The message described “suspicious activity of one of the 1inch deployer wallets, as well as Synthetix’ and some others.”
Suspicious activity was also reported by users on Twitter.
It shows clearly 3 transactions
— YettyWapp 🦇🔊 (💙,🧡) (@YettyWapp) June 16, 2022
1. claim airdrop
2. transfer to 0xee9bd0e71681ee6e9aa9f1ba46d2d1149f7bd054
3. Dump⁰ for ETH
- Initiated by deployer wallet
- Claim, transfer and dump are initiated by EOA
The 1inch team checked the richest vanity addresses and found that these addresses were most likely covertly hacked.
“The 1inch contributors checked the richest vanity addresses on popular networks and came to the conclusion that most of them were not created by the Profanity tool. But Profanity is one of the most popular tools due to its high efficiency. Sadly, that could only mean that most of the Profanity wallets were secretly hacked.”
The problem now is to figure out the hacked addresses. According to 1inch, “it’s not a simple task, but at this point it looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions.”
We recently wrote that Wintermute lost $160M during a hacker attack. In addition to internal tools, they used Profanity to generate addresses too.
In addition to the losses of Wintermute, according to Twitter user @zachxbt, another $3.3m in crypto are drained from various wallets.
Appears $3.3m worth of crypto has been exploited by 0x6ae from this vulnerability.
— ZachXBT (@zachxbt) September 17, 2022
Interestingly the Indexed Finance Exploiter was the first address drained by 0x6ae.
Attackers address:
0x6AE09AC63487FCf63117A6D6FAFa894473d47b93 https://t.co/gnQHHytI1m pic.twitter.com/5TYccNIpdq
We, like 1inch, advise our dear readers to transfer your assets from the addresses that were generated using Profanity. Also, it is worth changing the owners of a smart contract if its address was created using Profanity. And we continue to observe.
