Many features are developed in parallel with the cryptocurrency and blockchain sector. With the aim of customize some options in order to make them easier to use, or in any case less random. A goodwill that makes the success of the project Ethereum Name Service (ENS), especially since the recent transfer The Merge. But playing with these security settings can sometimes be (very) risky. In any case, this is what the developers of the protocol have just discovered. 1inch about the Profanity tool. And it could be that millions of dollars have already been stolen…
Seek to customize Ethereum addresses has something fun, but also very practical. Because it allows you to escape this series of random alphanumeric symbols generated in order to protect your cryptocurrency funds. Still, just the end of that last sentence should make some users more cautious. Because playing with these settings can quickly carry high risks.
Profanity – Vulnerability in vanity addresses
A conclusion that the developers of the DEX aggregator 1inch (1INCH) have just reached following an investigation lasting several months. The latter initiated last January after the fact that the tool Profanity “used a 32-bit random vector to seed 256-bit private keys”. With the objective, the ability to customize – very slightly – Ethereum addresses by making them less random. But while maintaining effective security due to the selection of the latter from several billion starting private keys.
However, according to the first conclusions of the developers of 1inch, it remained “possible to recalculate all personalized addresses by reseing the initial 4 billion vectors”. But this required the use of substantial hardware (thousands of GPUs) and several months of effort. Reason why this problem was later considered non-existent.
However, in June of this year, other clues contradicted this rather positive conclusion. Because suspicious activity has been detected “on one of the 1inch deployment wallets, as well as Synthetix (SNX) and a few other protocols”.
” It was getting really suspicious. Since there were signs that a hack must have taken place, 1inch contributors spent time investigating. And, a few weeks ago, they discovered that a brute force attack of the vanity address could bring back the original 4 billion seeds more efficiently.. »
Vanity addresses – Millions of dollars exposed?
Because one of the main problems of this Profanity tool is its pure and simple abandonment for several years. And, as a result, the total absence of updates since this period. Because its developer, responding to the pseudonym “johguse” on Github, said following this case that the discovery of “fundamental security problems in the generation of private keys had prompted him to throw in the towel at that time. But that hasn’t stopped new users from using this feature. Nor even the elders to find themselves exposed to possible targeted attacks.
” A few days ago, the 1inch contributors involved got some proof-of-concept code that allows them to retrieve the private keys of any custom address generated with Profanity. And this almost at the same time as that required to generate this personalized address. »
The flaw was therefore discovered. And the latter could well have already been exploited for years by malicious actors.. As a consequence, the discreet and unexplained emptying of the funds held on the wallets linked to these compromised private keys. And “tens of millions of dollars in cryptocurrencies (which) could be stolen, or even hundreds of millions”. Reason why the developers of 1inch advise holders of this type of accounts to transfer their cryptocurrency to a secure wallet as quickly as possible.
You want to invest in the cryptocurrency sector without falling into the many traps set for your attention. Start by registering on the FTX platform to get started safely. There will always be time to start elsewhere, once the basics of this digital economy have been fully understood. Furthermore, you get a lifetime discount on your trading fees (commercial link).