Updated on 2022-10-31: One month later, the Profanity vulnerability is still making new victims
More than a month after 1inch Network disclosed a severe vulnerability in Profanity, a tool to generate vanity (customized) Ethereum addresses, cryptocurrency platforms are still getting hacked and losing funds to a vulnerability everyone told them to take seriously.
The latest platform to add its name to the list of Profanity victims is DeFi platform FriesDAO, which confirmed on Friday that it lost $2.3 million worth of cryptocurrency tokens after an attacker took control over one of its smart contracts through “a profanity attack vector.”
Please see our post mortem report of the recent exploit. https://t.co/aBbAB6eYTW
— friesDAO (🍟,🍟) (@friesdao) October 29, 2022
FriesDAO joins the likes of Wintermute (which lost $160 million), QANplatform (lost $2 million), Indexed Finance (lost $3.3 million), and REFI (lost $300,000).
The Profanity tool allows users to generate Ethereum addresses that contain custom text in the public address. The tool was typically used for branding purposes, to generate addresses that contained a person or company’s name, either at the start, middle, or end of the address.
Profanity did this by rotating and computing through millions of private encryption keys until it found one that generated a public Ethereum address of a user’s liking.
The user would then take this public address and use it to store funds or smart contracts and use the private key to authenticate themselves as the owner of that address or smart contract.
Explained in layman terms, the Profanity vulnerability allows a threat actor to reproduce this process and determine the private key of a vanity Ethereum address that was generated in the past through the app.
This entire process is pretty fast and simple, according to reports, and all an attacker has to do is identify vanity addresses on the Ethereum blockchain.
For cryptocurrency platforms, scanning their own infrastructure for vanity addresses should be pretty simple since, well, it’s their own infrastructure, and they should know what exactly they are running. But as new hacks come to light, it’s apparently something that the cryptocurrency community can’t be bothered with these days.
1/ We confirmed that both @paraswap deployer address (0x490ce4616672e93b1c8f5e43aa80312fd73dee8c) and @curve deployer address(0x07a3458ad662fbcdd4fca0b1b37be6a5b1bcd7ac) are vulnerable to the profanity vulnerability. The private keys can be recovered. https://t.co/APRXSt1gJh
— BlockSec (@BlockSecTeam) October 11, 2022
Updated on 2022-09-25: Wintermute hacked, $160 million stolen
The only thing more frequent than a Twitter security incident is a web3 security incident. This week’s heist landed at Wintermute’s door, with $160 million in crypto funds stolen. Per The Record, Wintermute is a “market maker” for cryptocurrency platforms, an organization that holds a large inventory of a particular asset to keep the market liquid by ensuring that traders have someone to buy and sell with. Read more: Cryptocurrency company Wintermute says hackers stole $160 million
We’ve been hacked for about $160M in our defi operations. Cefi and OTC operations are not affected
— wishful cynic (@EvgenyGaevoy) September 20, 2022
Updated on 2022-09-23
A large scale attack on the cryptocurrency trading company Wintermute has meant that an estimated $160 million has slipped into the hands of the adversary. Although it is unclear how the attacker or attackers will proceed, you can see their (very full!) wallet here.
Updated on 2022-09-21: Crypto Trader Wintermute Loses $160M to Hackers
London-based cryptocurrency trader Wintermute has reportedly lost about $162 million of its decentralised finance (DeFi) operations in digital assets to hackers. The company remains solvent. CEO Evgeny Gaevoy tweeted “We’ve been hacked for about $160M in our defi operations. Cefi and OTC operations are not affected”. “We are solvent with over twice that amount in equity left”. Blockchain cybersecurity company Certik has said a that a vulnerability known about since at least January was likely behind the hack. Certik said the hack was due to a leaked or brute-forced private key, and not a smart contract vulnerability, and that hat a vulnerability in the popular Profanity vanity address generator was probably at fault in the hack. Read more
- Report: Crypto Trader Wintermute Loses $160M to Hackers
- Well-known vulnerability in private keys likely exploited in $160M Wintermute hack
Cryptocurrency DeFi platform Wintermute said it was hacked and lost $160 million in a security breach that took place on Tuesday, September 20.
We’ve been hacked for about $160M in our defi operations. Cefi and OTC operations are not affected
— wishful cynic (@EvgenyGaevoy) September 20, 2022
Most of the cryptocurrency security space appears to believe the attacker exploited a recently-disclosed vulnerability in an Ethereum vanity address generator tool to steal funds from Wintermute’s main ETH wallet.
The fallout from profanity vulnerability seems to continue.
In this #Wintermute case, attackers took over a vanity address of a deployer.
While funds were recently removed from address, the deployer still had admin privileges on the contract and attackers used it to drain $160M. https://t.co/596UqN1BTy— Tal Be'ery (@TalBeerySec) September 20, 2022
Wintermute’s CEO said the company remains solvent and said they are still open to the idea of offering a bug bounty payout to the attacker if they return the stolen funds.
We are (still) open to treat this a s a white hat, so if you are the attacker – get in touch
— wishful cynic (@EvgenyGaevoy) September 20, 2022
Wintermute is named after the AI in the cyberpunk novel Neuromancer, written by William Gibson.https://t.co/38ZjuemTOj
— web3 is going just great (@web3isgreat) September 20, 2022
