1inch discovers severe vulnerability in Ethereum vanity address tool, funds not safe.
1inch, a decentralized exchange aggregator, claims to have discovered a severe vulnerability in the Ethereum vanity address generating tool Profanity. This may put millions of dollars in user money at risk of a hack or exploit.
Anton Bukov, the CEO and founder of 1inch, tweeted a warning that funds are not safe. He urged users to beware of using vanity addresses generated by the Profanity tool. Bukov also advised users to check the ownership of the deployer wallets of their vanity contracts.
The 1inch blog post explained that addresses usually look randomized, but the more addresses one generates, the higher the chances of finding any given prefix, suffix, or middle part. There are tools available that allow users to generate millions of addresses per second; one such tool is Profanity. Earlier in the year, some users noticed that Profanity used a random 32-bit vector to seed 256-bit private keys and suspected that it could be unsafe. Profanity works by randomly selecting 1 of 4 billion seed private keys, expanding it deterministically to 2 million private keys, deriving public keys from the private keys, and repeatedly incrementing them until they reach the desired vanity address.
Initially, users thought it was possible to recompute all the vanity addresses by reseeding all 4 billion initial vectors. They said it would have required thousands of GPUs and months of time to recalculate all the 6- to 7-character vanity addresses. 1inch said private keys to addresses generated on Profanity could be calculated using brute force attacks. It added that the vulnerability may have allowed hackers to secretly siphon millions of dollars from Profanity users’ wallets for years.
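The seeding weakness described above, shown beside a hardened form, as an added example that is not code from Profanity or 1inch. Python's `random.Random` stands in as the deterministic expander (an assumption; the article does not name the generator), and the seed width is reduced to 12 bits so the count finishes instantly.

```python
import random
import secrets

KEY_BYTES = 32  # 256-bit private key, as in the article


def weak_key(seed: int) -> bytes:
    """Weak pattern: a 256-bit key fully determined by a small seed.

    random.Random is a stand-in deterministic expander (assumption),
    not the generator Profanity uses.
    """
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def strong_key() -> bytes:
    """Hardened pattern: all 256 bits come from the OS CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def effective_bits(seed_bits: int, key_bits: int = KEY_BYTES * 8) -> int:
    """Upper bound on key entropy.

    Deterministic expansion and incrementing add no entropy, so the key
    can never carry more bits than the seed that produced it.
    """
    return min(seed_bits, key_bits)


def distinct_keys(seed_bits: int) -> int:
    """Count every key the weak generator can emit for a seed width.

    Only practical for small widths; used here with a constructed
    12-bit seed space to make the bound visible.
    """
    return len({weak_key(seed) for seed in range(2 ** seed_bits)})


if __name__ == "__main__":
    demo_bits = 12  # constructed, reduced seed width for the demo
    print("keys reachable from a", demo_bits, "bit seed:", distinct_keys(demo_bits))
    print("same seed, same key:", weak_key(7) == weak_key(7))
    print("entropy bound, 32-bit seed:", effective_bits(32), "bits")
    print("entropy bound, CSPRNG key:", effective_bits(256), "bits")
    print("sample CSPRNG key:", strong_key().hex())
```

The output is 256 bits wide in both cases, which is why such keys look random; only the number of reachable keys differs.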