Hackers used a “brute force attack” to exploit a weakness in the vanity address generator Profanity. Approximately $950,000 in crypto was stolen from an Ethereum “vanity address” that had been generated with Profanity. This exploit was similar to the recent $160,000,000 attack on Wintermute.
A “vanity address” refers to a crypto address that meets certain criteria set by its creator. It is often used to represent a brand or a name.
A vanity address is a username-based wallet address created by the wallet owner.
A vanity address is human-chosen: instead of being a random, machine-generated string of numbers and letters, part of the address matches a pattern the owner picked. Users have stated that vanity addresses are more susceptible to brute force attacks.
According to PeckShield, the hacker took 732 ETH on September 25, before transferring the funds to the now-sanctioned cryptocurrency mixer Tornado Cash.
GitHub users were the first to uncover the details of the attack; 1inch Network then publicized it, telling users to “transfer your assets to a new wallet ASAP” and sharing a blog post about how the exploit may have worked.
The developers of Profanity took steps to discourage anyone from using the tool after the attacks.
Profanity’s source code has been archived by its developers, and it will not receive any further updates.
Evgeny Gaevoy, Wintermute CEO, recently acknowledged on Twitter that the massive attack on his company was “likely linked to the Profanity type exploit of our DeFi trading platform.”
Gaevoy claimed that his company, which offers algorithmic market-making, used “Profanity” and “an internal tool to generate addresses without zeroes in front”, but maintained that “the reason for this was gas optimization, rather than vanity.”
No one has yet come forward with information about the Wintermute attack or the latest incident, and no funds have been recovered. The market maker has threatened legal action and offered a $16 million bounty for the return of the funds.
Yesterday’s exploits and Wintermute’s may be just the tip of the iceberg.
1inch wrote in its blog post that more exploits have yet to be discovered. It said that 1inch contributors are still trying “to determine all the vanity address which were hacked”, and that it “looks as tens to millions of dollars worth of cryptocurrency could be stolen, or even hundreds of millions.”