Decentralized exchange aggregator 1inch has published a security disclosure report that claims certain Ethereum addresses created via a tool called Profanity suffers from a critical vulnerability.
The Thursday report — based on 1inch's own security research — alleged this vulnerability may have allowed hackers to secretly drain tens of millions of dollars from Profanity users’ wallets over the last few years, though the team did not provide evidence of this claim.
"It’s not a simple task, but at this point it looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions. One good thing is that proofs of hacks are available on-chain forever," 1inch said in its report.
Launched in 2017, Profanity is a tool that allows Ethereum users to generate “vanity addresses,” a type of custom wallets that contain identifiable names or numbers within them.
According to 1inch, the private keys to these Profanity-based addresses could be calculated using brute force attacks. It advised users who generated their addresses with Profanity to transfer out their assets to fresh wallets.
"Your money is NOT SAFU if your wallet address was generated with the Profanity tool. Transfer all of your assets to a different wallet ASAP," 1inch wrote.
Meanwhile, the anonymous developer of Profanity tool who goes by "johguse" on GitHub recognized the security issue was real and warned users to not use Profanity. The person further clarified that the development work on Profanity had already stopped a few years ago.
Ethereum uses public/private keys to enforce ownership of funds. If you have the private key for an address, you can sign a transaction proving you own the funds at that address.
Most addresses are truly randomly-generated containing a string of random characters. Vanity addresses, on the other hand, have to be generated using a special method. In its report, 1inch explained that the Profanity tool created millions of addresses per second and searched for the desired letters or digits that were requested by users as custom wallet addresses.
To come to its conclusion, 1inch claimed that it was able to recompute some of the private keys of Profanity-generated vanity addresses with GPU chips.
"We have proof of concept of recovering a private key from a public key. So you can send us a public key (not address) generated via Profanity and we'll send you back a private one," the team told The Block in a statement.
© 2023 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.