Vanity addresses created using the Profanity vanity wallet address generator have suffered yet another hack leading to $966k in losses. The recent exploit follows a previous hack in similar fashion targeting Ethereum vanity addresses, with the Profanity tool as a common denominator.
The hacker moved 732 ETH to Tornado Cash
Leading security entity PeckShield uncovered the exploit through the official Twitter account of its PeckShieldAlert chrome extension. The firm brought the attention of the crypto community to the transfer of approximately 732 ETH (worth $966k against prevailing rates as of press time).
#ПецкСхиелдАлерт Чини се да је 950к0Ф украо криптовалуте у вредности од 9731 долара са Етхереум „испразне адресе“ генерисане помоћу алата под називом Профанити. Експлоататор је већ пренео ~732 $ ЕТХ у миксер пиц.твиттер.цом/КОЗфнЕ49Х4
— ПецкСхиелдАлерт (@ПецкСхиелдАлерт) Септембар 26, 2022
As an attempt to conceal its trail, the wallet address КСНУМКСкКСНУМКСФ involved in the exploit transferred the stolen funds to the OFAC-sanctioned Торнадо Цасх Mixer. The hacker carried out the transfer of the funds to Tornado Cash in successive fashion. The individual has already emptied the wallet as of press time, leaving a balance of 0.05 ETH.
The hack comes shortly after several other vanity addresses generated using Profanity lost over $3 million in an exploit. Last week, reports of a hack leading to the loss of $3.3 million surfaced. The affected addresses appear to have been generated using Profanity.
The profanity tool appears to have a security issue
The exploit from last week followed several calls for caution from decentralized exchange aggregator 1inch, highlighting the vulnerabilities of Profanity. 1inch issued a warning via Twitter, asking investors to transfer their funds in Profanity addresses elsewhere.
According to 1inch, Profanity’s practice of using a 32-bit vector to generate 256-bit seed easily sets it up for an attack. Reports of the hack which surfaced on September 18 came three days after the 1inch warning.
Vanity addresses are typically wallet addresses that contain personalized phrases chosen by the user. Users generate these addresses using a tool such as Vanity-ETH and Profanity. Notwithstanding, it appears Profanity has a vulnerability issue.
One of the developers of the tool саветован people against using it, citing security concerns, as he notes that he has abandoned the project. As previously reported by Coingape, market maker Винтермуте recently suffered a hack. Apparently, the exploit was possible due to a private key compromise resulting from a Profanity vulnerability.
Представљени садржај може садржати лично мишљење аутора и подложан је тржишним условима. Истражите тржиште пре него што инвестирате у крипто валуте. Аутор или публикација не сноси никакву одговорност за ваш лични финансијски губитак.
Source: https://coingape.com/hack-profanity-vanity-addresses/