1inch team warns about vulnerability in Ethereum vanity address generating tool Profanity

What’s new? On September 15, representatives of decentralized exchange (DEX) aggregator 1inch warned that Ethereum accounts created with the Profanity tool are under threat. Anton Bukov, the founder and CEO of 1inch, reported on Twitter that users’ assets are at risk of loss following a hack or exploit. He urged ETH holders not to use personalized addresses created through the Profanity service. The 1inch team later recommended transferring all assets to another wallet “as soon as possible.”

1inch Blog

⚠️ Attention, Ethereans! Funds are not SAFU! Beware of using vanity addresses generated by the “profanity” tool! Moreover, check the ownership of your deployer wallets of vanity contracts. https://t.co/5D9obk2tP9— Anton Bukov 🦇🔊 ⚖️ (@k06a) September 15, 2022

What is known about the vulnerability? According to a 1inch report, keys to addresses created through Profanity can be calculated by brute force. The company said that the vulnerability may have allowed hackers to “secretly” siphon millions of dollars from the wallets of generator users for years. 1inch developers are working to identify all the hacked wallets.

An anonymous developer of Profanity, registered on GitHub under the pseudonym johguse, reported that the project was “abandoned” several years ago. This happened after the team found out about “fundamental security issues in the generation of private keys.”

Ethereum uses a combination of public and private keys to generate wallet addresses, a long list of random alphanumeric characters. Those with a private key to an address can authorize the transfer of funds from one account to another. Profanity, in turn, allows users not only to create human-readable addresses but also to search through them. Experts at 1inch called Profanity’s address generation method unreliable.

In June, MetaMask and Phantom crypto wallets fixed a critical vulnerability in a browser software extension. The bug, discovered by Halborn back in September 2021, allowed hackers to extract seed phrases from users’ computers.

In September, developer Péter Szilágyi published a report on fixing the vulnerability on the Avalanche network. The problem was discovered on March 29, 2022, and threatened to completely disable the blockchain.