The road to decentralized finance (DEFI) for many developers, crypto enthusiasts and retail investors is a slippery slope that can be described as a poignant combination of wild possibilities and tragic history.
Nearly two weeks after decentralized exchange (DEX) aggregator, 1inch Network, published a report on the vulnerability in an Ethereum vanity address tool, Profanity, many wallet addresses created via the tool have become fodder for exploiters, as millions of dollars worth of crypto assets have been reportedly stolen.
In a security alert tweeted by Blockchain security firm, Peckshield, a hacker made away with 723 Eth, around $950,000, from a crypto wallet using the same vanity address vulnerability related to a recent attack on the algorithmic market maker, Wintermute, resulting in a staggering loss of $160 million.
After stealing the crypto assets from the wallet, the exploiter transferred the crypto to the sanctioned crypto tumbler Tornado Cash.
Here, it will have been blended with other crypto assets, to mask the origin and recipient of the transaction.
Vanity addresses are randomized, custom-made crypto wallet addresses that are created to begin or end with special characters. However, some of the 1inch contributors noticed Profanity's failure to create the 256-bit private key with enough randomness, resulting in addresses easier to breach through a brute force attack
Due to its high efficiency, many vanity addresses were created through profanity and have become major targets for hackers. Earlier this month, $3.3 million was drained from multiple profanity-based Ethereum addresses.
The Profanity vanity address generator was abandoned by its anonymous creator years ago. To mitigate the risk attributed to the profanity tool, the developer has left the code in an uncompilable state, with the repository archived, ensuring no one continues to use the tool.