Hacker stole $3.3 million from Ethereum 'vanity addresses' created with the Profanity tool

A hacker drained $3.3 million from multiple Ethereum addresses generated with a tool called Profanity, according to on-chain data from Etherscan.

Anonymous security analyst ZachXBT first spotted the exploit, which took place on September 16.

Vanity addresses are a type of custom wallet that contain identifiable names or numbers within them. They are used in the crypto sector primarily to show off, much in the way car drivers pay over the odds for expensive license plates. These addresses can be created using certain tools, one of them being Profanity.

Last week, decentralized exchange aggregator 1inch published a security disclosure report claiming that “vanity addresses” generated with Profanity were not secure. Per 1inch, the private keys linked to Profanity-generated addresses could be extracted with brute-force calculations.

But the security issue highlighted by 1inch could not be fixed in time to prevent an exploit. Development work on Profanity stopped a few years ago, according to its anonymous developer who goes by “johguse.”

Even before 1inch’s report, johguse had recognized the vulnerability in the tool and warned users against its use. In a subsequent investigation, on-chain sleuth ZachXBT last Friday claimed an unknown hacker had seemingly exploited the very same vulnerability to drain an estimated $3.3 million in crypto assets from various Profanity-based addresses soon after the report by 1inch. The stolen funds moved from victims’ addresses to a new Ethereum address believed to be controlled by the hacker.

The $3.3 million exploit has drawn comments from experts who suspect that malicious hackers may have known about the security issue in advance. 

“Seems like the attackers were sitting on this vulnerability, trying to find as many private keys as possible of vulnerable Profanity-generated vanity addresses before the vulnerability gets known. Once publicly exposed by 1inch, the attackers cashed out in a few minutes from multiple vanity addresses,” said Tal Be’ery, security lead and chief technology officer at ZenGo.

Notably, 1inch had also stated in its report that the vulnerability had previously been used by hackers for potential exploits worth millions of dollars. To come to its conclusion, 1inch claimed that it was able to recompute some of the private keys of Profanity’s vanity addresses with GPU chips. 

“We have proof of concept of recovering a private key from a public key. So you can send us a public key (not address) generated via Profanity and we’ll send you back a private one,” the team told The Block in a statement.

© 2022 The Block Crypto, Inc. All rights reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Source: https://www.theblock.co/post/170971/hacker-stole-3-3-million-from-ethereum-vanity-addresses-created-with-profanity-tool?utm_source=rss&utm_medium=rss