Decentralized exchange aggregator 1inch claimed on August 15 to have discovered a serious vulnerability in Profanity, a vanity address generation tool for Ethereum, potentially putting millions of dollars in user funds at risk.
1inch founder and CEO Anton Bukov warned Ethereum users in a tweet that “funds are not SAFU”, crypto slang meaning that user funds are at risk of loss through hacking or exploitation.
“Transfer all your assets to another wallet as soon as possible,” 1inch Network later said in a security report. “If you used Profanity to get a vanity smart contract address, make sure to change the owners of the smart contract.”
Hundreds of millions of dollars at risk
Profanity is a tool that allows Ethereum users to create “vanity addresses”, custom wallet addresses that contain recognizable names or numbers. The popular tool was launched sometime in 2017.
In its report, 1inch explained that the private keys of addresses generated on Profanity could be calculated using brute force attacks. It claimed the vulnerability may have allowed hackers to “secretly” siphon millions of dollars from Profanity users’ wallets for years.
“1inch contributors are still trying to find all the vanity addresses that were hacked,” the outfit said, adding:
“It is not an easy task, but at this point it appears that tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions. One good thing is that proof of hack is available on chain forever.”
Profanity developer: do not use this tool!
Profanity’s anonymous developer, who goes by the moniker ‘johguse’ on GitHub, said they “abandoned” the project a few years ago after learning about “fundamental security issues in private key generation.”
“I strongly advise against using this tool in its current state. The code will not receive any updates and I have left it in an uncompileable state. Use something else!” the developer added.
Ethereum uses a combination of public and private keys to generate wallet addresses – a long list of random alphanumeric characters. Those who have the private key to an address can authorize the transfer of funds from one account to another, proving that they own the money.
However, vanity addresses are generated somewhat differently. 1inch described Profanity as a popular and “highly efficient” tool that lets users create millions of addresses per second while searching for the strings of letters and numbers they requested for a customized wallet address.
1inch said the method used by Profanity to generate the addresses was not foolproof and that public keys from vanity addresses could be calculated with brute force attacks.
“A few days ago, 1inch contributors achieved proof-of-concept code that allowed them to recover private keys from any vanity address generated with Profanity at nearly the same time it took to generate that vanity address,” it explained.
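The defensive lesson from the passage above is that a vanity search is only as strong as the entropy behind each candidate key: a search that walks forward from a small seed can be re-run by anyone who sees the resulting address, while one that draws fresh 256-bit keys cannot. The following is an added example, not code from 1inch or from Profanity; it implements secp256k1 scalar multiplication with no third-party dependencies and, because hashlib has no Keccak-256, uses NIST SHA3-256 as a labelled stand-in, so the addresses it prints will not match real Ethereum ones.

```python
import os
import hashlib

# secp256k1, the curve behind Ethereum keys: field prime, group order, generator
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # a == -b
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def pubkey(priv):
    """priv * G by double-and-add."""
    result, addend = None, G
    while priv:
        if priv & 1:
            result = _add(result, addend)
        addend, priv = _add(addend, addend), priv >> 1
    return result

def address(priv):
    """Last 20 bytes of the hash of the uncompressed public key. hashlib has no
    Keccak-256, so NIST SHA3-256 stands in (assumption); mainnet addresses differ."""
    x, y = pubkey(priv)
    return hashlib.sha3_256(x.to_bytes(32, "big") + y.to_bytes(32, "big")).digest()[12:].hex()

def fresh_key():
    # 256 bits from the OS CSPRNG for every candidate, never a seed plus a counter
    while True:
        k = int.from_bytes(os.urandom(32), "big")
        if 1 <= k < N:
            return k

def vanity_search(prefix, max_tries=100_000):
    """Candidates are independent: the winning address reveals nothing that
    shrinks the 2**256 space an attacker would have to enumerate."""
    for _ in range(max_tries):
        k = fresh_key()
        a = address(k)
        if a.startswith(prefix):
            return k, a
    return None
```

Swapping in a real Keccak-256 (for example pycryptodome's `Crypto.Hash.keccak`) in `address` is the only change needed to produce genuine Ethereum addresses; the key generation itself is already the part that matters.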