Profanity Hack Continues with Another 732 ETH Drained

By Mark Hunter

Tue Sep 27 2022 09:26:31

More funds are being stolen through brute force attacks on Profanity wallets

732 ETH has been stolen from wallets created using the abandoned tool

The creator has warned that the project is not safe

The hack on wallets created using the Profanity address creator has continued, with another 732 ETH stolen. It was thought that the hack had been curtailed when decentralised exchange 1inch exposed the hack, but not everyone has received the message, leaving their funds in compromised wallets and allowing the hackers to take more funds. The developer of the Profanity tool warned users last week that the code hadn’t been updated since being abandoned two years ago, and advised no one to use it in its current form, saying it would be retired but the code would not be patched.

1inch Discovered Profanity Flaw
Profanity is a tool that can be used to create ‘vanity’ Ethereum addresses, with Profanity itself being responsible for the generation of the private key. However, 1inch contributors found earlier this year that Profanity used a random 32-bit vector to seed 256-bit private keys for addresses and suspected it could be prone to brute force attacks. This supposition was backed up in June this year when a 1inch contributor was pointed towards suspicious action within one of the 1inch deployer wallets.
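Why a 32-bit seed undermines a 256-bit key, as an added illustration that is not code from the article or from Profanity: the key is as long as ever, but only as many distinct keys exist as there are seeds. SHA-256 stands in for the tool's actual generator, and the 12-bit seed width in the demo is scaled down from 32 so the whole space can be listed instantly; both are assumptions of this example.

```python
import hashlib
import secrets

KEY_BITS = 256


def weak_key(seed: int, seed_bits: int = 32) -> bytes:
    """Expand a small seed into a 256-bit key, deterministically.

    SHA-256 is a stand-in for the real generator (assumption of this example).
    Whatever the expansion, the seed alone decides the output.
    """
    if not 0 <= seed < (1 << seed_bits):
        raise ValueError("seed does not fit in seed_bits")
    return hashlib.sha256(seed.to_bytes(8, "big")).digest()


def strong_key() -> bytes:
    """Take all 256 bits from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BITS // 8)


def reachable_keys(seed_bits: int) -> set:
    """Every key the weak generator can ever emit for this seed width."""
    return {weak_key(s, seed_bits) for s in range(1 << seed_bits)}


def effective_bits(key_bits: int, seed_bits: int) -> int:
    """A key is no stronger than the entropy that went into it."""
    return min(key_bits, seed_bits)


if __name__ == "__main__":
    DEMO_SEED_BITS = 12  # scaled down from 32 so the whole space lists instantly
    keys = reachable_keys(DEMO_SEED_BITS)
    sample = weak_key(secrets.randbelow(1 << DEMO_SEED_BITS), DEMO_SEED_BITS)
    print("key length in bits:       ", len(sample) * 8)
    print("distinct keys possible:   ", len(keys))
    print("weak key is in that set:  ", sample in keys)
    print("CSPRNG key is in that set:", strong_key() in keys)
    print("effective strength at a 32-bit seed:", effective_bits(KEY_BITS, 32))
```

Drawing every bit of the key from the operating system's CSPRNG, as `strong_key()` does, is the corrected form.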

1inch rushed its findings out to the public when it was revealed that $3.3 million in ETH and NFTs had been stolen from wallets generated with Profanity, which was followed by a $160 million hack on UK-based crypto market maker Wintermute, which was suspected to be linked to the Profanity bug.

732 More ETH Stolen
Now, on-chain data shows that more wallets are being drained, with the funds being sent to Tornado Cash, showing that the mixing service can still be used despite being taken offline. The status of the Profanity tool on GitHub has been made very clear by its creator, johguse:

I’ve decided to also archive this repository to further reduce risk that someone uses this tool. The code will not recieve [sic] any updates and I’ve left it in an uncompilable state. Use something else!

Hopefully anyone else still using a Profanity-created wallet will get the message and will protect their funds before it’s too late.
