Almost $1M in crypto stolen from vanity address exploit

Published at: Sept. 26, 2022

Hacks and exploits continue to plague the decentralized finance (DeFi) sector as another vanity wallet address joins the roster of DeFi victims that collectively lost more than $1.6 billion in 2022.

According to an alert published by blockchain security firm PeckShield, a hacker stole 732 Ether (ETH), around $950,000, from an address created with the Ethereum vanity wallet address generator called Profanity. After draining the wallet, the exploiter sent the crypto to the recently sanctioned crypto mixer Tornado Cash.

#PeckShieldAlert Seems like $950k worth of crypto has been stolen by 0x9731F from Ethereum “vanity address” generated with a tool called Profanity. The exploiter already transferred ~732 $ETH into Mixer pic.twitter.com/QOZfnE49H4

— PeckShieldAlert (@PeckShieldAlert) September 26, 2022

Vanity addresses are customized crypto wallet addresses that are generated to include words or specific characters chosen by the owner. However, as recent exploits have shown, the safety of vanity addresses remains questionable.

Earlier in September, decentralized exchange (DEX) 1inch Network warned community members that their addresses were not safe if they were generated using Profanity. The DEX urged crypto holders with vanity addresses to transfer their assets immediately. According to 1inch, the vanity address generator used a random 32-bit vector to seed 256-bit private keys, which leaves those keys unsafe.
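Why a 32-bit seed undermines a 256-bit key, as an added example that is not from the article or from Profanity's source. Python's `random.Random` stands in for the tool's generator, and the function names and the reduced 12-bit seed width used for counting are assumptions made for illustration.

```python
import random
import secrets

# Order of the secp256k1 group: a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def weak_private_key(seed: int) -> int:
    """Weak pattern: a 256-bit key stretched from a small seed.

    random.Random is a stand-in PRNG (assumption), not Profanity's code.
    The key looks 256 bits wide but is a pure function of the seed.
    """
    rng = random.Random(seed)
    return rng.getrandbits(256) % (SECP256K1_N - 1) + 1


def strong_private_key() -> int:
    """Hardened pattern: every bit of the key comes from the OS CSPRNG."""
    return secrets.randbelow(SECP256K1_N - 1) + 1


def distinct_keys(seed_bits: int) -> int:
    """Count every key the weak generator can ever emit for a seed width.

    Only practical for small widths; used here to show the ceiling.
    """
    return len({weak_private_key(s) for s in range(1 << seed_bits)})


def keyspace_report(seed_bits: int, key_bits: int = 256) -> dict:
    """Compare the nominal key size with the entropy the seed really supplies."""
    return {
        "nominal_bits": key_bits,
        "effective_bits": min(seed_bits, key_bits),
        "possible_keys": 1 << min(seed_bits, key_bits),
        "lost_bits": max(key_bits - seed_bits, 0),
    }


if __name__ == "__main__":
    # Same seed, same key: the output carries no more entropy than the seed.
    print(weak_private_key(7) == weak_private_key(7))
    # A 12-bit seed can only ever produce 2**12 keys.
    print(distinct_keys(12))
    # The case 1inch described: 32-bit seed, 256-bit key.
    print(keyspace_report(32))
```

A wallet tool should be reviewed for the `strong_private_key` pattern: key material drawn directly from the operating system's CSPRNG, with no narrower seed in between.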

Following the DEX's warnings, ZachXBT, a blockchain investigator, announced that an exploit of the vulnerability in Profanity had already allowed some hackers to get away with $3.3 million worth of digital assets.

On Sept. 20, a United Kingdom-based crypto market maker suffered an exploit that led to $160 million in losses. According to researcher Ajay Dhingra, the exploit may be due to the compromise of the firm's hot wallet and the manipulation of a bug in the smart contract. Evgeny Gaevoy, the firm's founder and CEO, called on the attackers to get in touch, saying the firm is open to treating the exploit as a white hat hack.
