Barely a week after the Wintermute hack, $950,000 in Ether (ETH) has been stolen from a crypto wallet through a “vanity address” exploit, according to reports on September 26, 2022.
Profanity-Generated Vanity Addresses Under Attack
On September 26, PeckShield, a blockchain security firm, tweeted that a hacker stole $950,000 worth of Ether (ETH) from a cryptocurrency wallet. The hack bore many similarities to the $160 million breach of Wintermute the week before.
PeckShield says the hacker stole 732 ETH from a cryptocurrency wallet on September 25 and mixed it with other crypto funds using the sanctioned crypto-mixing service Tornado Cash. The funds were then transferred to the bad actor’s own crypto wallet.
Experts have said that the latest heist succeeded because of a weakness in the vanity address generator, which was first discovered on GitHub in January 2022. The vulnerability became widely known in September, when the decentralized exchange aggregator 1inch found fundamental security issues with the Profanity tool.
For the uninitiated, Profanity is a vanity wallet address generator. While most Ethereum wallet addresses are generated at random, a vanity address is generated so that it contains a chosen string, such as someone’s name, somewhere within the address.
According to 1inch, many vanity addresses generated by the Profanity tool are at risk of this exploit, which requires a brute-force attack. Although executing such an attack requires a large amount of computing power, attackers would still find it a rewarding exercise if the wallet holds a large amount of crypto.
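A practical first step for anyone holding funds in an Ethereum address is to work out whether that address has the non-random look of a vanity address at all, since those are the ones worth moving funds out of while the risk is assessed. The script below is an added example written for this article, not code from 1inch, PeckShield or the Profanity project; the thresholds are an assumption (a pattern is flagged when a random address would show it with probability well below one in ten thousand), and the three sample addresses are constructed for the example rather than real wallets.

```python
import re

# Constructed sample addresses for the example (not real wallets).
SAMPLE_ADDRESSES = [
    "0x0000000000a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5",  # leading-zero style
    "0xdeaddeaddead1234567890abcdef1234567890ab",  # repeated-word prefix
    "0x7f3c9a2e1b4d6f8a0c2e4b6d8f1a3c5e7b9d0f2a",  # random-looking
]

# 20-byte hex address with 0x prefix (checksum case is ignored here).
HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def vanity_signals(address: str) -> dict:
    """Return heuristic signals that an address was chosen rather than random.

    leading_zero_nibbles: how many hex digits at the start are '0'
    max_run:              longest run of one repeated hex digit anywhere
    repeated_prefix:      first four hex digits immediately repeated (e.g. deaddead)
    p_random_leading:     chance a random address has at least this many leading zeros
    """
    if not HEX_ADDR.match(address):
        raise ValueError("not a 20-byte hex address")
    body = address[2:].lower()
    leading_zeros = len(body) - len(body.lstrip("0"))
    # Each nibble is uniform over 16 values for a randomly generated key,
    # so k leading zeros occur with probability 16^-k.
    p_random_leading = 16.0 ** (-leading_zeros)
    max_run = max(len(m.group(0)) for m in re.finditer(r"(.)\1*", body))
    repeated_prefix = body[:4] == body[4:8]
    return {
        "leading_zero_nibbles": leading_zeros,
        "max_run": max_run,
        "repeated_prefix": repeated_prefix,
        "p_random_leading": p_random_leading,
    }


def looks_vanity(address: str, min_leading_zeros: int = 4, min_run: int = 5) -> bool:
    """Assumed thresholds: 4 leading zeros (p = 16^-4 ~ 1.5e-5), a run of 5
    identical digits, or a repeated 4-digit prefix (p ~ 1.5e-5) all flag."""
    s = vanity_signals(address)
    return (
        s["leading_zero_nibbles"] >= min_leading_zeros
        or s["max_run"] >= min_run
        or s["repeated_prefix"]
    )


def triage(addresses: list) -> dict:
    """Map each address to True if it should be reviewed as a possible vanity address."""
    return {addr: looks_vanity(addr) for addr in addresses}


if __name__ == "__main__":
    for addr, flagged in triage(SAMPLE_ADDRESSES).items():
        print(f"{addr}  review={'yes' if flagged else 'no'}  {vanity_signals(addr)}")
```

The heuristic only says an address looks chosen; it cannot tell which tool produced it. An address that is flagged here and was generated with Profanity, or with any tool whose provenance is unknown, is the kind this article describes as at risk, and the defensive response is to move the funds to a freshly generated address.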
Crypto and DeFi Heists Continue
Security breaches and hacks have become rampant in the crypto sector, with DeFi protocols taking the biggest hit so far. A week ago, hackers stole $160 million from the crypto market maker Wintermute. It was later revealed that the hack was made possible because one of Wintermute’s addresses had the properties of a vanity address, which could be the root of the vulnerability.
The problem appears to be getting worse. According to reports, over $1.9 billion in crypto had been stolen in hacks as of July 2022, significantly more than the $1.2 billion stolen over the same period in 2021.
Ethereum Devs Float the “Undo Button” Proposal
The increasing frequency of crypto hacks in 2022 has led a group of researchers to formulate a fresh proposal for two new Ethereum token standards: ERC20R and ERC721R. The proposed standards are extensions of the existing ERC20 and ERC721 and would add the ability to reverse malicious transactions.
The proposed token standards would combine a token contract with a governance contract, the latter controlled by a decentralized judiciary system. According to the proposal, users who are victims of a hack could submit a freeze request to the governance smart contract along with supporting evidence.
The freeze request will then be tendered to a panel of decentralized judges, who will then vote to decide if there is substantial evidence to freeze the funds or otherwise.
If a majority of the judges vote in favor of a freeze, a trial is initiated. During the trial, both parties (the victim and the hacker) can submit their evidence to the decentralized judges, who then vote again on the outcome.
Although the idea has the potential to reduce the risk of security breaches, many in the crypto space have criticized the proposal, saying that such initiatives go against the founding principles of blockchain technology. Some critics also pointed out that adding a reversibility feature to ERC20 token contracts could make it challenging to integrate them into decentralized applications.
Source: https://crypto.news/hacker-exploits-profanitys-vanity-address-to-steal-950-in-eth/