Ethereum “The Merge”

Vanity Address Generator “Profanity” Vulnerability

1inch has claimed to have discovered a severe vulnerability in the Profanity tool.

Profanity is a tool that allows Ethereum users to create “vanity addresses,” a type of custom crypto wallets that contain recognizable names or numbers within them. The popular tool was launched sometime in 2017.

In its report, 1inch explained that the private keys to addresses generated on Profanity could be calculated using brute force attacks. It claimed the vulnerability may have allowed hackers to “secretly” siphon millions of dollars from Profanity users’ wallets for years.

“1inch contributors are still trying to determine all the vanity addresses which were hacked,”

Profanity anonymous developer, who goes by the moniker ‘johguse’ on Github, said that they “abandoned” the project a few years ago after finding out about “fundamental security issues in the generation of private keys.”

“I strongly advise against using this tool in its current state. The code will not receive any updates and I’ve left it in an uncompilable state. Use something else!” the developer added.

This is how Profanity works:

Randomly select 1 of 4 bln seed private keys.
Expand it deterministically to 2 mln private keys.
Derive public keys from these private keys.
Repeatedly increment them until they reach the desired vanity address.

1inch contributors achieved proof-of-concept code allowing them to recover private keys from any vanity address generated with Profanity at almost the same time that was required to generate that vanity address.

1inch contributors are still trying to determine all the vanity addresses which were hacked.

Wintermute Hack - $160 Million stolen

Crypto Trading Firm Wintermute has lost $160 Million in a Hacking Incident

The hack involved a series of unauthorized transactions that transferred USD Coin, Binance USD, Tether USD, Wrapped ETH, and 66 other cryptocurrencies to the attacker's wallet.

The company said that its centralized finance (CeFi) and over-the-counter (OTC) operations have not been impacted by the security incident. It did not disclose when the hack took place.

Details surrounding the exact exploit method used to perpetuate the hack is unknown at the moment, although Gaevoy said the attack was likely caused by a "Profanity-type exploit" in its trading wallet.

Wintermute further acknowledged it did use Profanity, an Ethereum vanity address generation software, alongside an in-house tool to generate addresses with many zeros in front as recently as June.

The open-source project is currently abandoned by its anonymous maintainer, who goes by the moniker johguse, citing "fundamental security issues in the generation of private keys."

Profanity, incidentally, also came under spotlight last week after decentralized exchange (DEX) aggregator 1inch Network disclosed a vulnerability that could be abused to recompute the private wallet keys from addresses created using the utility.

Shiba Inu Cloud Creds Leak

Shiba Inu developers leak AWS Access keys on a public code repository, resulting in a compromise of their infrastructure. Shiba Inu (ticker: SHIB) is a crypto token with a market capitalization of $6.7B. Created in August 2020 by an anonymous person or group known as Ryoshi, it is currently the 14th largest token by market cap.

On Aug 22, 2022, 2:11 PM IST, Pingsafe’s research framework discovered a leaked Shiba Inu AWS account credential on a public code repository. The credentials were valid for two days, post which they became invalid. This vulnerability severely exposed the company’s AWS account.

This commit was done on the official Shiba Inu repository by one of their developers.

Pingsafe tried to find a bug bounty program or responsible disclosure policy to contact the Shiba Inu team, but to no avail. We also reached out to a few core developers in the Shiba project over Twitter/Telegram, since their public profiles are anonymous with no emails, but no response was received.

SudoRare Rug Pull

NFT exchange SudoRare suffers $800,000 ‘rug pull’ six hours after launch.

SudoRare, a decentralized non-fungible token (NFT) exchange, has gone offline — six hours after it launched — with tokens worth over $800,000 removed from the platform’s wallet address.

The exchange, which was spun up as a fork of the NFT marketplaces LooksRare and sudoswap by an anonymous team, was supposed to allow users to create liquidity pools for NFT collections and collect fees by staking the project’s native token SR.

The culprits behind the attack withdrew about $315,700 in WETH, $200,000 in XMON, and $314,700 worth of LOOKS tokens from the exchange before swapping the assets for ETH and moving the funds to three Ethereum wallets. Blockchain security firm PeckShield has traced the attacker to a wallet funded by the centralized exchange Kraken. “The actor behind SudoRare rugpull seems a @krakenfx user,” the firm said on Twitter today, providing on-chain evidence of the connection.

As a regulated U.S.-based exchange, Kraken is subject to “Know Your Customer” requirements that enforce compulsory identification checks of all of its customers. That means at least one person linked to the attack could be known to the exchange.

The theft occurred despite multiple warnings on Crypto Twitter that SudoRare could be a scam.