The hacker managed to steal 732 ETH worth around $950,000 and transferred it to the Tornado Cash mixer.
Another vanity wallet address has joined the list of decentralised finance (DeFi) victims, who have together lost more than $1.6 billion in 2022 to the hacks and attacks that continue to plague the industry.
According to a warning issued by blockchain security company PeckShield, a hacker was identified after taking 732 Ether (ETH), worth roughly $950,000, from an account created using the Profanity Ethereum vanity wallet address generator. The exploiters transferred the cryptocurrency to the recently authorised crypto mixer Tornado Cash after emptying the wallet.
#PeckShieldAlert Seems like $950k worth of crypto has been stolen by 0x9731F from Ethereum “vanity address” generated with a tool called Profanity. The exploiter already transferred ~732 $ETH into Mixer pic.twitter.com/QOZfnE49H4
— PeckShieldAlert (@PeckShieldAlert) September 26, 2022
Vanity addresses are cryptocurrency wallet addresses customised to contain words or particular characters chosen by the owner. However, the security of vanity addresses is still in doubt, as shown by recent vulnerabilities.
Decentralized exchange (DEX) aggregator 1inch Network alerted community members earlier in September that addresses generated with Profanity were not secure. The DEX urged cryptocurrency owners with vanity addresses to move their holdings right away.
The vanity address generator is unsafe, according to 1inch, because it seeded 256-bit private keys with a random 32-bit vector.
Following the DEX aggregator’s warnings, blockchain researcher ZachXBT revealed that some hackers had already been able to steal $3.3 million worth of cryptocurrency via an exploit of the Profanity flaw.
A UK-based cryptocurrency market maker suffered an exploit on September 20 that cost it $160 million. Ajay Dhingra, a researcher, speculates that the vulnerability may have resulted from the firm's hot wallet being compromised and used to manipulate a smart contract flaw.
The company's CEO and creator, Evgeny Gaevoy, asked the attackers to get in touch if they are interested in treating the flaw as a white hat hack.