French fry-themed DAO loses $2.3 million due to Profanity exploit

friesDAO describes itself as a "a decentralized social experiment where a crypto community builds and governs a fast food franchise empire via wisdom of the crowd". Welcome to the future.

Anyway, friesDAO seems to have fallen victim to the same Profanity vulnerability that has affected projects who used the tool to generate vanity wallet addresses. friesDAO wanted a wallet address beginning with 51D35 ("SIDES"), and as a result they opened themselves up to a major loss.

The project had previously announced that they had raised $5.4 million in funding, suggesting this attack drained almost half of the project's funds.

QANX Bridge suffers $1.16 million loss caused by the Profanity vanity address vulnerability

On September 15, a blockchain security firm disclosed a vulnerability affecting Profanity, a tool that allowed people to generate "vanity" crypto wallet addresses: addresses containing specified strings of characters. This affected some individuals with vanity addresses, but has also enabled subsequent attacks on projects that used vanity addresses, such as the Wintermute exploit on September 20.

On October 11, the QANX Bridge's deployer wallet was compromised thanks to the vanity address generator bug. Although QAN had not directly used the Profanity project to generate the address, they used a project called vanity-eth-gpu, which had derived its code from Profanity and so inherited the bug. QAN is a layer 1 blockchain that claims to be quantum-resistant.

The thief stole 1.44 billion QANX from QANX's BNB Chain bridge, which they traded for 3,090 BNB (~$837,000) and tumbled through Tornado Cash. One minute later, they drained 1.43 billion QANX from QANX's Ethereum bridge, traded it for 255.4 ETH (~$327,000), and tumbled it as well. In total, $1.16 million was cashed out via Tornado. News of the attack, and the attacker's sell-off, caused the QANX price to plummet by 94%.

The attacker still holds more than 1 million QANX, nominally worth $608,000. However, QAN withdrew liquidity for the project on Uniswap and Pancakeswap, which will make it more difficult for the attacker to sell off their remaining tokens.

This was the second theft affecting the QAN platform this year. In May, an attacker stole 4.4 million QANX, which they traded for 370 ETH (valued at ~$707,000 at the time).

Wintermute hacked for $160 million

The algorithmic market maker Wintermute suffered a major hack, according to their CEO. He estimated the loss at around $160 million, also writing that the company is "solvent with twice over that amount in equity left".

Wintermute hasn't disclosed more about the attack, but it's possible that the hacker may have exploited the vulnerability in the vanity wallet address generator Profanity, which was disclosed five days prior. The crypto asset vault admin had a wallet address prefixed with 0x0000000, a vanity address that would have been susceptible to attack if it was created using the Profanity tool.

This is the second incident involving Wintermute in the past few months. In June, the group provided the wrong wallet address to the Optimism project, and Optimism sent 20 million OP tokens to a non-existent address. Another person noticed the error before they did and was able to take the tokens. They ultimately returned 17 million of the tokens to Wintermute, keeping the rest as a "bounty". $OP have been trading at around $1 as of mid-September.

Vulnerability discovered in vanity wallet generator puts millions of dollars at risk

The 1inch Network disclosed a vulnerability that some of their contributors had found in Profanity, a tool used to create "vanity" wallet addresses by Ethereum users. Although most wallet addresses are fairly random-looking, some people use vanity address generators to land on a wallet address like 0xdeadbeef52aa79d383fd61266eaa68609b39038e (beginning with deadbeef), or one with lots of 0s at the end, or some other address the user thinks looks cool.

However, because of the way the Profanity tool generated addresses, researchers discovered that it was fairly easy to reverse the brute force method used to find the keys, allowing hackers to discover the private key for a wallet created with this method.

Attackers have already been exploiting the vulnerability, with one emptying $3.3 million from various vanity addresses. 1inch wrote in their blog post that "It’s not a simple task, but at this point it looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions."

The maintainer of the Profanity tool removed the code from Github as a result of the vulnerability. Someone had raised a concern about the potential for such an exploit in January, but it had gone unaddressed as the tool was not being actively maintained.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.