Vanity address: A recent hack of a customisable Ethereum wallet address saw one unlucky DeFi user lose roughly US$950,000, bringing the total amount of hacked crypto to a little over US$2 billion for the year.
According to a Twitter post from blockchain security agency PeckShieldAlert, a hacker stole roughly 732 ETH (US$950,000) from what’s known as a “vanity” address, created by a third-party service called Profanity. The hacker proceeded to send the stolen ETH into the now heavily-sanctioned mixing service Tornado Cash.
WTF is a vanity address?
To clear up any confusion, the now-defunct Profanity address generator allowed users to generate a new, customised Ethereum wallet address. Instead of just having a random 20-digit hexadecimal address like everyone else, vanity addresses are generated to include specific words, phrases and numbers.
For example, The Chainsaw could choose to generate a new Ethereum wallet address to look something like the following: “0xTheChainsawRules420”. Although it may not seem like it, this is quite different from an ENS domain, which simply points to a user’s Ethereum wallet address by allowing users to display their 20-digit public address in a simplified way like “TheChainsaw.eth”.
ENS domains are, for all intents and purposes, far more secure than custom-generated vanity addresses. They simply help crypto users turn machine-readable numbers like ‘0xAb5801a7D398351b8bE11C439e05C3B3259aeC9B’ into human-readable alternatives.
Earlier this week, US-based crypto exchange Coinbase announced a partnership with the ENS organisation and said it would be handing out free domains to Coinbase users as a result.
The recent exploit, however, has once again called the security of vanity addresses into question, particularly when it comes to the Profanity address generator.
Earlier this month, on September 17, blockchain detective ZachXBT found that the Profanity generator had already been responsible for roughly US$3.3 million in exploits.
This post came just days after decentralised exchange 1inch Network (1INCH) published a blog post outlining a vulnerability that had been found in the Profanity address generator tool.