
The Ethereum community has been weighing the nature of the recently announced $160 million Wintermute hack and has identified a potential attack vector: one of Wintermute's addresses has the characteristics of a vanity address, which could be the root of the vulnerability.
"Wintermute's address had 7 leading 0s
according to @k06a's estimate you can brute this in 50 days with 1000 GPUs
The attacker was definitely a pro"
Tuba (@0xtuba), September 20, 2022
Vanity addresses are produced by brute force: a program is given a desired prefix or suffix, then repeatedly generates a private key, derives the corresponding address, and checks it against the pattern. It may have to generate millions of addresses before one matches the specified criteria, and the security of the result depends entirely on how the program generates those private keys.
One such tool, Profanity, is available on GitHub but has been a known security concern for some time. According to its README, the repository was abandoned due to "fundamental security issues in private key generation".
A blog post by the 1inch team describes some potential vulnerabilities in the code. The codebase is said to have been updated to remove "all affected binaries", but removing the binaries does nothing for addresses that were already generated with the flawed tool, so there may be a fundamental flaw in that methodology.
Citing an estimate by 1inch contributor k06a, 0xtuba calculated that it could take only 50 days to brute-force the private key behind an address with 7 leading zeros using 1,000 GPUs. Given Ethereum's recent move to proof-of-stake, many miners are now looking for somewhere to apply their GPU power.
The image below shows the estimated time it takes to generate an Ethereum address with seven leading zeros on a home gaming PC with a single RTX 3070 Ti GPU.

If this attack vector proves viable, some miners may choose to turn to malicious means to ensure their farms remain profitable. I have a concern.
The 1inch blog post contains the following warning:
"Attention: Your money is not SAFU if your wallet address was generated with the Profanity tool. Please transfer all assets to another wallet ASAP!"
CryptoSlate reached out to Wintermute for comment on the method used to generate the addresses, but did not immediately receive a response.