Wintermute wallet is exploited, probably due to the vanity wallet created with Profanity

GoPlus Security
2 min readSep 20, 2022

--

The vanity wallet of a well-known marketer @Wintermute_t was hacked. And GoPlus researcher has briefly analyzed the principle of the hack based on 1inch’s previous report.

The vanity wallet address is https://etherscan.io/address/0x0000000fe6a514a32abdcdfcc076c85243de899b…

Wintermute uses the vanity wallet generated by Profanity. Profanity selects a seed private key among 2³² (about 4 billion) seeds, then uses the seed to derive 2 million private keys and see if there are any vanity addresses(the process is deterministic, similar to HD wallet)

Obviously, the easiest way is to brute force. Run these 4 billion seeds, each corresponding 2 million according to the rules, to get all the Profanity wallets. But this requires giga computation power running for a month, which is extremely difficult for ordinary hackers.

But a simplified process can reduce the complexity:

① Extract the public key (not address) from a tx of the target vanity wallet.

② Expand 2 million public keys according to the rules.

③ Find the master public key and its seed = > The private key.

Here GoPlus remind everyone DO NOT use Profanity to generate vanity wallets. If you need one, you must pay attention to the generation tool. Because most users don’t have the ability to verify, it is not recommended to store large capital in it.

--

--

GoPlus Security
GoPlus Security

Written by GoPlus Security

Empowering a #SaferWeb3 with user-driven, open access security solutions. Championing user education for a fortified front against adversaries.