The Bug That Took Down Wintermute Is Still at Large – Blockworks
DAS: London Tickets Are 90% Sold Out. Get Your Tickets Today.
From the rapid growth of crypto to the dramatic volatility of the asset class, governments around the world are responding through regulatory and legislative actions. Some jurisdictions have announced clear and accommodating frameworks in the hope to create the crypto hubs […]
Though no funds were lost, ParaSwap is the latest protocol found to have a vulnerable deployer address
Blockchain security infrastructure company BlockSec confirmed on Twitter that decentralized exchange aggregator ParaSwap’s deployer address was vulnerable to what’s become known as the Profanity vulnerability.
ParaSwap was first alerted of the vulnerability early Tuesday morning after Web3 ecosystem security team Supremacy Inc. learned that the deployer address was associated with multiple multi-signature wallets.
1/ Hi @paraswap ,I heard that you want to see this? your deployer address private key may have been compromised (possibly due to Profanity vulnerability) and funds have been stolen on multiple chains.https://t.co/ijHaTwAj0l
Profanity once was one of the most popular tools used to generate wallet addresses, but the project was abandoned due to fundamental security flaws.
Most recently, global crypto market maker Wintermute was set back $160 million due to a suspected Profanity bug.
A Supremacy Inc. developer, Zach — who didn’t provide his last name — told Blockworks that Profanity generated addresses are vulnerable to hacks because it uses weak random numbers to generate private keys.
“If these addresses initiate transactions on the chain, exploiters can recover their public keys through transactions and then obtain the private keys by continuously back-propelling collisions on the public keys,” Zach told Blockworks via Telegram on Tuesday.
“There is one and only one solution [to this problem], which is to transfer the assets and change the wallet address immediately,” he said.
After looking into the incident, ParaSwap said that no vulnerabilities were found and denied that Profanity generated its deployer.
Although it is true that Profanity did not generate the deployer, BlockSec co-founder Andy Zhou told Blockworks that the tool that generated ParaSwap’s smart contract was still at risk of Profanity vulnerability.
“They didn’t realize they used a vulnerable tool to generate the address,” Zhou said. “The tool did not have enough randomness which made it possible to crack the private key address.”
Knowledge of the vulnerability has also been able to help BlockSec recover funds. This was true for DeFi protocols BabySwap and TransitSwap, which were both attacked on Oct. 1.
“We were able to retrieve the funds and return them to the protocols,” Zhou said.
After noticing that some attack transactions had been front run by a bot susceptible to Profanity vulnerability, BlockSec developers were able to effectively steal from the thieves.
Despite its popularity as an efficient tool for generating addresses, the developer of Profanity cautioned on Github that wallet security is paramount. “The code will not receive any updates, and I’ve left it in an uncompilable state,” the developer wrote. “Use something else!”
Attend DAS:LONDON and hear how the largest TradFi and crypto institutions see the future of crypto’s institutional adoption. Register here.
Monday & Tuesday, October 17 & 18, 2022
The Royal Lancaster Hotel, London
The attacker who saddled the Solana-based DeFi-protocol with bad debt wants to cut a deal
The region, now a hub for crypto companies, is “a market of significant strategic importance,” exec says
OpenSea now supports seven blockchains with NFT trading
Agoric is developing a stablecoin, IST, ahead of its mainnet launch
GMI PAC, a new crypto-focused political action committee, is preparing for Election Day