Wintermute hack replicated on simple laptop in under 48 hours by exploiting Profanity flaw
A standard M1 Macbook with 32GB of RAM was able to crack the Wintermute private key in less than 48 hours
Amber Group, a blockchain technology provider, replicated the Wintermute hack in less than 48 hours using a basic laptop. A report by the Amber Group stated,
“We used a Macbook M1 with 16GB RAM to precompute a dataset in less than 10 hours… We finished the implementation and were able to crack the private key of 0x0000000fe6a514a32abdcdfcc076c85243de899b in less than 48 hours.”
The hack was attributed to vanity addresses created with the Profanity tool, allowing users to generate specific ethereum addresses with particular characters. In the case of Wintermute, the address contained seven leading zeros. Vanity addresses allow accounts to have similar characters making it easier to identify the public addresses on the blockchain.
Another impact of an Ethereum address with several leading zeros is a reduction in gas fees due to the reduced space needed to store the information on the blockchain. However, removing an element of randomness from the cryptographic process used in generating the address comes at the cost of reduced security.
Initial analysis suggested that it would take 1,000 GPUs just 50 days to generate every possible private key for addresses that start with seven leading zeros. However, Amber Group now claims it can be achieved using just a single laptop in under 48 hours.
The cryptography explained
Profanity is an address generation tool for the Ethereum ecosystem. The codebase can be easily downloaded from GitHub and has been available since 2017. However, the current codebase version includes a warning advising against the use of the tool. The tool’s creator, Johguse, added the following message to the readme.md file on Sept. 15, 2022.
“I strongly advice against using this tool in its current state. This repository will soon be further updated with additional information regarding this critical issue.”
Further, core binaries were removed to stop users from being able to compile the codebase “to prevent further unsafe use of this tool.”
The Profanity uses local “GPU power with OpenCL through a simple algorithm” to generate Ethereum private and public keys until it finds an address that matches the rules set by the user. For instance, if a user wishes to create an Ethereum address ending in ‘AAA,’ it will continue to work until it generates an address with these characters as its suffix.
When an address is generated that does not match the conditions detailed in the ruleset, Profanity “adds 1 to the private key and derives a new Ethereum address until it finds the one that matches the rules.”
Ethereum addresses are usually generated locally using elliptical curve cryptography. When generating an Ethereum address, there is no computation to check whether the private key has been used in the past for another address. However, this is due to the sheer number of possible Ethereum addresses.
This video explains the true magnitude of 256bit encryption used in Ethereum’s cryptography. A simple comparison can also be made in that there are roughly 2^76 grains of sand in the world but 2^160 possible Ethereum addresses.
However, when any characters of the Ethereum addresses are pre-determined, the calculation to generate the private key becomes significantly more straightforward, and the number of possible addresses is reduced dramatically.
Amber Grouped explained that the Profanity method’s flaw comes from using a 32-bit seed to generate addresses.
“To generate a random private key, Profanity first uses the random device to generate a seed. But sadly the seed is 32-bit, which cannot be used as a private key directly.”
The 32-bit seed is fed through a pseudo-random number generator (PRNG) that uses a deterministic function. This PRNG method results in a straightforward way to determine all viable public key seeds used within Profanity.
“Since there are only 2^32 possible initial key pairs (d_0,0, Q_0,0) and the iteration on each round is reversible, it is possible to crack the private key from any public key generated by Profanity.”
The method used by Amber Group was to acquire the public key of the address, precompute the possible Profanity public keys, compute the public keys using OpenCL, compare the computed public keys, and then reconstruct the private key once a match is found.
Due to the simplicity of the method, Amber Group recommends that “your funds are not safe if your address was generated by Profanity.”
Amber Group told CryptoSlate that, in relation to whether a better cryptographic algorithm is needed, “the answer is obviously yes…the industry can see how vulnerable this type of design is.”