A Back Door to Your Digital Assets?

Attempts to exploit back doors

Despite what some are calling a ‘bear market’, the adoption of cryptocurrency worldwide still remains above pre-bull market values. According to Chainalysis, while global adoption has leveled off in the last year, it has grown consistently since mid-2019. As expected, emerging markets continue to dominate with the highest adoption rates.

Alongside growing adoption, we see an increase in the number of new cryptocurrencies, dApps, and new players in the market, all hoping to take advantage of this high-growth ‘new frontier’. However, they are not the only ones taking advantage of the new technology, increasing adoption, and limited regulation. Hackers are too.

The rise of vanity addresses

Cryptocurrency transactions require the use of a public key and a private key to authorize and validate transactions. What some people don’t know is that the public key is derived from the private key, usually using some form of an asymmetric algorithm. Moreover, crypto wallet apps usually generate the wallet address from the public key. So the public key, private key, and wallet address are all interconnected.

Cryptographic keys are usually a long random sequence of bytes, which are randomly generated. Since the wallet addresses are computed based on these random keys, they appear to be random and are usually represented by a hard-to-remember string of letters and digits. While the long addresses often lead to much frustration, they serve another purpose; making the discovery and infiltration impossible.

Similar to the personalization of license plates and telephone numbers, there is a way to personalize wallet addresses too. Personalized wallet addresses, aptly called vanity wallet addresses, are almost as old as Bitcoin itself. They were made popular back in 2011 by a website called Vanitygen which was perhaps the most popular command-line bitcoin address generator.

Lately, Profanity, a vanity address generator for Ethereum has gained popularity, particularly in the land of DeFi. Profanity allows users to create wallet addresses with predefined patterns such as a name, a word, or a series of digits. A Profanity address is computed by running through a variety of public and private keys – looking for those which meet the criteria. And while theoretically sound, in effect Profanity addresses are much less secure than randomly generated addresses.

But vanity addresses, particularly Profanity generated addresses, are easier to hack

The problem with Profanity addresses is that they are easier to hack. Specifically, because the random generator they used was based on a 32-bit entropy rather than the accepted 128 or 256-bit generator. This is what makes Profanity addresses susceptible to brute-force attacks.

According to estimates on the issue, raised on Profanity’s GitHub, a set of 1,000 GPUs could theoretically brute force the private keys of every 7-character vanity address generated using Profanity within 50 days. And while this operation would be expensive, the return on investment could be significant.

The issue was originally brought to light by 1inch researchers in early 2022. They further elaborated on the vulnerabilities of Profanity addresses here. The results were not far behind. So far millions of dollars in assets have been drained out of Profanity wallets in the last months. Here are but a few examples:

• Sept 27th – $966K drained: https://coingape.com/hack-profanity-vanity-addresses/
• Sept 20th – $160M Wintermute attack: How Profanity caused the $160 million Wintermute hack Articles (metaschool.so)
• Sept 19th – $3.3M drained: https://www.theblock.co/post/170971/hacker-stole-3-3-million-from-ethereum-vanity-addresses-created-with-profanity-tool
• And the list goes on….

It is important to note that your private key is your most treasured possession. If a hacker gets hold of your private key, they in effect have signatory authority to transfer or transact in your stead. Hence they will be in control of all of your digital assets.

At the heart of our solution lies your private key security

The GK8 solution was developed with private key security in mind. We believe that the mainstream solution deployed by many financial institutions, MPC (multi-party computation) vault, is just not enough by itself. MPC security is based on dividing each private key into shards: where only by piecing together all shards, the key is revealed. However, no MPC solution is truly unbreachable.

Here is why: 1) MPC vaults are by default connected to the internet. Our experience is that any PC connected to the internet can potentially be hacked. Regardless of how sophisticated its algorithm is, with enough effort and persistence, a skilled hacker will eventually find an attack vector on this device. 2) The MPC network is typically made up of 3-4 computers/cosigners. While hacking an additional computer or two is definitely more complex, history has shown that it can be done.

That is why we at GK8 have developed the world’s only truly, unhackable cold vault, which enables financial institutions to create, sign and send crypto transactions without ever connecting to the internet. The cold vault can then be paired with our MPC solution which can be used for high-frequency, automatic transactions. Together these solutions mitigate threats, removing all attack vectors.

Mitigating risks with a combination of Cold and MPC vaults is the first step, but definitely not the last

Here are some other steps institutions should take:

• Make sure your key is generated using a ‘real random’ generator – there are many generators out there. Today it is accepted practice to use a 128-bit or 256-bit generator for security purposes. Also, some ‘real random number generators’ generate numbers that are even more difficult to hack. Like the one used by the GK8 HSM module.
• Robust policy engine, based on your own business logic and workflows – the GK8 policy can be tailored to your unique needs. Control all aspects of account outflows including whitelists, transaction thresholds, hierarchies, administrative policy, and more.
• Mandatory customer-controlled cosigner policy – as opposed to some of the other solutions, the GK8 solution requires a mandatory customer-controlled co-signer. This means that any transaction must receive at least one human approval before it goes into play over the network.
• Deploy DeFi directly from the MPC vault without exposing your private keys – with GK8’s universal smart contract support and integration of Metamask Institutional, customers can access DeFi securely for revenue-generating opportunities directly from their MPC vault.

For more information about the GK8 solution, click here.