Despite what some are calling a ‘bear market’, the adoption of cryptocurrency worldwide still remains above pre-bull market values. According to Chainalysis, while global adoption has leveled off in the last year, it has grown consistently since mid-2019. As expected, emerging markets continue to dominate with the highest adoption rates.
Alongside growing adoption, we see an increase in the number of new cryptocurrencies, dApps, and new players in the market, all hoping to take advantage of this high-growth ‘new frontier’. However, they are not the only ones taking advantage of the new technology, increasing adoption, and limited regulation. Hackers are too.
Cryptocurrency transactions require the use of a public key and a private key to authorize and validate transactions. What some people don’t know is that the public key is derived from the private key, usually using some form of an asymmetric algorithm. Moreover, crypto wallet apps usually generate the wallet address from the public key. So the public key, private key, and wallet address are all interconnected.
Cryptographic keys are usually a long random sequence of bytes, which are randomly generated. Since the wallet addresses are computed based on these random keys, they appear to be random and are usually represented by a hard-to-remember string of letters and digits. While the long addresses often lead to much frustration, they serve another purpose; making the discovery and infiltration impossible.
Similar to the personalization of license plates and telephone numbers, there is a way to personalize wallet addresses too. Personalized wallet addresses, aptly called vanity wallet addresses, are almost as old as Bitcoin itself. They were made popular back in 2011 by a website called Vanitygen which was perhaps the most popular command-line bitcoin address generator.
Lately, Profanity, a vanity address generator for Ethereum has gained popularity, particularly in the land of DeFi. Profanity allows users to create wallet addresses with predefined patterns such as a name, a word, or a series of digits. A Profanity address is computed by running through a variety of public and private keys – looking for those which meet the criteria. And while theoretically sound, in effect Profanity addresses are much less secure than randomly generated addresses.
The problem with Profanity addresses is that they are easier to hack. Specifically, because the random generator they used was based on a 32-bit entropy rather than the accepted 128 or 256-bit generator. This is what makes Profanity addresses susceptible to brute-force attacks.
According to estimates on the issue, raised on Profanity’s GitHub, a set of 1,000 GPUs could theoretically brute force the private keys of every 7-character vanity address generated using Profanity within 50 days. And while this operation would be expensive, the return on investment could be significant.
The issue was originally brought to light by 1inch researchers in early 2022. They further elaborated on the vulnerabilities of Profanity addresses here. The results were not far behind. So far millions of dollars in assets have been drained out of Profanity wallets in the last months. Here are but a few examples:
It is important to note that your private key is your most treasured possession. If a hacker gets hold of your private key, they in effect have signatory authority to transfer or transact in your stead. Hence they will be in control of all of your digital assets.
The GK8 solution was developed with private key security in mind. We believe that the mainstream solution deployed by many financial institutions, MPC (multi-party computation) vault, is just not enough by itself. MPC security is based on dividing each private key into shards: where only by piecing together all shards, the key is revealed. However, no MPC solution is truly unbreachable.
Here is why: 1) MPC vaults are by default connected to the internet. Our experience is that any PC connected to the internet can potentially be hacked. Regardless of how sophisticated its algorithm is, with enough effort and persistence, a skilled hacker will eventually find an attack vector on this device. 2) The MPC network is typically made up of 3-4 computers/cosigners. While hacking an additional computer or two is definitely more complex, history has shown that it can be done.
That is why we at GK8 have developed the world’s only truly, unhackable cold vault, which enables financial institutions to create, sign and send crypto transactions without ever connecting to the internet. The cold vault can then be paired with our MPC solution which can be used for high-frequency, automatic transactions. Together these solutions mitigate threats, removing all attack vectors.
Here are some other steps institutions should take:
For more information about the GK8 solution, click here.