CVE-2022-40769
Published 2022-09-18
CVE-2022-40769: profanity through 1.60 has only four billion possible RNG initializations. Thus, attackers can recover private keys from Ethereum vanity addresses and steal…
Priority P274 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 1.04% (59.6th percentile)
profanity through 1.60 has only four billion possible RNG initializations. Thus, attackers can recover private keys from Ethereum vanity addresses and steal cryptocurrency, as exploited in the wild in June 2022.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| profanity_project | profanity | <= 1.60 | — |
Detection & IOCs (extracted from sources)
- Ethereum private keys generated by Profanity through version 1.60 can be brute-forced by exhausting the ~4 billion RNG seed space. Monitor for unauthorized transfers from known Profanity-generated vanity addresses.
- The vulnerability is specific to Profanity versions through 1.60, where the RNG is seeded with only a 32-bit value, limiting the keyspace to approximately 4 billion possibilities rather than the cryptographically required 256-bit entropy.
- Exploitation was confirmed in the wild as early as June 2022, meaning affected vanity addresses generated by Profanity prior to patching should be considered compromised.
- The root cause is use of a small (32-bit) random seed for RNG initialization in vanity address generation; any tool with a similar design flaw would be equally vulnerable.
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck · 7.5 HIGH
GHSA
GHSA-9q2f-7hm7-62h6: profanity through 1
ghsa_unreviewed · 2022-09-19
CVE-2022-40769 [HIGH] CWE-338 GHSA-9q2f-7hm7-62h6: profanity through 1
VulnCheck
profanity_project profanity Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
vulncheck · 2022 · CVSS 7.5
CVE-2022-40769 [HIGH] profanity_project profanity Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Affected: profanity_project profanity
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2022-40769
No detection rules found.
No public exploits indexed.
- https://blog.1inch.io/a-vulnerability-disclosed-in-profanity-an-ethereum-vanity-address-tool-68ed7455fc8c
- https://github.com/johguse/profanity
- https://github.com/johguse/profanity/issues/61