Vulnerability Details : CVE-2022-40769
profanity through 1.60 has only four billion possible RNG initializations. Thus, attackers can recover private keys from Ethereum vanity addresses and steal cryptocurrency, as exploited in the wild in June 2022.
Exploit prediction scoring system (EPSS) score for CVE-2022-40769
Probability of exploitation activity in the next 30 days: 0.11%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 44 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2022-40769
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2022-40769
-
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-40769
-
https://blog.1inch.io/a-vulnerability-disclosed-in-profanity-an-ethereum-vanity-address-tool-68ed7455fc8c
A vulnerability disclosed in Profanity, an Ethereum vanity address tool | by 1inch Network | Sep, 2022 | 1inch NetworkThird Party Advisory
-
https://github.com/johguse/profanity
GitHub - johguse/profanity: Vanity address generator for EthereumThird Party Advisory
-
https://github.com/johguse/profanity/issues/61
Private key safety · Issue #61 · johguse/profanity · GitHubIssue Tracking;Third Party Advisory
Products affected by CVE-2022-40769
- cpe:2.3:a:profanity_project:profanity:*:*:*:*:*:*:*:*