Vulnerability Details : CVE-2022-40769
profanity through 1.60 has only four billion possible RNG initializations. Thus, attackers can recover private keys from Ethereum vanity addresses and steal cryptocurrency, as exploited in the wild in June 2022.
Products affected by CVE-2022-40769
- cpe:2.3:a:profanity_project:profanity:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-40769
1.13%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 77 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-40769
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2022-40769
-
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-40769
-
https://blog.1inch.io/a-vulnerability-disclosed-in-profanity-an-ethereum-vanity-address-tool-68ed7455fc8c
A vulnerability disclosed in Profanity, an Ethereum vanity address tool | by 1inch Network | Sep, 2022 | 1inch NetworkThird Party Advisory
-
https://github.com/johguse/profanity
GitHub - johguse/profanity: Vanity address generator for EthereumThird Party Advisory
-
https://github.com/johguse/profanity/issues/61
Private key safety · Issue #61 · johguse/profanity · GitHubIssue Tracking;Third Party Advisory
Jump to