In the past week, reports of private key breaches surrounding Profanity-generated vanity addresses were made public by multiple affected organizations.
The breaches have resulted in combined losses of over $160M to date; there could be more breaches to come, as well as more that have already happened and have not yet been identified.
As DeFi continues to grow, attackers evolve. From a security perspective, it’s important to think through any new processes and products that are introduced into the ecosystem, as they can be highly sensitive.
In this blog post, we’ll walk you through everything you need to know about how the attacks happened – as well as give our recommendations on how to avoid similar incidents when interacting with the DeFi ecosystem.
About Profanity and how the breaches occurred
Profanity is an Ethereum vanity address generating tool that allows users to create addresses with predefined patterns, such as a chosen sequence of characters at the beginning of an address. The use of vanity addresses has been made popular in DeFi for different reasons – some users want their addresses to look a specific way, while others may be looking to improve efficiency and automation.
Searching for a chosen pattern means generating and discarding very large numbers of candidate keys, and optimizing that search can come at the expense of the randomness of the private keys it produces, which creates a point of vulnerability for private key holders. With Profanity, attackers managed to reverse-engineer the private key generation process to recover the seed and, from it, the private key. This eventually led to victim wallets being drained.
Ultimately, compromises were made in the key generation process in favor of optimization, resulting in private keys being exposed.
The importance of key generation and management in DeFi
If an attacker is able to extract your private keys, whether by compromising your key management system, through brute-force attacks, or by reverse-engineering the generation process, all your funds are now in their control. This makes key generation and key management a critically important process, especially when dealing with DeFi operations.
The best way to secure your private key is to make sure that it is both completely random and inaccessible to attackers.
With security at the core of our platform and philosophy, Fireblocks utilizes MPC-CMP and hardware isolation technology to ensure that our users never leave their private keys exposed. We deploy a battle-tested, enterprise-grade key generation process, generating private keys in a highly secure, trusted execution environment that prevents both internal and external attackers from manipulating the process. We also utilize a true random number generator to prevent reverse-engineering of the key generation process. This eliminates a single point of failure and protects digital assets from external attacks, internal collusion, and human error.
Our key management system has been audited by multiple auditing specialists including NCC Group, Trail of Bits, and Halborn.
Core pillars of DeFi operational security beyond private keys
Ensuring that private keys are safe is only the first step to maximizing security in DeFi. The next step is to make sure they are being used in a safe manner and only as intended by your organization. Here are three core pillars for securing your DeFi operations:
- Establish transaction policies – Define your organization’s business logic, such as authorization amount thresholds and the personnel authorized for each action and approval
- Utilize contract whitelisting – Establish whitelists to ensure you only interact with smart contracts that you know and trust
- Implement DeFi policies – Set controls for any smart contract interaction to better manage risk, including types of assets, actions, and amounts being transferred
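As an added illustration of the three pillars above (example code written for this post, not Fireblocks' own policy engine), here is a minimal policy check that evaluates a proposed transaction against a contract allowlist with per-contract permitted actions, per-asset amount limits, and tiered approver requirements. All addresses, limits, asset names and approver names are constructed placeholders.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed placeholders: these addresses and limits are not real contracts or real policy.
CONTRACT_ALLOWLIST = {
    "0x1111111111111111111111111111111111111111": {"deposit", "withdraw"},  # vetted lending pool
    "0x2222222222222222222222222222222222222222": {"swap"},                 # vetted DEX router
}
PER_TX_LIMIT = {"USDC": Decimal("250000"), "ETH": Decimal("100")}
# (amount threshold, distinct approvers required); the highest matching threshold wins.
APPROVAL_TIERS = [(Decimal("0"), 1), (Decimal("50000"), 2), (Decimal("200000"), 3)]


@dataclass(frozen=True)
class TxRequest:
    contract: str
    action: str
    asset: str
    amount: Decimal
    approvers: frozenset  # identities that have already approved this request


def approvers_needed(amount: Decimal) -> int:
    """Number of distinct approvers required for this amount under APPROVAL_TIERS."""
    return max((n for threshold, n in APPROVAL_TIERS if amount >= threshold),
               default=APPROVAL_TIERS[0][1])


def evaluate(tx: TxRequest) -> tuple[bool, list[str]]:
    """Apply every pillar and report every failing check; nothing is partially approved."""
    reasons = []
    allowed_actions = CONTRACT_ALLOWLIST.get(tx.contract.lower())
    if allowed_actions is None:
        reasons.append("contract is not on the allowlist")
    elif tx.action not in allowed_actions:
        reasons.append(f"action '{tx.action}' is not permitted on this contract")
    limit = PER_TX_LIMIT.get(tx.asset)
    if limit is None:
        reasons.append(f"asset '{tx.asset}' is not permitted")
    elif tx.amount <= 0:
        reasons.append("amount must be positive")
    elif tx.amount > limit:
        reasons.append(f"amount {tx.amount} exceeds per-transaction limit {limit} {tx.asset}")
    needed = approvers_needed(tx.amount)
    if len(tx.approvers) < needed:
        reasons.append(f"{needed} approver(s) required, {len(tx.approvers)} given")
    return (not reasons, reasons)


if __name__ == "__main__":
    pool = "0x1111111111111111111111111111111111111111"
    print(evaluate(TxRequest(pool, "deposit", "USDC", Decimal("60000"), frozenset({"alice", "bob"}))))
    print(evaluate(TxRequest("0x" + "33" * 20, "approve", "USDC", Decimal("300000"), frozenset({"alice"}))))
```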