Private Keys Exploits, the Second Most Lucrative Hack of 2022

Private keys being compromised and allowing hackers to siphon a project or a person’s funds is nothing new in the web3 ecosystem.

Nevertheless, this year brought its share of peculiarities, making it especially bountiful for hackers: 23 incidents were recorded for a $905,3 million in loss.

At large, people tend to think that private keys can not be “hacked” and that there are only two non-hack-ways to compromise private keys: social engineering (scammers trick you into giving them your private keys/mnemonic) & malicious softwares that, once downloaded will steal your keys.

Private key exploits through social engineering and malicious apps made many victims in 2022, like crypto VC Bo Shen who lost a whopping $42 million in November 2022 due to social engineering.

In addition, unaccountable victims were also made by Metamask, forgetting to warn its users that Apple’s cloud service automatically uploads the encrypted passwords for users’ crypto accounts, called MetaMask vaults, if the iCloud backup option is enabled on the app. Ending up in people losing their funds after their iCloud credentials were compromised.

However, private keys are not compromised only through these techniques and can certainly be hacked.

In 2022, supply chain attacks and brute force attacks were responsible for a $175 million loss.

SUPPLY CHAIN ATTACKS

Supply chain attacks are one of the new hacks in web3 town.

In cybersecurity, what qualifies as a supply chain attack is a cyberattack that targets organizations and attempts to inflict damage by exploiting the “weaker link(s)” and their vulnerabilities in the supply chain network.

The “Supply Chain Network” is every intermediary and organization used to operate a business. As a result, supply chain attacks have become one of the most dangerous security threats for businesses and organizations.

Applied to the blockchain, a supply chain attack is when some 9,223 crypto wallets from Phantom, Slope, Solflare, and TrustWallet on the blockchain Solana were drained for almost US$6 million of crypto in August 2022 due to their private keys being compromised.

Per the Solana team, all of the affected addresses, even the crypto wallets from Phantom, Solflare, and TrustWallet, “were at one point created, imported, or used in Slope mobile wallet applications.” Unfortunately for them, one week prior to the exploit, Slope had decided to use Sentry, an event-logging platform used by many websites and mobile apps in the industry, including the Slope wallet for iOS and Android, which turned out to be the” weak link.”

Every new actor in a supply chain brings with it its “points of vulnerability” .

Slope did not anticipate how Sentry could turn into a key point of access for hackers. Based on auditing firms Zellic and OtterSec’s research, “[…] any interaction in the app would trigger an event log. Unfortunately, Slope didn’t configure Sentry to scrub sensitive info. Thus, the seed phrases were leaked to Sentry”. In short, anyone with access to Sentry could access users’ private keys, which allowed the hacker(s) to “recover wallets that do not belong to them and transfer tokens to their own personal wallet,” resulting in almost 10 000 people seeing their funds disappear.

Web3 actors converging toward each other and becoming even more interwoven to provide better services for web3 users will probably turn into an ever-lasting trend.

Thus, it is plausible that supply chain attacks will grow as these web3 actors’ supply chains become even more fragmented, creating multiple new points of vulnerability.

Vulnerabilities that will, in some cases, allow private key exploits like in the Slope/Sentry case.

PROFANITY HACK

The other type of hack that has dominated private key exploits is the brute force attack that claimed $168,6 million.

A brute force attack is a cryptographic hack that relies on guessing possible combinations of a targeted password until the correct password is discovered.

This year brute force attacks were almost solely due to the exploit of Profanity addresses’ vulnerabilities.

Profanity is an Ethereum vanity address generator. Vanity addresses are Ethereum addresses that, instead of looking like an indecipherable sequence of numbers or letters, have some parts of them (prefix and/or suffix generally) created by people to include their name or whatever they choose.

On September 15, 2022, DeFi protocol 1inch Network raised the alarm about Profanity-made vanity addresses that could be possibly drained due to a subsequent inherent vulnerability. The Inch Team closed their argument with a very appropriate “Run, You Fools.” In the following weeks, at the very least, $172 million were lost by individuals and web3 actors alike. The most devastating private key exploit was Algorithmic Market Maker Wintermute, who lost $162,5 million in one of the greatest hacks recorded in 2022.

After the first hacks, it was revealed that Profanity devs had abandoned the project a few years ago after discovering fundamental security issues in creating private keys. To generate these addresses, they had limited possible seed values (232); when the more seed values, the better wallet addresses are protected.

Those limited possible seed values made them highly vulnerable to brute force attacks, which is precisely what has been happening since September 2022.

It was first assumed in January 2022 by Inch co-founder Anton Bukov that within 50 days, a set of 1,000 GPUs could theoretically brute force (~uncover) the private keys of every 7-character vanity address generated by Profanity.

On September 30, crypto firm Amber Group tried to replicate the $162M Wintermute hack with simple hardware, a Macbook M1 with 16GB RAM, which was extremely easy and quick: it took them less than 60 hours total to mimic the hack.

As of now, every person with funds locked in one of their Profanity addresses could be submitted to a swift brute force attack.