Private Key Safety

[cryptoDevTrader]

It appears as though the private keys generated by vanity-eth may be susceptible to the same attack as reported on the profanity project below, due to vanity-ETH also using 32 bit seeds.

johguse/profanity#61

Vulnerability outlined here:

https://blog.1inch.io/a-vulnerability-disclosed-in-profanity-an-ethereum-vanity-address-tool-68ed7455fc8c

[hippopotato]

@cryptoDevTrader hi, can you link to the specific code where 32-bit seeds is used to seed the generator? from what I can tell, vanity-ETH uses the randombytes library which uses crypto.randomBytes in node.js, and crypto.getRandomValues in the browser

[bokub]

Hi,

The article says :

Profanity used a random 32-bit vector to seed 256-bit private keys and suspected it could be unsafe

Then, you say:

due to vanity-ETH also using 32 bit seeds

This is completely wrong, you shouldn't claim such things without doing some research first. As you can see in the code below, Vanity-ETH, generates random keys from scratch, without a seed:

https://github.com/bokub/vanity-eth/blob/master/src/js/vanity.js#L21-L25

randomBytes(32) creates a 32 bytes (=256 bits) random key, which is the right thing to do for private key safety.

[cryptoDevTrader]

Good to know, thank you. I was unsure if this was the case, thus the use of the words “appears as though” and “may be”. I’m glad I was wrong. Thank you for the clarification!