Closed cryptoDevTrader closed 2 years ago
hippopotato
commented
2 years ago @cryptoDevTrader hi, can you link to the specific code where 32-bit seeds is used to seed the generator? from what I can tell, vanity-ETH uses the randombytes library which uses crypto.randomBytes in node.js, and crypto.getRandomValues in the browser
bokub
commented
2 years ago Hi,
The article says :
Profanity used a random 32-bit vector to seed 256-bit private keys and suspected it could be unsafe
Then, you say:
due to vanity-ETH also using 32 bit seeds
This is completely wrong, you shouldn't claim such things without doing some research first. As you can see in the code below, Vanity-ETH, generates random keys from scratch, without a seed:
https://github.com/bokub/vanity-eth/blob/master/src/js/vanity.js#L21-L25
randomBytes(32) creates a 32 bytes (=256 bits) random key, which is the right thing to do for private key safety.
cryptoDevTrader
commented
2 years ago Good to know, thank you. I was unsure if this was the case, thus the use of the words “appears as though” and “may be”. I’m glad I was wrong. Thank you for the clarification!
It appears as though the private keys generated by vanity-eth may be susceptible to the same attack as reported on the profanity project below, due to vanity-ETH also using 32 bit seeds.
https://github.com/johguse/profanity/issues/61
Vulnerability outlined here:
https://blog.1inch.io/a-vulnerability-disclosed-in-profanity-an-ethereum-vanity-address-tool-68ed7455fc8c