This new hack of Wintermute, for ~$160MM according to reports, is fascinating. It's apparently a result of using a *vanity address*!
As you can see in this GitHub comment, they were seeding the random number generator with a 32-bit integer.
.. as I was saying at Bitcoinology the other week, 32 bits is something your laptop can crack easily in seconds (depending on what each operation is, of course). So, with a *lot* of hardware, you can search the space of those randoms.
Here is the vanity address the Wintermute guys were using:
.. apparently they wanted the leading zeros to save on gas fees; I'm not sure how that works in Eth but it could make sense.
The attack is a really interesting practical example of why cryptographers sometimes obsess over 'how many bits of security'. Here, an attack could cost a lot in hardware rental, but it has one super-favourable feature: you can see on the blockchain *exactly* how much you will get ...
.. by cracking, so it's super-easy for the attacker to make an economic assessment of whether it's worth their while.
As usual rekt.news has a good write-up of some facts.
And finally, I particularly liked this recent GitHub comment: https://github.com/johguse/profanity/issues/61#issuecomment-1247706911 😂
(I suppose it's pretty easy to argue that this mistake is not really forgivable: having had experience writing code to generate private keys, the *first* thing I would make double/triple sure of is that whatever my source of entropy is has (at least) the number of bits I intend it to. The rd() call here returns unsigned int, and it's 4 bytes or 32 bits. Not enough for any real-world use. Maybe I'm missing something though.)
(The 2nd thing: cryptographically secure random, not just any random!)
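To make the seed-width point concrete, here is added example code (mine, not Profanity's code or the thread author's) that models the pattern described above: a 64-bit engine seeded from a single `rd()` call, beside the check the last post asks for and the direct-from-CSPRNG alternative. The `Key256` layout and function names are constructed for this example.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <limits>
#include <random>

// A 256-bit private key as four 64-bit words (constructed layout for this example).
using Key256 = std::array<std::uint64_t, 4>;

// Weak pattern described in the thread (modelled here, not the project's actual code):
// a 64-bit engine is seeded from one random_device call, whose result_type is an
// unsigned int. Whatever the engine does afterwards, the key is a pure function of
// that single seed, so at most 2^32 distinct keys can ever come out of it.
Key256 derive_key_from_seed(std::uint32_t seed) {
    std::mt19937_64 eng(seed);
    Key256 k;
    for (auto& w : k) w = eng();
    return k;
}

// Security is bounded by the narrowest link: min(seed bits, key bits).
// Expanding 32 seed bits into 256 key bits still leaves 32 bits of security.
int effective_security_bits(int seed_bits, int key_bits) {
    return std::min(seed_bits, key_bits);
}

// The check the last post asks for: does the entropy source actually supply as
// many bits as the key needs? For the weak pattern, seed_bits is
// std::numeric_limits<unsigned int>::digits, i.e. 32 on mainstream platforms.
bool seed_wide_enough(int seed_bits, int required_bits) {
    return seed_bits >= required_bits;
}

// Correct pattern: fill all 256 bits straight from the OS-backed CSPRNG, calling
// random_device as many times as its word width requires, with no intermediate
// seed. (Still confirm the platform's random_device is really OS-backed and not
// a deterministic stub, as some older toolchains shipped.)
Key256 generate_key_direct(std::random_device& rd) {
    constexpr int bits_per_call = std::numeric_limits<std::random_device::result_type>::digits;
    Key256 k{};
    for (auto& w : k) {
        w = 0;
        for (int filled = 0; filled < 64; filled += bits_per_call) {
            std::uint64_t chunk = rd();
            w = (bits_per_call >= 64) ? chunk : ((w << bits_per_call) | chunk);
        }
    }
    return k;
}
```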