When you access or set up your own Bitcoin or Ethereum wallet, you may notice that it simply becomes a collection of numbers and letters that have no relevance to you or anything associated with you.
Considering your wallet address is like your bank account number, which you give or show to others so that they can send you cryptocurrencies, what if you could personalize that address so it wasn't just another random string of numbers and letters?
Well, that's exactly what vanity addresses are for.
A vanity address is a unique personalized address. It is an address that has parts of it chosen rather than being generated at random. Adding vanity to an address is used to distinguish it from other (random) addresses, to give it personality, to reinforce a brand, to send a message, and to make the owner(s) feel cool.
Now, let’s take a look at some live examples.
A popular vanity address is 0x000000000000000000000000000000000000dead.
Notice the “dead” at the end? It is sometimes used in place of the standard null address, 0x0000000000000000000000000000000000000000.
Another popular vanity address most of you have interacted with is the @1inch router, 0x1111111254fb6c44bAC0beD2854e76F90643097d. Notice the 7 “1”s at the beginning?
Another new yet popular vanity address that just appeared on the chain is the @ConcaveFi $CNV token address, 0x000000007a58f5f58E697e51Ab0357BC9e260A04. Notice the 8 “0”s at the beginning.
In any case, you get the idea: a vanity address is one that has parts of it chosen rather than being generated at random. (It should not be confused with .eth addresses.)
History of Vanity Addresses
Vanity addresses first appeared in 2011. Their main propagator was a site called Vanitygen.
Vanitygen is a command-line vanity bitcoin address generator. It first appeared in a Bitcointalk forum thread in 2011, making it nearly as old as Bitcoin itself.
It offered a service that searched for exact prefixes or expression matches. The search looks for a public key whose address matches. Since this is probabilistic, the longer the desired name, the longer it will take your computer to hash an address that meets the criteria.
How long does it take to create a vanity address?
According to the Vanitygen wiki page, it would take about a week to compute a vanity address beginning with the characters "1Bitcoin," whereas an address beginning with the characters "1BitcoinEat" would take approximately 3,500 years.
How Can I Make My Own Vanity Address?
You can make your own vanity address in two ways. The first method is to do it yourself. This method is the most secure because no one can see the private key and public key pair (this does necessitate some computer knowledge and the installation of the necessary software).
You can then specify how much of your processing power to devote to the process, but keep in mind that dedicating a large portion of your CPU may cause the program to crash. When using third-party code, use caution, especially with services whose GitHub repository hasn't been updated in years.
The other method, which may be less secure, is to join a pool and outsource the work to Bitcoin vanity address miners. These miners devote their CPU and GPU power to locating the desired address and sending it to you via email or postal mail (if you are paying for it).
Although this is a quick process, there is a risk that the miners keep the private key that generated the address and use it in the future to hack your funds and steal the millions stored in your vanity address.
The next safest option is to use a service like Vante.me, which generates split-key addresses.
It is important to note that the most significant disadvantage of creating and using a vanity address is that it is a poor privacy practice. If you do decide to use one, it's a good idea to send funds to a separate address that you control on a regular basis for privacy and security reasons.
Since we’re already talking about security practices, we need to ask ourselves some questions.
How can they be used by hackers to steal your coins? How can dapps use them to keep you safe? What can wallets do to keep you safe? What can you do to safeguard yourself?
Today, we'll go over some obscure information, things you didn't know you didn't know.
Security risks of Vanity Addresses
Degen Spartan (above) is referring to something that 99% of crypto users do not do, even though they should.
Most crypto users do not double-check what the dapp and (or) browser wallet are displaying. They don’t bother to check whether the wallet's transaction prompt displays exactly what they are expecting. The word "exactly" is stressed.
For example, if you want to send $100 to a friend, you would copy-paste their address, enter "100 $DAI," double-check and triple-check everything to ensure you are sending the correct amount to the correct address, and then press "Sign TX."
For most crypto users, the “Review transaction” notification pops up on your wallet screen, and you just go through the familiar motions: RIGHT, RIGHT, RIGHT, RIGHT, RIGHT, LEFT+RIGHT.
But you don't check to see if the address displayed by your wallet is the same as the one you have on file, or if the amount is "100" (rather than "1000"). You do not check if you are interacting with $DAI or sending them 100 $ETH instead. You simply sign the TX, confident that you have triple-checked everything on your PC.
That, as Degen Spartan points out, is a recipe for disaster. Everything displayed by the dapp you're using or the browser wallet you're using can be tampered with.
Do you double-check the address you're interacting with on your HW before signing the TX (unlike the vast majority of CT)? Or do you only look at the first and last few (3-4) characters of the address?
Because otherwise, you may be wasting your time in exchange for a false sense of security.
Let’s look at some examples:
Take note of how MetaMask only displays the first and last few characters of the address, rather than the entire address. If you only check that with your HW, you are wasting your time in exchange for a false sense of security.
On the MetaMask window shown above, if you click "Confirm", this is then reflected in your Ledger.
Everything seems in working order. You signed the TX.
But guess what?…
I just stole your money!
How?!
Aside from the well-known use of vanity addresses, there is a lesser-known (and evil) use case: making addresses blend in.
If you check the chain, you will see that the address you should have interacted with is 0x4678f0a6958e4D2Bc4F1BAF7Bc52E8F3564f3fE4.
Instead, the address displayed by your Ledger was 0x4679E467A5fAe7687bFff70996A9649Be2C13fE4.
Both addresses begin and end with the same characters as those displayed by your MetaMask, but they are otherwise completely different.
And since you only verified what your MetaMask showed you, you lost your money!
Now, instead of using vanity to create an address that stands out, I used vanity to create an address that blends in. In fact, it only took my laptop 5 seconds (!) to find another address that begins and ends with the same characters that are displayed by @MetaMask for you to check.
My “fake” address is completely legitimate.
Its PK is even visible in the SS above. Try importing it into your wallet if you don’t believe me. You will see, it works. I used a vanity address generator to generate a name that blends in rather than stands out.
And because MetaMask only displays the first and last few characters, and you only checked the first and last few characters, I was able to make you interact with another address that happens to begin and end the same way you expected.
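The full-address check this section argues for, as an added example that is not part of the original article: it compares all 40 hex digits of the intended address with the one shown on the signing device and flags a pair that matches only in abbreviated form. The window of 3 leading and 4 trailing digits is an assumption taken from the characters the two quoted addresses share, and `compareAddresses` and `abbreviate` are hypothetical helper names.

```javascript
// Added example (not from the original article). The two addresses are the ones quoted above.
const EXPECTED = "0x4678f0a6958e4D2Bc4F1BAF7Bc52E8F3564f3fE4";
const SHOWN = "0x4679E467A5fAe7687bFff70996A9649Be2C13fE4";
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Return the 40 hex digits in lower case; reject anything that is not a 20-byte address.
// Lower-casing ignores the mixed-case checksum, which is not verified here.
function hexBody(address) {
  const s = String(address).trim();
  if (!ADDRESS_RE.test(s)) throw new Error("not a 20-byte hex address: " + s);
  return s.slice(2).toLowerCase();
}

// What an abbreviating UI shows. head/tail are hex-digit counts (assumed, not MetaMask's code).
function abbreviate(address, head = 3, tail = 4) {
  const body = hexBody(address);
  return "0x" + body.slice(0, head) + "..." + body.slice(40 - tail);
}

// Compare all 40 digits and report how much of the address the abbreviated view covers.
function compareAddresses(expected, shown, head = 3, tail = 4) {
  const a = hexBody(expected);
  const b = hexBody(shown);
  let prefix = 0;
  while (prefix < 40 && a[prefix] === b[prefix]) prefix++;
  const fullMatch = prefix === 40;
  let suffix = 0;
  while (suffix < 40 - prefix && a[39 - suffix] === b[39 - suffix]) suffix++;
  const abbreviatedMatch =
    abbreviate(expected, head, tail) === abbreviate(shown, head, tail);
  return {
    fullMatch,
    abbreviatedMatch,
    lookalike: abbreviatedMatch && !fullMatch, // passes the short check, fails the real one
    sharedPrefix: prefix,
    sharedSuffix: fullMatch ? 40 : suffix,
    firstDifference: fullMatch ? -1 : prefix, // index of first differing hex digit
    bitsChecked: 4 * (head + tail), // out of 160
  };
}

console.log(compareAddresses(EXPECTED, SHOWN));
```

For the two addresses above, the abbreviated views are identical while the full comparison fails at the fourth hex digit, so the short check covers 28 of the address's 160 bits.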
Credits for the security risks and examples go to StefanPatatu. He’s a jolly good Chad. Give him a follow while you’re at it!
Thanks!