Multichain DeFi aggregator ParaSwap has debunked claims that it suffered an exploit today, saying the suspected address had no power after deployment.
✅ No vulnerability found! Please check the facts & Don’t Trust, Verify!
We’ll follow up with analysis & an explanation of what’s a deployer address and how we made sure they have no power at all! https://t.co/uQKVncMZof
— ParaSwap (@paraswap) October 11, 2022
Supremacy raised alarm of profanity vulnerability
Blockchain security company Supremacy Inc. claimed that ParaSwap’s deployer address private key might have been compromised due to a Profanity exploit, adding that “funds have been stolen on multiple chains.” The firm continued, “the deployer’s address is associated with multiple multi-sign wallets.”
1/ Hi @paraswap, I heard that you want to see this? your deployer address private key may have been compromised (possibly due to Profanity vulnerability) and funds have been stolen on multiple chains. https://t.co/ijHaTwAj0l
— Supremacy Inc. (@Supremacy_CA) October 11, 2022
An Etherscan link attached to the tweets showed a transfer of 0.4320 ETH ($555.32) to another address tagged QANplatform Bridge Exploiter 2.
Another blockchain security firm, BlockSec, confirmed that the ParaSwap and Curve Finance deployer addresses were vulnerable to the Profanity vulnerability.
1/ We confirmed that both @paraswap deployer address (0x490ce4616672e93b1c8f5e43aa80312fd73dee8c) and @curve deployer address (0x07a3458ad662fbcdd4fca0b1b37be6a5b1bcd7ac) are vulnerable to the profanity vulnerability. The private keys can be recovered. https://t.co/APRXSt1gJh
— BlockSec (@BlockSecTeam) October 11, 2022
ParaSwap debunks exploit claims
ParaSwap’s investigation into Supremacy’s claim revealed “no vulnerability.” According to the DeFi platform, the address “paid the gas and retired,” adding that “Profanity addresses usually have trailing zeros.”
The firm also stated that it would “follow up with analysis & an explanation of what’s a deployer address and how we made sure they have no power at all!”
Curve Finance echoed ParaSwap’s statement, saying, “both are throwaway deployers, they control nothing. So no reason to worry there.”
Meanwhile, the ParaSwap team’s prompt response to the situation attracted praise from the crypto community.
— CryptoCondom (@crypto_condom) October 11, 2022
Profanity address vulnerability
Several crypto projects using vanity addresses have lost millions to the Profanity vulnerability since 1inch identified it in September. Malicious players could recover the private keys of any vanity address generated with Profanity.
Reports have revealed how bad actors have used the vulnerability to hack several crypto projects. Crypto market maker Wintermute lost over $160 million to the Profanity address vulnerability.