Vanity Blockie Miner for Ethereum
Brute force generate Ethereum identicons to match an image
When I was contributing to EthAvatar, I was worried about an attacker replicating an Ethereum identicon (Blockie). I wanted to test how easy it would be to brute-force a blockie similar enough to a target that you could use it to phish an account.
An identicon should really only be used to make sure you didn't mistype an address: a quick, deterministic, procedurally generated, human-recognizable picture. You copy and paste an address or scan a QR code, then give the two windows/screens a quick glance to make sure they match. The image is derived from the address, so one small character change results in an obviously different picture:
However, if you don't pay close enough attention, an attacker can search for an address whose identicon looks similar to your trusted account's:
The script is very simple and the source code is available here. It consists of a backend, a frontend, and a miner. The miner generates Ethereum accounts as fast as possible, renders each one's Blockie, and color-compares it with a target image, keeping the closest matches. The frontend adds a drag-and-drop UX for choosing the target:
Once you have an icon you like, click it to get the private key. Paste that private key into MetaMask and you can start making transactions. Don't forget to hit the "X" in the UI to delete the key from the miner. Even after covering your tracks, it's best not to move much money in and out of an account whose private key was generated by a miner, shown in a browser, and passed around like this; treat it as a low-value, throwaway account.
My all time favorite ‘mined’ blockie is Boba Fett. I was trying to put together something Ethereum based for a May 4th hackathon, but ended up going a different direction.
Another reason to make a vanity blockie would be to fit a certain theme within a Dapp that uses identicons. For example, my game Galleass.io uses blockies as the flags of ships and buildings:
I’m currently trying to mine a “Jolly Roger” blockie for a pirate ship, but it isn’t going very well…
Be careful out there and remember that blockies are great for a quick visual inspection, but similar-looking identicons can be generated cheaply by an attacker, so they are no substitute for checking the full address. If you follow Alex Van de Sande, you know there are some neat new things on the horizon for account and key management. Here is his talk on "Universal Logins":
We have an awesome community of really smart people and I’m excited to see how the ecosystem continues to evolve, especially around identity.