
Monero Devs Patch Bug Allowing Attackers to ‘Burn’ Cryptocurrency Exchange Deposits


The developers of privacy-centric cryptocurrency monero have patched a bug that would have allowed an attacker to cause significant damage to cryptocurrency exchanges and XMR-friendly merchants.

Now-Patched Monero Bug Put Cryptocurrency Exchanges, Merchants at Risk

Addressed through a software patch privately distributed to exchanges and merchants and later publicly disclosed through a post-mortem on the project’s website, the bug would have allowed a user to deliberately “burn” XMR by sending multiple payments to the same stealth address. While the recipient would have been able to spend one output (the wallet automatically uses the largest output first), funds sent through subsequent transactions would have been rendered unspendable, since spending them would have produced duplicate key images that the network rejects as suspected double spends.

A determined attacker could have exploited this bug by sending a series of payments to a single stealth address belonging to a cryptocurrency exchange or merchant. Specifically, the bug was found in the monero wallet software, which did not screen for this particular abnormality. Consequently, the receiving wallet would not have flagged these transactions as problematic and would have credited the deposit or marked the invoice as paid.
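To make the mechanism in the two paragraphs above concrete, here is an added Python model of the receiving wallet's bookkeeping; it is example code written for this page, not Monero's wallet code. Real ed25519 arithmetic is replaced by a hash, so `key_image` only models the one property that matters here: the key image is a function of the one-time output key, so outputs sharing that key share a key image. The transaction ids, one-time keys and amounts are constructed, and the "largest output first" spending order follows the article's description.

```python
import hashlib
from dataclasses import dataclass

# Constructed model of the scenario the article describes. It is not Monero's
# code: real ed25519 arithmetic is replaced by hashes so the example runs
# offline, and only the wallet bookkeeping and the network's key-image rule
# are modelled.

XMR = 1_000_000_000_000  # atomic units (piconero) per XMR


@dataclass(frozen=True)
class Output:
    txid: str             # constructed transaction id
    one_time_key: str     # one-time output public key P (the "stealth address")
    amount: int           # value in piconero (constructed)


def key_image(one_time_key: str) -> str:
    """Stand-in for the key image I = x * H_p(P), where x is the one-time private
    key belonging to output key P. Because I depends only on P (via x), two
    outputs that share P always yield the same key image. A hash models that."""
    return hashlib.sha256(b"key-image|" + one_time_key.encode()).hexdigest()[:16]


def naive_credit(outputs):
    """Pre-patch wallet behaviour as modelled here: every output owned by the
    wallet is credited in full, regardless of duplicated one-time keys."""
    return sum(o.amount for o in outputs)


def largest_per_key(outputs):
    """Group outputs by one-time key and keep the largest output of each group,
    mirroring the wallet's 'largest output first' spending rule."""
    best = {}
    for o in outputs:
        cur = best.get(o.one_time_key)
        if cur is None or o.amount > cur.amount:
            best[o.one_time_key] = o
    return best


def spendable_credit(outputs):
    """Patched wallet behaviour as modelled here: only the largest output per
    one-time key can ever be spent, so only that one is credited."""
    return sum(o.amount for o in largest_per_key(outputs).values())


def flag_duplicates(outputs):
    """Outputs a receiving wallet should warn about (and not credit): every
    output whose one-time key is already taken by a larger output."""
    keep = {o.txid for o in largest_per_key(outputs).values()}
    return [o for o in outputs if o.txid not in keep]


def simulate_spends(outputs):
    """Model the network rule that a key image may appear in at most one accepted
    transaction. Spends largest outputs first; returns (accepted, rejected)."""
    seen, accepted, rejected = set(), 0, []
    for o in sorted(outputs, key=lambda o: o.amount, reverse=True):
        ki = key_image(o.one_time_key)
        if ki in seen:
            rejected.append(o)       # duplicate key image: rejected as a double spend
        else:
            seen.add(ki)
            accepted += o.amount
    return accepted, rejected


# Constructed deposits: three payments to the same one-time key P1 plus one
# ordinary payment to P2.
SAMPLE_DEPOSITS = [
    Output("tx-a", "P1", 5 * XMR),
    Output("tx-b", "P1", 3 * XMR),
    Output("tx-c", "P1", 2 * XMR),
    Output("tx-d", "P2", 1 * XMR),
]

if __name__ == "__main__":
    print("naive credit     :", naive_credit(SAMPLE_DEPOSITS) / XMR, "XMR")
    print("spendable credit :", spendable_credit(SAMPLE_DEPOSITS) / XMR, "XMR")
    accepted, rejected = simulate_spends(SAMPLE_DEPOSITS)
    print("network accepts  :", accepted / XMR, "XMR;", len(rejected), "spends rejected")
    print("flagged deposits :", [o.txid for o in flag_duplicates(SAMPLE_DEPOSITS)])
```

Running it shows the gap the bug opened: the naive wallet credits 11 XMR, but the network will only ever accept 6 XMR of spends from these outputs, which is exactly what `spendable_credit` reports once duplicates are collapsed by one-time key. The check a receiving service wants is `flag_duplicates`: a second deposit to an already-used one-time key should be held for review rather than credited.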

In the case of an exploit executed against an exchange, the attacker would have been able to trade the full deposit for other cryptocurrencies and withdraw them to an external wallet. However, when the exchange operator attempted to include the deposited funds in a future transaction, they would only have been able to spend the largest output. And though the attacker would not have received a direct material benefit, they could have — for the price of network transaction fees — caused the exchange, and by extension traders holding funds on the platform, to lose a massive amount of funds.

If deployed on a large enough scale, the exploit could have indirectly benefited the attacker by reducing the effective monero supply, i.e. the amount of spendable XMR, thereby theoretically increasing the value of each spendable coin relative to the cryptocurrency’s market cap.

Notably, the basic structure of the exploit had been known for quite some time. However, it was only recently that, spurred by a discussion on the XMR subreddit, developers identified that the bug could be meaningfully exploited to the detriment of cryptocurrency exchanges, merchants, and other organizations.

Disclosure of the bug has not had a noticeable effect on the monero price. Currently trading at $114, XMR is down 3 percent for the day while most other large-cap altcoins are down at least 5 percent.

More Code Review Needed in Cryptocurrency Ecosystem

Reflecting on the process used to disclose the bug and privately circulate the patch to vulnerable organizations, community moderator dEBRUYNE acknowledged that the methods used were less than ideal but noted that the community has not yet implemented a better vulnerability reporting protocol.

From the post:

“I (and others) privately notified as many exchanges, services, and merchants as possible with the (private) patch that had to be applied on top of the v0.12.3.0 release branch. To reiterate (from the previous post mortem blog), this is clearly not the preferred method, as it (i) invariably excludes organizations that I (and others) personally do not have contact with, but are an essential part of the Monero ecosystem and (ii) may invoke a view of preferential treatment. However, there had only been limited time to improve the vulnerability report process.”

Later in the post, dEBRUYNE called for more developers to participate in XMR code review to prevent similar incidents from occurring in the future, adding that “this event is again an effective reminder that cryptocurrency and the corresponding software are still in its infancy and thus quite prone to (critical) bugs.”

Indeed, not even bitcoin is immune from such incidents. As CCN reported, BTC developers recently patched a vulnerability that, if exploited, would have allowed miners to effectively print new coins, artificially inflating the cryptocurrency’s supply.
