Serious bug in Monero allowed theft from cryptocurrency exchanges
In a case of potential irony given that Monero is the favored cryptocurrency of hackers worldwide, a recently discovered bug in its code could have allowed bad actors to obtain funds from exchanges illegally.
Described as a “burning bug,” the vulnerability potentially allowed a user to deliberately “burn” Monero, also known as XMR, by sending multiple payments to the same stealth address.
As CCN explained, a person sends the payment and while the recipient would have been able to spend one output (the wallet automatically uses the largest output first), funds sent through subsequent transactions would have been rendered unspendable. That’s because these transactions would have resulted in duplicate key images that would have been rejected by the network as suspected double-spend attacks.
In a blog post, the Monero developer explained that “because the exchange’s wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1,000 XMR. The attacker then sells his XMR for BTC and lastly withdraws this BTC. The result of the hacker’s action(s) is that the exchange is left with 999 unspendable/burnt outputs of 1 XMR.”
Although the bug has been rectified with a patch being offered to exchanges, the fact that it existed to begin with may have caused Monero some longer-term damage.
According to Unhashed, Bittrex, Poloniex, Cryptopia and XMR.to all suspended trading in Monero as news of the vulnerability became known. Trading has returned on most of those exchanges, but bigger exchanges now look poorly on risky cryptocurrency.
Bittrex delisted Bitcoin Gold earlier this month after a hack and a quick glance through its history shows it has delisted other cryptocurrencies as well.
Monero, already gaining lots of government attention thanks to its use by hackers and other bad actors, is already a risky cryptocurrency for licensed exchanges to handle. Bad press such as this bug is not going to help its cause.
Image: 159526894@N02/Flickr
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU