Monero Developers Patch Bug Allowing Attackers to ‘Burn’ Crypto Exchange Deposits
The developers of privacy-minded cryptocurrency monero have patched a bug that would have allowed an attacker to cause significant damage to cryptocurrency exchanges as well as XMR-friendly merchants.
The Now-Patched Monero Bug Put Cryptocurrency Exchanges, Merchants at Great Risk
Addressed through a software patch privately distributed to exchanges and merchants and later publicly disclosed through a post-mortem on the project’s website, the bug would have allowed a user to deliberately “burn” XMR by sending multiple payments to the exact same stealth address.
While the recipient would have been able to spend one output (the wallet automatically uses the largest output first), funds sent through subsequent transactions would have been rendered unspendable, since spending them would have produced duplicate key images that the network would have rejected as suspected double-spend attacks.
A determined attacker could have exploited this bug by sending a series of payments to a single stealth address belonging to a cryptocurrency exchange. Specifically, this bug was found in the Monero wallet software, which did not screen for this particular abnormality. Consequently, the receiving wallet would not have flagged these transactions as problematic and would have credited the deposit (or marked the invoice as paid).
In the case of an exploit executed against an exchange, the attacker would have been able to trade the full deposit for other cryptocurrencies and withdraw them to an external wallet. However, when the crypto exchange operator attempted to include the deposited funds in a future transaction, they would only have been able to spend the largest output. Though the attacker would not have received a direct material benefit, they could have, for the price of network transaction fees, caused said exchange, and by extension traders holding funds on the platform, to lose a huge amount of funds.
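The wallet-side screening that was missing can be sketched as follows. This is an added example, not code from the article or from the Monero project: the `Output` record, its field names and the sample deposits are constructed for illustration, and amounts are plain integers.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    txid: str          # transaction that carried the output (constructed id)
    one_time_key: str  # output public key, i.e. the stealth address paid
    amount: int        # amount in atomic units


def naive_total(outputs):
    """What an unscreened wallet credits: every output at face value."""
    return sum(o.amount for o in outputs)


def screen_deposits(outputs):
    """Return (creditable_total, burnt_outputs).

    Outputs paid to the same one-time key share a single key image, so the
    network accepts a spend of only one of them. Credit the largest output
    per key and report the rest as unspendable duplicates.
    """
    by_key = defaultdict(list)
    for out in outputs:
        by_key[out.one_time_key].append(out)

    creditable = 0
    burnt = []
    for group in by_key.values():
        # Largest first; ties broken by txid so the result is deterministic.
        group.sort(key=lambda o: (-o.amount, o.txid))
        creditable += group[0].amount
        burnt.extend(group[1:])
    return creditable, burnt


# Constructed sample: three deposits reuse key "K1", one normal deposit to "K2".
SAMPLE = [
    Output("tx-a", "K1", 5),
    Output("tx-b", "K1", 40),
    Output("tx-c", "K1", 40),
    Output("tx-d", "K2", 7),
]

if __name__ == "__main__":
    total, burnt = screen_deposits(SAMPLE)
    print("naive credit:", naive_total(SAMPLE), "spendable credit:", total)
    for o in burnt:
        print("unspendable duplicate:", o.txid, o.amount)
```

An exchange or merchant should hold any deposit that appears in the burnt list for manual review instead of crediting it.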
Had it been deployed on a large enough scale, the exploit could have indirectly benefited the attacker by reducing the effective monero supply (i.e. the amount of spendable XMR), thereby theoretically increasing the value of each spendable coin relative to the cryptocurrency’s market cap.
Interestingly, the basic structure of the exploit had been known for quite some time. However, it was only recently that, spurred by a discussion on the XMR subreddit, developers identified that the bug could be meaningfully exploited to the detriment of cryptocurrency exchanges and other organizations.
Disclosure of the bug has not had a noticeable effect on the monero price. Currently trading at $119, XMR is down 1 percent for the day while most other large-cap altcoins are down at least 3 percent.