Monero Releases Malware Response, Patches Burn Bug

Monero officially released its Malware Response Workgroup website yesterday.

In an effort to help protect Monero’s community, the website aims to provide resources that educate users about the types of malware that may take advantage of them. It provides support for problems including unwanted in-browser and system mining (cryptojacking) and ransomware, all of which have been a growing problem as of late.

According to a blog post by Justin Ehrenhofer on the Monero website, the Malware Response Workgroup is “a self-organized set of volunteers that maintains these resources and provides live support.”

The post goes on to describe future efforts to provide support directly through the website; however, volunteers are currently available for live support at #monero-mrw.

The Burn Bug:

The announcement of the working group is a second bit of positive news from the Monero community, coming shortly after it successfully patched a bug in its wallet code.

The “burn bug” never affected the actual protocol or the coin supply, but, if exploited, it would have allowed a malicious actor to profit significantly from inflicting damages on organizations within the Monero ecosystem, such as exchanges and any entity using a Monero wallet.

The bug could have been exploited as follows: An attacker first generates a random private transaction key. Then, they modify the code to use this particular private transaction key, which ensures multiple transactions to the same public address are sent to the same stealth address. Subsequently, they send, say, a thousand transactions of 1 XMR to an exchange. Because the exchange’s wallet does not warn for this particular abnormality, the exchange will, as usual, credit the attacker with 1000 XMR. The attacker then sells his XMR for BTC and lastly withdraws this BTC. The result of the hacker’s action(s) is that the exchange is left with 999 unspendable / burnt outputs of 1 XMR.

In the simplest sense, the bug allowed for funds to be sent in such a way that the recipient could not spend them, and the wallet would still report these as properly received funds.

It would have been possible to send multiple transactions to the same one-time address, each transaction with a different key image. Since the one-time address can only be used once, the recipient could only claim one of the outputs sent to it — but the wallet software was accumulating the amounts of all of those transactions.
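The accounting flaw described above can be modelled on the receiving side. The following Python sketch is an added example, not Monero wallet code: the `ReceivedOutput` record, the function names, the constructed sample data and the policy of crediting only the largest output per one-time key are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ReceivedOutput:
    txid: str          # transaction that carried the output
    one_time_key: str  # output public key (stealth address), hex
    amount: int        # whole XMR here for readability (toy model)

def naive_balance(outputs):
    """Behaviour the article describes: every received output is summed."""
    return sum(o.amount for o in outputs)

def audit_outputs(outputs):
    """Group outputs by one-time key, since only one output per key is spendable.

    Returns (spendable, burnt, alerts). Assumed policy: credit the largest
    output per key and report the rest as unspendable.
    """
    by_key = defaultdict(list)
    for o in outputs:
        by_key[o.one_time_key].append(o)
    spendable = burnt = 0
    alerts = []
    for key, group in by_key.items():
        best = max(group, key=lambda o: o.amount)
        spendable += best.amount
        dupes = [o for o in group if o is not best]
        if dupes:
            lost = sum(o.amount for o in dupes)
            burnt += lost
            alerts.append((key, [o.txid for o in dupes], lost))
    return spendable, burnt, alerts

# Constructed sample: 1000 deposits of 1 XMR that all share one one-time key,
# plus one ordinary deposit to a fresh key.
SAMPLE = [ReceivedOutput(f"tx{i:04d}", "aa" * 32, 1) for i in range(1000)]
SAMPLE.append(ReceivedOutput("tx_normal", "bb" * 32, 5))

if __name__ == "__main__":
    print("naive balance:", naive_balance(SAMPLE))
    spendable, burnt, alerts = audit_outputs(SAMPLE)
    print("spendable:", spendable, "burnt:", burnt)
    for key, txids, lost in alerts:
        print(f"ALERT key {key[:8]}.. reused by {len(txids)} extra outputs, "
              f"{lost} XMR unspendable")
```

A service that credits deposits from `naive_balance` would record 1005 XMR for this sample, while the audit shows that only 6 XMR can actually be spent and flags the reused key.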

While the concept of burning funds by sending multiple transactions to the same stealth address is nothing new in the Monero community, the consequences when a third party, like an exchange, is involved were never properly thought through. In May 2017, the topic was lightly discussed in a Monero SE Q&A. Users tossed around the idea, concluding they were “not sure of the implications or whether the protocol guards against this.” It was not until the hypothetical scenario included an exchange that the community realized the true implications of such an exploit.

The Discovery and Fix:

The exploit was discovered on September 16, 2018, after Reddit user s_c_m_l described a hypothetical attack on exchanges that support Monero’s XMR token. The scenario presented User A sending XMR to Exchange B via many transactions with the same stealth address, allowing User A to then exchange the currency he sent and proceed to cash out. This was the first time anyone had imagined such a situation.

Less than 24 hours after s_c_m_l proposed the attack in a Monero subreddit, another Reddit user, Vespco, posted the idea in the official Monero subreddit. Shortly after, a patch was created by the Monero developer team and applied on top of the v0.12.3.0 release branch. The patch was implemented via a pull request.

After pull request #4438 was implemented, the developer community privately notified as many exchanges, services and merchants as possible in order to minimize the number of organizations that would be exposed when the official announcement was made.

Monero Community Responses:

As dEBRUYNE mentions in his blog post, this practice was not ideal because there were inevitably organizations that they weren’t able to notify. The behind-the-scenes notifications could also have been viewed as preferential treatment, which is never ideal for a community fostering decentralization and fairness.

Following the patch release, community members on Reddit were unsure how to perceive the outcome of the situation and were debating if the Monero developer team should have disclosed that there was a bug while they were working on a patch instead of after.

