A bug in Monero (XMR) blockchain network, which could be exploited by hackers to “burn” the funds held in an organization’s wallet by spending only network transaction charges, was fixed through a patch by the Monero team.
The vulnerability came to limelight after a XMR community member explained a theoretical attack on the XMR subreddit.
According to the posting, the vulnerability could supposedly affect retail and wholesale merchants and firms which are active in the XMR ecosystem. A hacker will be able to exploit the vulnerability by triggering considerable damage. The blog post further explains how the code could be exploited:
“An attacker first generates a random private transaction key. Thereafter, they modify the code to merely use this particular private transaction key, which ensures multiple transactions to the same public address (e.g. an exchange’s hot wallet) are sent to the same stealth address. Subsequently, they send, say, a thousand transactions of 1 XMR to an exchange. Because the exchange’s wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1000 XMR.”
Monero has clarified that a hacker will not be able to monetarily benefit from exploiting the vulnerability. However, according to Monero “there are probably means to indirectly benefit.”
Monero team has explained that following the attack, a hacker can exchange the XMR for Bitcoin (BTC) and then withdraw it, effectively “leaving the exchange with 999 ‘not spendable’ or ‘burnt’ outputs of 1 XMR.”
It can be noted that so far the bug has not affected the protocol or the coin supply. As mentioned earlier, XMR development team has quickly responded to create and implement a patch, which was confirmed via XMR’s official Twitter account.
A Post Mortem of The Burning Bug: https://t.co/Iqii03G3DJ
— Monero || #xmr (@monero) September 25, 2018
XMR, which is focused on privacy and anonymity, was mainly used for fraudulent activities in the crypto space previously. Notably, the MEGA Chrome extension was compromised earlier this month. This enabled cybercriminals to loot XMR and other sensitive information.
Furthermore, in June, a report published by cyber security firm Palo Alto Networks discovered that nearly 5% of all XMR in circulation was mined maliciously. XMR supposedly has an “incredible monopoly” over cryptocurrencies sought by malware, with nearly $175 million mined maliciously.
