The developers of open-source cryptocurrency Monero (XMR) have patched a bug that could allow an attacker to “burn” the funds of an organization’s wallet while only losing network transaction fees, according to an announcement published September 25.
The bug was reportedly discovered after a community member described a hypothetical attack on the XMR subreddit. The bug could purportedly affect merchants and organizations in the XMR ecosystem, enabling an attacker to trigger significant damage. The blog post further describes how the bug would be exploited:
“An attacker first generates a random private transaction key. Thereafter, they modify the code to merely use this particular private transaction key, which ensures multiple transactions to the same public address (e.g. an exchange's hot wallet) are sent to the same stealth address. Subsequently, they send, say, a thousand transactions of 1 XMR to an exchange. Because the exchange's wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1000 XMR.”
While Monero notes that the attacker would not be able to directly accrue monetary gains with such an attack, “there are probably means to indirectly benefit.”
Following the attack, the hacker sells the XMR for Bitcoin (BTC) and then withdraws the BTC. As a result of the attack, the exchange is left with 999 unspendable or “burnt” outputs of 1 XMR.
Notably, the bug has not affected the protocol or the coin supply. XMR developers subsequently created and included a patch in the code, which was announced via XMR’s official Twitter account:
To any exchanges, services, merchants, and other organizations present in the Monero ecosystem, if you have not received or applied a patch yet, compiling v0.13.0.0-RC1 ensures the patch is included.
— Monero || #xmr (@monero) September 25, 2018
XMR, which claims to be a private and “untraceable” cryptocurrency, was the target of fraudulent activities in the crypto space previously. Earlier this month, the MEGA Chrome extension was compromised, which allowed cybercriminals to steal users’ XMR in addition to other sensitive information.
In June, a report published by security company Palo Alto Networks found that around 5 percent of all XMR in circulation at the time was mined maliciously. XMR reportedly has an “incredible monopoly” on the cryptocurrencies targeted by malware, with a total of $175 million mined maliciously.
XMR is currently the tenth largest digital currency, with a market capitalization of nearly $1.9 billion and a circulating supply of over 16 million, according to CoinMarketCap. At press time, XMR is trading at around $114, up 0.68 percent over the last 24 hours.