Monero developers patch bug that allow user to deliberately “burn” XMR
Developers of Monero (XMR) recently patched a bug that would have been damaging to crypto exchanges and XMR-friendly merchants. A software patch was privately distributed to exchanges and merchants. However, a detailed explanation of how the bug could be used to cause harm to merchants, services, and exchanges, and how it Monero (dev) community handled it was publicly disclosed in a blog post.
According to the post, the bug could have allowed users to deliberately “burn” XMR by sending multiple transactions to the same stealth address. “The bug basically entails the wallet not providing a warning when it receives a burnt output. Therefore, a determined attacker could burn the funds of an organization’s wallet whilst merely losing network transaction fees,” the post mentioned.
As the wallet automatically uses the largest output first, the recipient would have been able to spend one output. However, funds sent through following transactions would have been unspendable/burnt since it would have resulted in duplicate key images, and the network would have rejected it considering it to be suspected double spend attacks.
In addition, the transactions to the same stealth address will be linkable. So, an attacker could have exploited the bug by multiple payments to a single stealth address belonging to a merchant or cryptocurrency exchange. Specifically, the bug was found in the Monero wallet software where this particular abnormality is not screened.
The bug was discovered after a Monero community member described it as a (hypothetical) attack on Monero subreddit. Soon after this, a private patch was created.
“I (and others) privately notified as many exchanges, services, and merchants as possible with the (private) patch that had to be applied on top of the v0.12.3.0 release branch. To reiterate (from the previous post mortem blog), this is clearly not the preferred method, as it (i) invariably excludes organizations that I (and others) personally do not have contact with, but are an essential part of the Monero ecosystem and (ii) may invoke a view of preferential treatment. However, there had only been limited time to improve the vulnerability report process,” the post mentioned.
Though the bug in the wallet software could have caused significant damage to organizations present in the Monero ecosystem, it fortunately did not affect the protocol and the coin supply remained unaffected.
Image via Shutterstock
Join our Telegram group