Monero encounters bug attacks in its accounting functionality
Monero has discovered its vulnerability to multiple counting bug attack which was directed towards wallet software’s accounting functions. The revelation comes through a report released on 5th September that sheds light on the nature of the bug and the manner in which it has brought about the exploitation of the exchanges, merchants and services. However, the Monero protocol and its native cryptocurrency remain unaffected.
The bug characteristic
The bug is characterised by two variants that need unique form of transaction public key. Along with the subaddress, this was introduced. The first variant did not include an inspection inflicted by the code to protect against the duplication of public keys. Such kind of vulnerability made the attackers make a transaction which would be including transaction public key, a number of times. This paved the way for duplicating transaction public key.
The code of the bug’s second variant did not examine the dummy transaction public keys. This enabled the hacker to scan the outputs twice in the transaction by leveraging the alternative transaction public key. Consequently, the wallet would report it has received twice the amount which actually receive. Previously, on the GitHub platform, the first variant was reported. The report, however, failed to rightfully estimate the bug’s seriousness.
As a result, the organisation under Monero system encountered theft of funds and also the exchanges were exploited. Furthermore, a security researcher at HackerOne has given a vivid description in a report about the way in which the bug was used to loot funds from different exchanges. HackerOne’s Phiren reported about the bug’s second variant. Once, the two patches got merged, a new version called V0.12.3.0 was released by Fluffypony, the Lead Maintainer of Monero.
Image via Shutterstock
Join our Telegram group