After a vulnerability was spotted in Monero’s ecosystem, users reported it to the company. In response, the Monero development team patched the bug, which reportedly allowed hackers to “burn” the funds in a targeted organization’s cryptocurrency wallet.
26 September 2018 – The developers of the open-source cryptocurrency Monero (XMR) have reportedly fixed a bug that could allow an attacker to “burn” the funds in an organization’s wallet while losing only network transaction fees.
What is the “Burning Bug”?
According to the statement from the cryptocurrency company, the bug was reportedly discovered after a community member described a hypothetical attack on one of the subreddits related to XMR. It could affect merchants and organizations in the XMR ecosystem, allowing an attacker to cause significant damage. The blog post from Monero describes how the bug would be exploited:
“An attacker first generates a random private transaction key. Thereafter, they modify the code to merely use this particular private transaction key, which ensures multiple transactions to the same public address (e.g. an exchange’s hot wallet) are sent to the same stealth address. Subsequently, they send, say, a thousand transactions of 1 XMR to an exchange. Because the exchange’s wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1000 XMR.”
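The missing warning described in the quote can be shown as a deposit-crediting check. The sketch below is an added example, not Monero's patch or wallet code: `Output`, `naive_credit`, `credit_deposits` and the sample data are hypothetical names and constructed values. It relies on the fact that outputs sharing one stealth address can only be spent once, and it assumes a policy of counting the largest such output.

```python
from dataclasses import dataclass

XMR = 10**12  # atomic units per 1 XMR


@dataclass(frozen=True)
class Output:
    txid: str
    stealth_addr: str  # one-time output public key, hex
    amount: int        # atomic units


def naive_credit(outputs):
    """Behaviour described in the quote: every received output is credited."""
    return sum(o.amount for o in outputs)


def credit_deposits(outputs):
    """Count each stealth address once and warn about every repeat.

    Assumed policy of this example: when a stealth address repeats, keep
    the largest output, since only one of them can ever be spent.
    Returns (credited_total, warnings).
    """
    counted = {}   # stealth address -> Output currently credited
    warnings = []
    for out in outputs:
        prev = counted.get(out.stealth_addr)
        if prev is None:
            counted[out.stealth_addr] = out
            continue
        warnings.append(f"{out.txid}: stealth address already used by {prev.txid}")
        if out.amount > prev.amount:
            counted[out.stealth_addr] = out
    return sum(o.amount for o in counted.values()), warnings


# Constructed sample: 1000 deposits of 1 XMR to one stealth address, plus
# one ordinary 5 XMR deposit to a different one. Keys and txids are made up.
SAMPLE = [Output(f"tx{i:04d}", "aa" * 32, 1 * XMR) for i in range(1000)]
SAMPLE.append(Output("tx-normal", "bb" * 32, 5 * XMR))

if __name__ == "__main__":
    credited, warnings = credit_deposits(SAMPLE)
    print("naive credit :", naive_credit(SAMPLE) // XMR, "XMR")
    print("safe credit  :", credited // XMR, "XMR")
    print("warnings     :", len(warnings))
```

A service running such a check would hold the flagged deposits for review instead of crediting them automatically.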
Monero Patches the Vulnerability
Monero highlights that the attacker would not be able to obtain monetary gains with such an attack. However, “there are probably means to indirectly benefit.”
After the attack, the hacker would sell the XMR for Bitcoin and withdraw the BTC. As a result of the attack, the exchange would be left with 999 unspendable or “burnt” outputs of 1 XMR. It is worth mentioning that the bug has not affected the protocol or the coin supply. The developers of XMR have created a fix and included it in the code. The team announced the news via XMR’s official Twitter account:
“To any exchanges, services, merchants, and other organizations present in the Monero ecosystem, if you have not received or applied a patch yet, compiling v0.13.0.0-RC1 ensures the patch is included.”
XMR claims to be a private and “untraceable” cryptocurrency, and the coin has previously been at the center of fraudulent activities in the cryptocurrency sector. Earlier this month, cybercriminals stole users’ XMR by compromising the MEGA Chrome extension.