Inside money, markets, and big tech

Devs disclose critical XMR-burning bug in Monero wallets

Hackers could have tricked exchanges into giving up their XMR

Monero developers have disclosed a major bug that could really have been nasty. Until now, attackers could have drained Monero from exchanges (or any organizational wallet), all for the cost of a few transaction fees.

“A bug in the wallet software allowed a determined attacker to cause significant damage to organizations present in the Monero ecosystem with minimal cost,” declares the official statement. “[…] A determined attacker could burn the funds of an organization’s wallet whilst merely losing network transaction fees.”

Without getting too technical – the Monero blockchain can actually “burn” XMR under certain circumstances, as can Bitcoin and Ethereum.

In Monero’s case, the blockchain assumes transactions between identical stealth addresses to be illegitimate transactions, and “burns” one of the them, allowing just a single “correct” transaction through.

Monero’s blockchain doesn’t remove or replace burned XMR – it just makes it unusable.

The Monero community has known about burning when transactions occur between identical stealth addresses for a while – but security researchers have only just discovered that it allows hackers to siphon XMR directly from external wallets.

The disclosure steps through this process. After modifying a Monero wallet to make transactions using the same stealth address as the target wallet, “[attackers] send, say, a thousand transactions of one XMR to an exchange.”

“Because the exchange’s wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1,000 XMR,” a Monero dev explains.

The attacker then sells his XMR for BTC and lastly withdraws this BTC. The result of the hacker’s action(s) is that the exchange is left with 999 unspendable / burnt outputs of 1 XMR.”

Developers created a private fix to distribute (in secret) to major exchanges and merchants so as not to draw any attention during the patching process. Monero devs note that it appears no losses were incurred due to the bug.

The statement ends with a stern warning: “This event is again an effective reminder that cryptocurrency and the corresponding software are still in its infancy and thus quite prone to (critical) bugs.”

If you’re interested in everything blockchain, chances are you’ll love Hard Fork Decentralized. Our blockchain and cryptocurrency event is coming up soon – join us to hear from experts about the industry’s future. Check it out!

Published September 25, 2018 — 16:10 UTC