Serious bug in Monero allowed theft from cryptocurrency exchanges

In a case of potential irony given that Monero is the favored cryptocurrency of hackers worldwide, a recently discovered bug in its code could have allowed bad actors to obtain funds from exchanges illegally.

Described as a “burning bug,” the vulnerability potentially allowed a user to deliberately “burn” Monero, also known as XMR, by sending multiple payments to the same stealth address.

As CCN explained, when a sender made several payments to the same stealth address, the recipient would have been able to spend only one of the resulting outputs (the wallet automatically uses the largest output first); the funds sent in the other transactions would have been rendered unspendable. That’s because spending them would have produced duplicate key images, which the network rejects as suspected double-spend attacks.

In a blog post, the Monero developer explained that “because the exchange’s wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1,000 XMR. The attacker then sells his XMR for BTC and lastly withdraws this BTC. The result of the hacker’s action(s) is that the exchange is left with 999 unspendable/burnt outputs of 1 XMR.”
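How a deposit handler could surface exactly the abnormality the developer describes (several outputs landing on one stealth address) before crediting an account, as an added illustration in Python; this is not Monero’s or any exchange’s code, and the transaction ids and one-time keys are constructed placeholders:

```python
from collections import defaultdict
from dataclasses import dataclass

PICONERO = 10**12  # atomic units per XMR (Monero amounts carry 12 decimals)


@dataclass(frozen=True)
class ReceivedOutput:
    tx_hash: str       # transaction id (constructed sample values below)
    one_time_key: str  # the stealth address, i.e. the one-time output public key
    amount: int        # atomic units


def assess_deposits(outputs):
    """Group incoming outputs by one-time key. Outputs that share a key would
    derive the same key image, so only one of them (the largest, which the
    wallet spends first) is actually spendable; the rest are burnt.
    Returns what a naive wallet would credit versus what is really spendable."""
    by_key = defaultdict(list)
    for o in outputs:
        by_key[o.one_time_key].append(o)

    naive_credit = sum(o.amount for o in outputs)  # what an unpatched wallet credits
    safe_credit = 0
    burnt = []
    warnings = []
    for key, outs in by_key.items():
        outs.sort(key=lambda o: o.amount, reverse=True)
        safe_credit += outs[0].amount          # largest output is the one spent first
        if len(outs) > 1:
            burnt.extend(outs[1:])             # duplicates can never be spent
            warnings.append(
                f"{len(outs)} outputs received on one-time key {key[:8]}...; "
                f"only 1 is spendable, hold the deposit for review"
            )
    return {
        "naive_credit": naive_credit,
        "safe_credit": safe_credit,
        "burnt_amount": sum(o.amount for o in burnt),
        "warnings": warnings,
    }


# Constructed sample: 1,000 separate 1 XMR payments to the same stealth address
# (the scenario in the developer's post) plus one ordinary 5 XMR deposit.
SAMPLE = [ReceivedOutput(f"tx{i:04d}", "ab" * 32, 1 * PICONERO) for i in range(1000)]
SAMPLE.append(ReceivedOutput("tx_normal", "cd" * 32, 5 * PICONERO))
```

On the sample the naive wallet would credit 1,005 XMR while only 6 XMR are spendable, with 999 XMR burnt, which is the gap the attacker in the post cashes out.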

Although the bug has been rectified with a patch being offered to exchanges, the fact that it existed to begin with may have caused Monero some longer-term damage.

According to Unhashed, Bittrex, Poloniex and Cryptopia all suspended trading in Monero as news of the vulnerability became known. Trading has resumed on most of those exchanges, but bigger exchanges now look unfavorably on risky cryptocurrencies.

Bittrex delisted Bitcoin Gold earlier this month after a hack, and a quick glance through its history shows it has delisted other cryptocurrencies as well.

Monero, already gaining lots of government attention thanks to its use by hackers and other bad actors, is already a risky cryptocurrency for licensed exchanges to handle. Bad press such as this bug is not going to help its cause.

Image: 159526894@N02/Flickr
