Ad
CryptoSlate on Substack
Daily digest of top crypto stories and market insights. Never miss out.
Join 75k subscribers
 Ad
News
Morgan Stanley considers allowing brokers to recommend Bitcoin ETFs to clients Ex-Binance CEO CZ seeks forgiveness and a fresh start in pre-sentencing apology letter Authorities shut down Samourai Wallet, arrest founders over money laundering charges in $2 billion DOJ case KPMG survey reveals significant uptick in institutional adoption of crypto in Canada Amazon, Microsoft AI partnerships face potential UK antitrust probe
Monero Patches ‘Burning Bug’ Monero Patches ‘Burning Bug’ John Bogna · 6 years ago · 2 min read
🚨 This article is 6 years old...
NewsCrypto

Monero Patches ‘Burning Bug’

John Bogna
Sep. 26, 2018 at 1:00 am UTC
2 min read
Updated: Nov. 7, 2019 at 2:34 am UTC
Monero Patches ‘Burning Bug’

Photo by Josh Boot on Unsplash

In a post-mortem report released on their website on Tuesday, the developers of Monero say they were able to patch a potentially serious bug that would’ve allowed malicious users to ‘burn’ cryptocurrency exchange deposits.

This burning would be achieved by users flooding the same stealth address with multiple payments, effectively rendering the funds in the account unusable, because after the initial request all other requests would be rejected as suspicious. The only thing the malicious user would lose is transaction fees paid to whatever exchange the wallet they’re attacking is a part of.

Breaking down the bug

The report explains the bug as follows:

“The bug basically entails the wallet not providing a warning when it receives a burnt output. Therefore, a determined attacker could burn the funds of an organization’s wallet whilst merely losing network transaction fees.”

Because of the way a key image is generated when sending Monero, multiple requests would result in multiple, identical key images, causing every subsequent transaction to be rejected. An attacker would do this by modifying the code to send the same private key every time, generating the duplicate public keys and causing the system to reject the transactions after the first.

The burnt stealth address the requests are being sent to would only be usable once, rendering everything else as good as gone.

This is how Monero breaks it down in detail:

“An attacker first generates a random private transaction key. Thereafter, they modify the code to merely use this particular private transaction key, which ensures multiple transactions to the same public address (e.g. an exchange’s hot wallet) are sent to the same stealth address. Subsequently, they send, say, a thousand transactions of 1 XMR to an exchange. Because the exchange’s wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1000 XMR. The attacker then sells his XMR for BTC and lastly withdraws this BTC. The result of the hacker’s action(s) is that the exchange is left with 999 unspendable / burnt outputs of 1 XMR.”

How they found it

The bug was, according to Monero’s report, discovered by a community member’s hypothetical description of this attack on the Monero subreddit.

Once the Monero dev team saw the danger in this bug and that it could actually be exploited, they issued a patch and notified as many merchants, exchanges, and services using Monero as they could so they could install it. The developers also informed everyone on their public mailing list of the danger and patch.

Monero says that while some damage was done, the bug has not affected the protocol or the coin supply. They ended their post-mortem with a word of caution: that cryptocurrency technology is still vulnerable to critical bugs, and that everyone in the community should do their best to stay informed.

Mentioned in this article
Monero
Posted In: , Crypto
Latest Monero Stories
Monero rebounds with 23% gain, marking recovery from news of Binance delisting

Monero rebounds with 23% gain, marking recovery from news of Binance delisting

Analysis 3 months ago

Monero recovers in a bullish response to news of Binance's delisting decision.

Binance’s delisting move sends Monero and Multichain values tumbling 20%

Binance’s delisting move sends Monero and Multichain values tumbling 20%

Exchanges 3 months ago

The delisted assets have encountered varying challenges, ranging from regulatory issues to system hack, during the past year.

OKX delisting triggers price fall for privacy coins Zcash and Monero

OKX delisting triggers price fall for privacy coins Zcash and Monero

Exchanges 4 months ago

Observers suggested that the move might be part of the exchange's regulatory compliance efforts.

Ransomware group known to use Monero and Bitcoin targets Italian asset manager

Ransomware group known to use Monero and Bitcoin targets Italian asset manager

Crime 9 months ago

The cybercrime group BlackCat tried but largely failed to attack Azimut.

Latest Press Releases
View All

Disclaimer: Our writers' opinions are solely their own and do not reflect the opinion of CryptoSlate. None of the information you read on CryptoSlate should be taken as investment advice, nor does CryptoSlate endorse any project that may be mentioned or linked to in this article. Buying and trading cryptocurrencies should be considered a high-risk activity. Please do your own due diligence before taking any action related to content within this article. Finally, CryptoSlate takes no responsibility should you lose money trading cryptocurrencies.

Latest Alpha

In this article

Monero XMR (24h)
$118.983 -1.96%

Monero is an open-source cryptocurrency that focuses on privacy, decentralization, and scalability..

More about Monero
 Ad
CryptoSlate on X x.com/cryptoslate
Join our X community for real-time crypto news and expert insights.
Join 50k followers
 Ad