Monero Patches 'Burning Bug'

Udgivet den by Cryptoslate | Udgivet den

Nævnt i denne artikel
Released on their website on Tuesday, the developers of Monero say they were able to patch a potentially serious bug that would've allowed malicious users to 'burn' cryptocurrency exchange deposits.

Co/Iqii03G3DJ. - Monero || #xmr September 25, 2018.This burning would be achieved by users flooding the same stealth address with multiple payments, effectively rendering the funds in the account unusable, because after the initial request all other requests would be rejected as suspicious.

The only thing the malicious user would lose is transaction fees paid to whatever exchange the wallet they're attacking is a part of.

"The bug basically entails the wallet not providing a warning when it receives a burnt output. Therefore, a determined attacker could burn the funds of an organization's wallet whilst merely losing network transaction fees."

Because of the way a key image is generated when sending Monero, multiple requests would result in multiple, identical key images, causing every subsequent transaction to be rejected.

An attacker would do this by modifying the code to send the same private key every time, generating the duplicate public keys and causing the system to reject the transactions after the first.

"An attacker first generates a random private transaction key. Thereafter, they modify the code to merely use this particular private transaction key, which ensures multiple transactions to the same public address are sent to the same stealth address. Subsequently, they send, say, a thousand transactions of 1 XMR to an exchange. Because the exchange's wallet does not warn for this particular abnormality, the exchange will, as usual, credit the attacker with 1000 XMR. The attacker then sells his XMR for BTC and lastly withdraws this BTC. The result of the hacker's action(s) is that the exchange is left with 999 unspendable / burnt outputs of 1 XMR.".

The bug was, according to Monero's report, discovered by a community member's hypothetical description of this attack.

Once the Monero dev team saw the danger in this bug and that it could actually be exploited, they issued a patch and notified as many merchants, exchanges, and services using Monero as they could so they could install it.

Monero says that while some damage was done, the bug has not affected the protocol or the coin supply.

x