A Monero (XMR) Bug Could Have Caused Havoc: Issue Identified and Patch Now Ready for Release
One thing about coding that many people forget is that it is an unimaginable number of lines and coders are but humans. While the technology has made it relatively easier to code the mundane bits by using “subroutines”, there are still complexities involved that make programming so fun and challenging. Thus there was a mixed reaction in the community when it was found that there was a bug in the XMR wallet software that could potentially let miscarents make fake deposits to exchanges.
The problem was shared on the website Medium, by the official Ryo account. It appears the issue was reported in an email to the Monero announce mailing list. The letter was addressed to the various exchanges and service operators who used the coin. It stated that the Monero Vulnerability Response team had been notified of a vulnerability that was a result of an output mishandling coinbase transactions.
This issue could have allowed an attack on the various exchanges that were using or trading XMR. According to a source this stems from an
“apparent insecure design where the amount displayed to the user is different from the amount checked by the network.”
The design in question deals with a transaction that has a plaintext amount and a null rct signature. This means a non-null rct signature will pass on an amount anyway, without any checks, effectively letting an attacker inject a hypothetical amount and still appear as if a deposit has been made.
The email that warned of this also, helpfully, contained a workaround to ensure that no one can be exploited by the bug.
This solution was quickly endorsed and distributed by the official Monero page. Later the same account also confirmed that the fix for the vulnerability was now being reviewed and the patch will be applied soon.
Ryo, who notified this issue is a cryptocurrency derived from Monero. They have been criticized in some quarters after it was found they were aware of the issue and had actioned a fix more than half a year ago. In their defense, it is claimed that their lack of “a responsible disclosure” stems from the not so friendly attitude that the Monero team has taken towards most security researchers, in the past.
To compound their problems Monero seems to have more issues. In fact, the blog which caused all this ruckus notes that in talking about this exploit, on another forum, the writer had unintentionally mentioned another issue. Furthermore, there have been talks of more bugs in the Nano S Monero app.
All this bad press doesn't augur well for the coin that has generally been seen in its ascendency. Yet it must also be remembered that such issues can happen. It is imperative that the industry works with greater cohesion and ensures that such bugs and issues are fixed before they have the potential to do damage, as was the case here.