Monero developers just publicly disclosed a potentially devastating XMR-burning bug. If exploited, the bug would have allowed attackers to drain Monero from exchange wallets for the cost of a few transaction fees.
Here’s how Monero’s developers explained the latest exploit:
“A bug in the wallet software allowed a determined attacker to cause significant damage to organizations present in the Monero ecosystem with minimal cost…A determined attacker could burn the funds of an organization’s wallet whilst merely losing network transaction fees.”
The bug had been present in Monero's code for a significant amount of time. It wasn't actually discovered, however, until a Redditor proposed a possible attack vector on /r/Monero last week. That post didn't attract much attention at the time, but Monero developers clearly noticed.
Fortunately for the XMR community, Monero developers were able to quietly patch the issue before it was exploited.
How the Exploit Worked
Monero's blockchain, just like bitcoin and Ethereum, allows users to "burn" XMR if they choose to do so. As on other blockchains, burned tokens aren't technically "deleted"; they're just made unusable.
With the bug at the centre of this disclosure, the blockchain treats multiple transactions to an identical stealth address as illegitimate: only a single "correct" transaction makes it through, and the other output is burned.
In other words, if two transactions pay the same stealth address, only one of them is honoured, and the funds sent in the other are burned.
In theory, this would have allowed an attacker to copy the stealth address of a high-value XMR wallet and then send a transaction to it. The Monero network would have seen that as a transaction between two identical stealth addresses, and one of them, potentially the exchange's XMR wallet worth millions of dollars, would be burned.
That behaviour alone isn't the exploit. A Redditor, however, proposed a new way to use it to steal funds.
The Identical Stealth Address Problem Has Been Public Knowledge for a While
The Monero community has been aware of the identical stealth address problem for some time.
However, security researchers only just discovered a new element to the problem: it allows hackers to siphon XMR directly from external wallets.
Monero’s developers explained the process in their latest writeup on the topic.
After modifying a Monero wallet so that the stealth address it pays is the same as the target wallet's, the attacker would send, say, a thousand transactions of one XMR to the exchange.
“Because the exchange’s wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1,000 XMR.”
The attacker would then sell that XMR for BTC and withdraw the BTC. The exchange is left with 999 unspendable, or burnt, outputs of 1 XMR.
In other words, the exploit doesn't allow the attacker to create XMR out of thin air. Instead, it makes the exchange's wallet appear to have received 1,000 XMR when only one of those outputs is spendable, which allows the attacker to sell the "fake" XMR for real BTC and withdraw it before the exchange notices the discrepancy.
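The deposit-side check that the quoted writeup says the exchange wallet lacked, as an added example that is not code from the Monero project or from this article: a simplified Python model of an exchange crediting incoming outputs. It assumes a stealth address (one-time output key) can be compared as a plain string and uses constructed transaction ids, addresses and amounts. The naive function credits everything the wallet scans; the hardened function credits only the first output seen at a given stealth address and flags every later one as unspendable, reproducing the 1,000-credited versus 999-burned split described above.

```python
from dataclasses import dataclass

PICONERO = 10**12  # 1 XMR = 10^12 atomic units; integer math avoids float rounding


@dataclass(frozen=True)
class IncomingOutput:
    """One output paid to the exchange's wallet.

    txid and stealth_address are constructed placeholder strings, not real
    Monero transaction hashes or one-time public keys.
    """
    txid: str
    stealth_address: str  # one-time output public key (Monero "stealth address")
    amount: int           # piconero


def credit_naive(outputs):
    """Pre-fix behaviour: credit every output the wallet scans, no questions asked."""
    return sum(o.amount for o in outputs)


def credit_hardened(outputs):
    """Hardened deposit accounting.

    Two outputs at the same one-time address yield the same key image, so at
    most one of them can ever be spent; the rest are burned. An honest sender's
    wallet never reuses a one-time address, so a repeat is always an anomaly.
    Returns (credited, burned, alerts).
    """
    first_seen = {}   # stealth_address -> txid of the output that stays spendable
    credited = 0
    burned = 0
    alerts = []
    for o in outputs:
        prior = first_seen.get(o.stealth_address)
        if prior is not None:
            burned += o.amount
            alerts.append(
                f"tx {o.txid}: output to stealth address {o.stealth_address} "
                f"duplicates tx {prior}; unspendable, not credited"
            )
            continue
        first_seen[o.stealth_address] = o.txid
        credited += o.amount
    return credited, burned, alerts


def build_sample():
    """Constructed deposit stream: two honest deposits with distinct one-time
    addresses, then 1,000 outputs of 1 XMR all aimed at one stealth address."""
    honest = [
        IncomingOutput("tx_honest_1", "stealth_aaaa", 2 * PICONERO),
        IncomingOutput("tx_honest_2", "stealth_bbbb", 5 * PICONERO),
    ]
    attack = [
        IncomingOutput(f"tx_attack_{i:04d}", "stealth_dup", 1 * PICONERO)
        for i in range(1000)
    ]
    return honest + attack


if __name__ == "__main__":
    sample = build_sample()
    naive = credit_naive(sample)
    credited, burned, alerts = credit_hardened(sample)
    print(f"naive balance:    {naive / PICONERO:.0f} XMR")
    print(f"spendable credit: {credited / PICONERO:.0f} XMR")
    print(f"burned, flagged:  {burned / PICONERO:.0f} XMR in {len(alerts)} outputs")
    print(alerts[0])
```

Run as a script it shows the naive balance of 1,007 XMR against a spendable credit of 8 XMR, with 999 outputs flagged. The design point is that the exchange's ledger should never trust the raw sum of scanned outputs: the crediting path has to track one-time addresses (or, equivalently, the key images they imply) and treat any repeat as a hold-and-alert event rather than a deposit.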
The Exploit Was Discovered by a Redditor
Surprisingly, this exploit wasn’t revealed until 9 days ago when Redditor /u/GasDoves published his theory on the /r/Monero subreddit:
“What happens if I spend from a specific stealth address and then someone sends more to it? Are the funds inaccessible as the key image has already been used?”
In response, one Redditor theorized the exact process an attacker could use to exploit this flaw. Redditor /u/s_c_m_l wrote:
"So if B can't spend those funds, I can imagine an attack where A procures a large amount of XMR and sends it to Exchange B in many transactions with the same key image stealth address. 'A' then exchanges that XMR for other currency and cashes out, leaving the exchange paralyzed, unable to use that XMR."
This is the exact security flaw that was later patched by Monero developers. Fortunately, no malicious actors read the Reddit post and exploited the flaw before it was patched. The original Reddit post, meanwhile, didn't attract much attention to begin with, getting just 14 upvotes and 18 comments.
Fortunately for the Monero community, developers were alerted to the post and were able to patch the issue before hackers decided to exploit it.
Monero Developers Secretly Patched the Issue and Alerted Crypto Exchanges
After discovering the exploit, Monero developers quietly created a private fix, then sent that fix to major exchanges and merchants.
The need for secrecy was obvious: Monero's developers wanted to avoid drawing attention to the bug before the fix had been deployed.
The end result was that no money was lost to this exploit. As far as Monero’s developers can tell, nobody was successfully able to exploit this issue before it was patched.
Monero’s developers, however, are taking the issue seriously, saying:
“This event is again an effective reminder that cryptocurrency and the corresponding software are still in its infancy and thus quite prone to (critical) bugs.”
You can view the full disclosure from the Monero team at GetMonero.org.