Monero was found to be carrying a bug which allowed theft from digital currency exchanges, according to the researcher who found the security hazard. In order of severity, the bug was ranked nine out of a possible 10. Bug bounty hunter Jason Rhineland disclosed that the exploit may be currently underway.
Bug Bounty Hunter Discovers Vulnerability in Monero Wallet
Jason Rhineland, a Canadian PhD candidate in Economics at Queen’s University with a primary research interest in agent-based modeling of economic phenomena, has submitted a post on HackerOne where he disclosed a business logic error in Monero.
It seems that an already fixed wallet balance display bug also extended to exchanges with a potential impact of theft of all coins deposited in an exchange wallet, according to Rhineland.
“PR #3985 fixed a wallet balance display bug, which seems innocuous enough, but this bug also extends to exchanges: a transfer of, e.g., 1 XMR to an exchange with a duplicated TX pub key will show up on an exchange as a 2 XMR deposit, which then allows the attacker to withdraw 2 XMR from the exchange’s wallet. An attacker could exploit this repeatedly to siphon of all of the exchange’s balance.”
The bug allowed creative cybercriminals to fake transaction data in order to trick virtual currency operators’ support staff into crediting their user account manually with XMR. Each additional line of code multiplied the amount of Monero shown on the account, leaving staffers obliged to fulfill any user calling to process the transactions manually. Monero-based coins were also vulnerable to the same bug, as was proven by the hacking of ARQ coins from the wallet of cryptocurrency operator Altex.
Altex Exchange Suffers Big Losses Due to Bug in Monero
Altex has already told its users and overall virtual currency ecosystem about the issue. Facing an undisclosed amount of cryptocurrencies due to the monero codebase and having its development team on holiday, the small operator chose to suspend trading and kept writing updates.
“That bug caused a big loss in coins for the exchange and we have put our main currency under maintenance so the people who exploited the bug can no longer withdraw. After a really long investigation, we found out that we still lost a big amount. This was caused by the coins software, it was not a bug in our system.”
The HackerOne bug bounty program published five other vulnerabilities in Monero in the last 24 hours – every single one already fixed – including a Denial of Service attack vector able to clog the Monero blockchain.
Featured image from Shutterstock.