The Monero “Burning Bug”
For the second time in two months, the Monero Network has reportedly been susceptible to a bug that would have brought this privacy cryptocurrency to its knees, so to speak. According to a post-mortem of the so-called “Burning Bug,” relayed by The Next Web, a malicious user seeking to wreak havoc on the Monero chain and the ecosystem surrounding it could have accomplished his or her plans “all for the cost of a few transactions fees.”
dEBRUYNE, a developer and team member of the project who authored the aforementioned post-mortem, explained that the bug essentially allowed a “determined attacker” to burn the XMR held in the wallet of an organization (an exchange, a cryptocurrency-friendly merchant, etc.) for the small contribution of some transaction fees, which are approximately $0.5 per average XMR transaction at the time of writing.
For those who aren’t in the loop, under a specific set of scenarios, certain public blockchains, like Bitcoin and Ethereum, can burn their native tokens, rendering them useless and making them nothing more than expensive digital paperweights.
In the context of Monero’s codebase, to put the specifics of the aforementioned bug into layman’s terms: if an ill-wishing user sends multiple XMR transactions to the same stealth address, the blockchain will classify all but one of these transactions as illegitimate, burning a majority of the XMR sent.
Once the blockchain identifies and subsequently burns the ‘illegitimate’ XMR, it is nigh-impossible for the same cryptocurrency to be used in any productive manner again. While this sounds like an absurd concept, the Monero community has seemingly known about this issue for a while now but never found a proper way to exploit stealth addresses. Now, as discovered by cybersecurity experts, the burning bug can unfortunately be applied to vulnerable exchanges.
Explaining the process which would allow the hacker to utilize this bug to his or her advantage, the Monero team member wrote:
“[attackers] send, say, a thousand transactions of one XMR to an exchange. Because the exchange’s wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1,000 XMR.”
In this hypothetical scenario, after a victimized exchange credits the attacker for 1,000 XMR, which would be valued at $115,000 at the time of writing, the user would trade his or her on-exchange credit for an altcoin. This would then allow the attacker to withdraw the full value of the aforementioned XMR while leaving the exchange with nothing but “999 unspendable, burnt outputs of 1 XMR.”
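The accounting gap described above, shown from the exchange's side as an added example (not code from the Monero project or the post-mortem): a deposit ledger that credits each stealth address only once and flags the duplicates as burnt. The `Output` record, the function names and the sample deposits are constructed for illustration.

```python
from dataclasses import dataclass

ATOMIC = 10**12  # atomic units per 1 XMR


@dataclass(frozen=True)
class Output:
    txid: str             # constructed placeholder ids, not real transactions
    stealth_address: str  # one-time output public key seen by the wallet
    amount: int           # atomic units


def naive_credit(outputs):
    """Vulnerable accounting: every received output is credited in full."""
    return sum(o.amount for o in outputs)


def safe_credit(outputs):
    """Credit one output per stealth address (the largest); report the rest.

    Outputs sharing a stealth address share a key image, so the network
    accepts a spend of only one of them; the others are burnt.
    """
    spendable, burnt = {}, []
    for o in outputs:
        kept = spendable.get(o.stealth_address)
        if kept is None:
            spendable[o.stealth_address] = o
        elif o.amount > kept.amount:
            burnt.append(kept)  # the smaller duplicate becomes the burnt one
            spendable[o.stealth_address] = o
        else:
            burnt.append(o)
    return sum(o.amount for o in spendable.values()), burnt


# Constructed sample: 1,000 deposits of 1 XMR to one stealth address,
# plus one ordinary 2 XMR deposit to a different address.
DEPOSITS = [Output(f"tx{i:04d}", "stealth_A", 1 * ATOMIC) for i in range(1000)]
DEPOSITS.append(Output("tx_honest", "stealth_B", 2 * ATOMIC))

if __name__ == "__main__":
    credited, burnt = safe_credit(DEPOSITS)
    print("naive credit:", naive_credit(DEPOSITS) // ATOMIC, "XMR")
    print("safe credit: ", credited // ATOMIC, "XMR;", len(burnt), "burnt outputs flagged")
```

The flagged list is what an operator would alert on: a non-empty result means deposits arrived on an already-used stealth address and must not be credited.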
Although any developer worth his or her salt wouldn’t be caught dead releasing the specifics of such a ground-breaking glitch, it was revealed that Monero devs have already distributed a fix for major exchanges and merchants in secret, “as not to draw any attention during the patching process.” Due to the quick thinking of the Monero team, dEBRUYNE also explained that no exchanges or merchants were victimized by this specific bug.
This bug follows another glitch that was discovered in early August, as reported by Ethereum World News previously. Per our previous report, it was discovered that inventive hackers could essentially ‘multiply’ the amount of XMR displayed by a wallet by simply copying a certain line of code. Although this specific bug has since been amended, a lesser-known altcoin-focused exchange saw its wallets drained overnight.
XMR Remains Undeterred, Posts Gain Instead Of Loss
Seeing that the Burning Bug had no apparent effect on vulnerable exchanges, XMR has seemingly remained unaffected by the bug, posting a slight gain in correlation with the hour-to-hour recovery of Bitcoin, the leading cryptocurrency in this budding market. At the time of writing, one XMR is worth $116 and is up 1.5% in the past 24 hours.