A researcher found that Monero Wallet was carrying a security risk - a bug that allows theft from digital currency exchanges. In order of severity, the bug was ranked nine out of possible ten. It is likely that the exploit is currently carried out, according to the announcement of the bug bounty hunter Jason Rhineland.
Bug Bounty Hunter Identifies Vulnerability In Monero Wallet
The business logic error in Monero was informed in a post on HackerOne by bug bounty hunter Jason Rhineland, who is a Canadian PhD candidate in Economics at Queen’s University with a primary research focusing on agent-based modeling of economic phenomena.
The bounty hunter also disclosed that an already fixed wallet balance display bug which may also extended to exchanges with a potential impact of theft of all coins deposited in an exchange wallet.
“PR #3985 fixed a wallet balance display bug, which seems innocuous enough, but this bug also extends to exchanges: a transfer of, e.g., 1 XMR to an exchange with a duplicated TX pub key will show up on an exchange as a 2 XMR deposit, which then allows the attacker to withdraw 2 XMR from the exchange’s wallet. An attacker could exploit this repeatedly to siphon of all of the exchange’s balance,” said Rhineland.
The bug found in Monero wallet enables creative cybercriminals to counterfeit transaction data with the aim to deceive cryptocurrency operators’ support staff into crediting their accounts manually with Monero (XMR). The amount of Monero shown on the account was multiplied after each line of code was added, forcing staffers to fulfill any user calling to process the transactions manually. Similarly, Monero-based coins also suffered from an identical problem, which was proven by hacking of ARQ coins from the wallet of cryptocurrency operator Altex.
Altex Exchange Sees Big Losses Due To Bug In Monero
The exchange has already informed its users as well as overall virtual currency ecosystem about the bug. However, given the amount of cryptocurrencies remained undisclosed due to the monero codebase and its development team was on holiday, the small operator chose to temporarily stop trading and keep writing updates.
“That bug caused a big loss in coins for the exchange and we have put our main currency under maintenance so the people who exploited the bug can no longer withdraw. After a really long investigation, we found out that we still lost a big amount. This was caused by the coins software, it was not a bug in our system.”