A Security Flaw in Monero Could Have Led to Theft in Crypto Exchanges

Author: Sherlock Gomes
Last Updated: 05 July 2019

Developers recently announced that the Monero blockchain had nine scary bugs in its code that could have led to XMR theft from digital currency exchanges.

Monero’s code has issues

Monero (XMR) is a privacy-focused altcoin that provides better transaction obscurity than Bitcoin. It is the second most popular digital currency on the dark web after Bitcoin. The devs at Monero recently disclosed that the blockchain had nine security vulnerabilities. One of these vulnerabilities could even allow hackers to steal XMR from digital currency exchanges. The security researchers who found these issues documented their findings in a HackerOne report after they were awarded 45 XMR for their efforts.

Until March, Monero was exposed to a problem in which rogue miners could create “specifically-crafted” blocks and force the Monero wallet to accept fake deposits. The attacker could choose the amount to be deposited in the wallets. The researchers also revealed five DoS attack vectors, one of which was categorized as “critical” severity.

What else could be compromised?

One of the bugs is related to CryptoNote, an application layer used by XMR that helps improve privacy in transactions. If hackers had exploited this security flaw, they could have taken down XMR nodes by sending large amounts of malicious blockchain data from the network.

The researcher who found the bug, Andrey Sabelnikov, talked to Hard Fork about the vulnerability, saying that the bug could be executed on a bigger blockchain. Hackers can push a protocol request on the chain that requests all blocks from other nodes. As the blockchain is bigger, this could lead to hundreds of thousands of blocks being requested. Preparing a response like this could consume unusually high amounts of resources, and a typical Linux-based system will kill the task because of excessive memory consumption. He noted that other crypto projects depending on CryptoNote could be susceptible to similar attacks.

Monero’s software was also leaking “uninitiated” memory, which could include sensitive cryptographic material and private data, to untrusted peers on the network.

A majority of these bugs were reported four months ago, and eight have been patched. The ninth bug is still undisclosed. Most of the flaws were considered “proof of concept” rather than actual security vulnerabilities that were being exploited on the blockchain. Note that Monero released its blockchain version 0.14.1.0 in June this year.

Monero’s wallet software was reported to have bugs last year that could allow hackers to drain XMR from crypto exchange wallets.
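
The block-request denial of service described above works because the cost of preparing the response grows with input the peer controls. The following is an added illustration, not code from Monero, CryptoNote or the article; every name and limit in it is a hypothetical assumption. It shows a handler that caps both the number of requested blocks and the bytes it buffers:

```cpp
// Added illustration: bounding a "send me these blocks" peer request.
// All names and limits are hypothetical, not Monero's actual code.
#include <cstddef>
#include <map>
#include <string>
#include <vector>

constexpr std::size_t kMaxBlocksPerRequest = 100;   // assumed per-request cap
constexpr std::size_t kMaxResponseBytes = 1 << 20;  // assumed 1 MiB budget

typedef unsigned long long BlockId;
typedef std::map<BlockId, std::string> Chain;  // id -> serialized block

enum Status { kOk, kTruncated, kRejected };

struct Response {
    Status status;
    std::vector<std::string> blocks;
    std::size_t bytes;
    Response() : status(kOk), bytes(0) {}
};

Response handle_get_blocks(const Chain& chain,
                           const std::vector<BlockId>& wanted) {
    Response r;
    // Reject oversized requests before doing any work, so the cost of
    // handling a request never scales with attacker-chosen input.
    if (wanted.size() > kMaxBlocksPerRequest) {
        r.status = kRejected;  // caller would typically drop this peer
        return r;
    }
    for (std::size_t i = 0; i < wanted.size(); ++i) {
        Chain::const_iterator it = chain.find(wanted[i]);
        if (it == chain.end()) continue;  // unknown id: skip it
        // Stop at the byte budget instead of buffering an unbounded reply;
        // an honest peer simply asks again for the remainder.
        if (r.bytes + it->second.size() > kMaxResponseBytes) {
            r.status = kTruncated;
            break;
        }
        r.bytes += it->second.size();
        r.blocks.push_back(it->second);
    }
    return r;
}

// Constructed sample chain: n blocks of block_size bytes each.
Chain make_chain(std::size_t n, std::size_t block_size) {
    Chain c;
    for (std::size_t i = 0; i < n; ++i) c[i] = std::string(block_size, 'x');
    return c;
}
```

Both limits are needed: the count cap bounds lookup work, while the byte budget bounds memory even when individual blocks are large.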