Tech security and disclosure platform HackerOne published a bombshell report that detailed the recent vulnerabilities disclosed by popular privacy coin Monero (XMR). While security flaws are not uncommon in the crypto community, one of these flaws in particular would have made it possible for criminals to steal XMR directly from cryptocurrency exchanges. The flaw has since been resolved, but it rings ironic nonetheless; Monero has never been the first choice for newbie investors who buy cryptocurrency, as its appeal has primarily been its security. The fact that it had such a gaping security error is quite worrying.
Essentially, the presence of this flaw meant that scam XMR miners would be able to create “specially crafted” blocks and force wallets and exchanges into accepting fake deposits, the amount of which the scam miners could even choose.
“So to exploit the vulnerability an attacker will need to modify the daemon to create blocktemplates with zero amount in the miner tx, with a valid-enough RCT signatures so the amount will decode. The attacker will need to mine a block directly to an exchange wallet. Most exchanges identify their users by payment id. Including the said field in miner tx is not available functionality. While this seems to be trivial to implement, it was not attempted by us,” the report reads.
In addition, the report also detailed several DoS attacks. One of these attacks was related to CryptoNote, an application infrastructure to ensure the privacy of transactions over the network. By taking advantage of the flaw, scammers could potentially request large amounts of blockchain data from the Monero network, thereby bringing down some of the network’s nodes.
The bug was discovered by Andrey Sabelnikov, a researcher with HackerOne. In a statement, he claimed that large blockchains with long histories like Monero’s have protocol requests that can be pushed to call blocks from different nodes. In some cases, these blocks could number in the hundreds of thousands, and this is a significant security breach.
The researcher also warned that there could be other crypto assets or projects that rely on CryptoNote and which, by extension, could be susceptible to these attacks as well.
The report continues what seems to be a year of massive corrections for Monero regarding the general safety of its network. Back in April, the operators of the currency announced on Reddit that they had fixed a flaw in the Ledger wallet, which made it look like customers’ funds weren’t being moved.
Ledger first reported the flaw to Monero’s subreddit in March, as it affected customers who couldn’t access their XMR on the Ledger Nano S hardware wallet. The initial complaint saw a loss of about 1,680 XMR (worth about $115,000 at the time), although Monero confirmed that losses were minimal.
Monero eventually promised to be more thorough in their code reviews, and given how they’ve handled the recent security flaws, it seems they plan on keeping to their word.