{"id":231825,"date":"2019-07-06T21:05:12","date_gmt":"2019-07-07T01:05:12","guid":{"rendered":"http:\/\/insidebitcoins.com\/?p=231825"},"modified":"2019-07-06T21:08:16","modified_gmt":"2019-07-07T01:08:16","slug":"moneros-recent-security-fix","status":"publish","type":"post","link":"https:\/\/insidebitcoins.com\/news\/moneros-recent-security-fix","title":{"rendered":"Monero\u2019s Recent Security Fix Could Have Gone Sideways"},"content":{"rendered":"
Tech security and disclosure platform HackerOne published a bombshell report which detailed the recent vulnerabilities disclosed by popular privacy coin Monero (XMR). While security flaws are not uncommon in the crypto community, one of these flaws, in particular, would have made it possible for criminals to steal XMR directly from cryptocurrency exchanges. The flaw has since been resolved, but it rings ironic nonetheless; Monero has never been the first choice for newbie investors who buy cryptocurrency, as its appeal has primarily been because of its security. The fact that it has such a gaping security error is quite worrying.<\/p>\n Essentially, the presence of this flaw meant that scam XMR miners would be able to create \u201cspecially crafted\u201d blocks and force wallets and exchanges into accepting fake deposits, the amount of which the scam miners could even choose.<\/p>\n \u201cSo to exploit the vulnerability an attacker will need to modify the daemon to create blocktemplates with zero amount in the miner tx, with a valid-enough RCT signatures so the amount will decode. The attacker will need to mine a block directly to an exchange wallet. Most exchanges identify their users by payment id. Including the said field in miner tx is not available functionality. While this seems to be trivial to implement, it was not attempted by us,\u201d the report reads.<\/p>\n In addition, the report also detailed several DoS attacks. One of these attacks was related to CryptoNote, an application infrastructure to ensure the privacy of transactions over the network. By taking advantage of the flaw, scammers could potentially request large amounts of blockchain data from the Monero network, thereby bringing down some of the network\u2019s nodes.<\/p>\n The bug was discovered by Andrey Sabelnikov, a researcher with HackerOne. 
In a statement, he claimed that large blockchains with long histories like Monero\u2019s have protocol requests that can be pushed to call blocks from different nodes. In some cases, these blocks could number in the hundreds of thousands, and this is a significant security breach.<\/p>\n The researcher also warned that there could be other crypto assets or projects that rely on CryptoNote and which, by extension, could be susceptible to these attacks as well.<\/p>\n The report continues in what seems to be a year of massive corrections for Monero regarding the general safety of its network. Back in April, the operators of the currency announced on Reddit that they had fixed a flaw on the Ledger wallet, which made it look like customers\u2019 funds weren\u2019t being moved.<\/p>\n Ledger first reported the flaw to Monero\u2019s subreddit in March, as it affected customers who couldn’t access their XMR on the Ledger Nano S hardware wallet. The initial complaint saw a loss of about 1,680 XMR (worth about $115,000 at the time), although Monero confirmed that losses were minimal.<\/p>\n Monero eventually promised to be more thorough in their code reviews, and given how they\u2019ve handled the recent security flaws, it seems they plan on keeping to their word.<\/p>\n","protected":false},"excerpt":{"rendered":"