Privacy-oriented cryptocurrency Monero disclosed and fixed a vulnerability in the past two days.
According to the official blog post, the bug meant that a wallet did not warn the user when it received a burnt output. This let an attacker burn an organization's entire funds while losing only network transaction fees. Curiously, the attacker gains no direct monetary benefit from doing so.
However, the post said, “Nonetheless, there are probably means to indirectly benefit. The notion of burning funds by sending multiple transactions to the same stealth address has been documented for quite some time already.”
Monero is particularly alluring to bad actors in the cryptocurrency market because it is one of the easiest coins to mine. Its privacy-centric design makes it an ideal coin for them: Monero wallet balances and transactions cannot be publicly inspected.
Recently, hackers realized they could mine the cryptocurrency from government websites in India and the United States.
Security researcher Indrajeet Bhuyan told news portal Economic Times (ET), “Hackers target government websites for mining cryptocurrency because those websites get high traffic and mostly people trust them. Earlier, we saw a lot of government websites getting defaced (hacked). Now, injecting cryptojackers is more fashionable as the hacker can make money.”
Explaining how the bug works, the post said: An attacker first generates a random private transaction key. Thereafter, they modify the code to merely use this particular private transaction key, which ensures multiple transactions to the same public address (e.g. an exchange’s hot wallet) are sent to the same stealth address. Subsequently, they send, say, a thousand transactions of 1 XMR to an exchange. Because the exchange’s wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1000 XMR.
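To make the mechanism concrete from the defender's side, here is an added Python model (not Monero's code and not from the blog post) of how a one-time address is derived and of the wallet check that closes the gap: refuse to credit a second output that lands on an already-seen one-time address. The group (integers modulo the Mersenne prime 2^127 - 1 with generator 3) and the SHA3-256 hash stand in for Monero's ed25519 curve and Keccak-256; the wallet class, the key names and the 1 XMR-per-transaction scenario are assumptions built from the description above.

```python
"""
Toy model of CryptoNote-style one-time ("stealth") addresses and of the
wallet-side check that catches the burnt-output condition.

Added example, not Monero's code. Monero derives one-time keys on the
ed25519 curve with Keccak-256; this model uses the multiplicative group
of integers modulo a Mersenne prime and SHA3-256 instead. The mechanism
is the same: the one-time address depends only on the recipient's public
keys and the sender's transaction private key r, so a sender who reuses r
against the same recipient produces the same one-time address every time,
and only one of those outputs can ever be spent.
"""
import hashlib
import secrets

MOD = 2**127 - 1      # Mersenne prime; "points" are integers mod MOD (toy parameter)
G = 3                 # group generator (toy parameter)
ORDER = MOD - 1       # private scalars live in [1, ORDER)


def rand_scalar() -> int:
    return secrets.randbelow(ORDER - 1) + 1


def keygen():
    """Recipient's long-term keys: view key (a, A) and spend key (b, B)."""
    a, b = rand_scalar(), rand_scalar()
    return (a, pow(G, a, MOD)), (b, pow(G, b, MOD))


def hash_to_scalar(shared: int) -> int:
    """H_s(): hash a group element (< 2**127, fits 16 bytes) to a scalar."""
    digest = hashlib.sha3_256(shared.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % ORDER


def one_time_address(r: int, A: int, B: int) -> int:
    """Sender side: P = G^H(A^r) * B. The transaction also publishes R = G^r."""
    shared = pow(A, r, MOD)
    return (pow(G, hash_to_scalar(shared), MOD) * B) % MOD


class ExchangeWallet:
    """Receiving wallet (hypothetical) that scans outputs and refuses to
    credit a one-time address it has already seen."""

    def __init__(self, view_key: int, spend_pub: int):
        self.a = view_key
        self.B = spend_pub
        self.credited = {}   # one-time address -> amount credited (first occurrence only)
        self.burnt = []      # (one-time address, amount) of duplicate outputs

    def scan(self, tx_pub: int, out_key: int, amount: int) -> str:
        # Receiver side: R^a == A^r, so the expected one-time key can be recomputed.
        shared = pow(tx_pub, self.a, MOD)
        expected = (pow(G, hash_to_scalar(shared), MOD) * self.B) % MOD
        if expected != out_key:
            return "not_ours"
        if out_key in self.credited:
            # Same one-time key as an earlier output: both have the same key
            # image, so at most one is spendable. Do not credit; flag it.
            self.burnt.append((out_key, amount))
            return "burnt"
        self.credited[out_key] = amount
        return "credited"

    def balance(self) -> int:
        return sum(self.credited.values())


def simulate_deposits(n_txs: int, reuse_tx_key: bool, amount: int = 1):
    """Send n_txs deposits of `amount` to the exchange wallet.
    Returns (credited balance, number of outputs flagged as burnt)."""
    (a, A), (_b, B) = keygen()
    wallet = ExchangeWallet(a, B)
    fixed_r = rand_scalar()
    burnt = 0
    for _ in range(n_txs):
        r = fixed_r if reuse_tx_key else rand_scalar()
        R = pow(G, r, MOD)                     # transaction public key, published in the tx
        out_key = one_time_address(r, A, B)    # output destination
        if wallet.scan(R, out_key, amount) == "burnt":
            burnt += 1
    return wallet.balance(), burnt


if __name__ == "__main__":
    print("honest deposits:", simulate_deposits(1000, reuse_tx_key=False))
    print("reused tx key:  ", simulate_deposits(1000, reuse_tx_key=True))
```

With fresh transaction keys, a thousand 1-unit deposits credit a balance of 1000 and nothing is flagged; with a single reused key, the wallet credits only the first output and flags the remaining 999 as duplicates instead of counting them toward the balance.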
However, it added that, fortunately, the bug affected neither the functionality of the protocol nor the token supply.