Published on September 26, 2018
“A bug in the wallet software allowed a determined attacker to cause significant damage to organizations present in the Monero ecosystem with minimal cost. A determined attacker could burn the funds of an organization’s wallet whilst merely losing network transaction fees.”

How does the bug work?

This all comes down to the fact that Monero can ‘burn’ XMR on the network, in the same way Bitcoin and Ethereum can, hence the name burning bug (burning is not in reference to the bug being on fire, I’m afraid). Burns can occur when the Monero blockchain detects transactions between identical stealth addresses: it assumes these are illegitimate and ‘burns’ one of the transactions, allowing just one ‘legitimate’ transaction to remain.

When this happens, the XMR isn’t removed; it is simply made unusable. It is this burning process that allows hackers to directly extract XMR straight off the blockchain via external wallets, such as those that may be found at cryptocurrency exchanges. According to The Next Web, the report by the Monero developers states:
“After modifying a Monero wallet to make transactions using the same stealth address as the target wallet, attackers send, say, a thousand transactions of one XMR to an exchange. Because the exchange’s wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1,000 XMR. The attacker then sells his XMR for BTC and lastly withdraws this BTC. The result of the hacker’s action(s) is that the exchange is left with 999 unspendable / burnt outputs of 1 XMR.”

What happens now?

Well, as a result of this, Monero developers have had to create a fix, which has now been sent out to the various Monero exchanges. This was carried out in secret, in order to stop hackers taking advantage of the bug whilst the exchanges ran updates to patch the error. Thankfully, now that a fix has been rolled out, the Monero development team have confirmed that no XMR had been lost or manipulated as a result of the burning bug.

Finally, the burning bug has now been extinguished. To close their statement, the Monero development team have issued a warning to all who indulge in cryptocurrencies:
“This event is again an effective reminder that cryptocurrency and the corresponding software are still in its infancy and thus quite prone to (critical) bugs.”

Bugs can exist in many forms. Even when a crypto project looks to be running smoothly (as Monero is), critical and devastating bugs could still exist on the network that in turn could be used to totally bring it down. It’s simply a race between developers and hackers, and who gets there first will determine the future for the project. If the hacker gets there first, the consequences are devastating. If the developers get there first, as they have in this instance, the bug is fixed and the community is left protected, with their assets secured.

We do expect more bugs like this to crop up across the industry. Just because this one has been fixed, it doesn’t mean Monero is totally resistant to these bugs going forward. Thankfully, the development team will be working hard to ensure this doesn’t happen ever again.

References: The Next Web
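The check the developers' report says the exchange wallet lacked, sketched as an added example (not code from the Monero project or from the original article): deposits are grouped by output key, each key is credited once, and duplicates raise an alert. The `Output` record, the function names and the keep-the-largest policy are assumptions made for illustration, and the sample deposits are constructed to mirror the report's 1,000 x 1 XMR scenario.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    txid: str          # transaction that carried the output
    one_time_key: str  # output public key (the article's "stealth address")
    amount: int        # whole XMR, to keep the numbers readable


def naive_credit(outputs):
    """Pre-fix behaviour from the report: every received output is credited."""
    return sum(o.amount for o in outputs)


def safe_credit(outputs):
    """Credit each one-time key once; return (spendable, alerts)."""
    # Assumed policy: of the outputs sharing a key, count only the largest,
    # since the report treats all but one of them as unspendable.
    by_key = defaultdict(list)
    for out in outputs:
        by_key[out.one_time_key].append(out)

    spendable, alerts = 0, []
    for key, group in by_key.items():
        keep = max(group, key=lambda o: o.amount)
        spendable += keep.amount
        if len(group) > 1:
            alerts.append({
                "one_time_key": key,
                "outputs": len(group),
                "credited": keep.amount,
                "burnt": sum(o.amount for o in group) - keep.amount,
            })
    return spendable, alerts


# Constructed sample: one ordinary 5 XMR deposit, then the report's scenario of
# 1,000 one-XMR outputs that all reuse the same one-time key.
SAMPLE = [Output("tx-normal", "key-A", 5)] + [
    Output(f"tx-{i:04d}", "key-B", 1) for i in range(1000)
]

if __name__ == "__main__":
    total, alerts = safe_credit(SAMPLE)
    print("naive credit:", naive_credit(SAMPLE), "XMR")
    print("spendable credit:", total, "XMR")
    print("alerts:", alerts)
```

On the sample, the naive sum credits the sender with the full deposit while only a fraction of it is spendable; the gap between the two totals is the exchange's exposure.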