Monero developers have just averted a disaster by fixing a patch bug that would have resulted in the loss of millions of dollars had it been exploited.
Patched Bug Threatens to Destroy All
The bug, as designated by its attacker, could cause irreparable damage to digital currency exchanges and XMR-friendly merchants. The bug was present in the software patch that was circulated privately among different crypto exchanges by the company before it was publicly announced on its official website.
The bug, if it had not been duly detected and addressed, would have given a user the leeway to intentionally “burn” XMR just by making too many payments or transactions to the same address. An attacker meaning to exploit the loophole would only have to keep sending payments relentlessly to a particular stealth address, and funds would continue to be accrued steadily.
The bug was found specifically in the wallet software for the privacy-centric cryptocurrency: the Monero software had not been programmed to test for this sort of abnormality in any way. Thus, it would have been practically easy for a wallet serving as a receiver to process the transactions without detecting any discrepancy or problem whatsoever, and subsequently go on to credit the deposit.
On a larger scale, the attack would have proved highly beneficial to the attacker, even if indirectly, assuming the exploitation was successful. A determined onslaught would have reduced the effective Monero supply and consequently inflated the price of each spendable XMR coin, along with the corresponding market cap.
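The missing check described above can be modelled as follows. This is an added example, not Monero's wallet code or the patch itself. It assumes that only one output per stealth (one-time) address can ever be spent, which is what makes the extra payments "burnt". All names and sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Output:
    txid: str          # constructed sample transaction id
    one_time_key: str  # stealth (one-time) address the output pays to
    amount: int        # amount in atomic units

def naive_credit(outputs):
    """Behaviour the article describes: every incoming output is credited."""
    return sum(o.amount for o in outputs)

def checked_credit(outputs):
    """Credit at most one output per stealth address and flag the rest.

    Assumption: only one output per one-time key is spendable, so the
    wallet keeps the largest one and treats the others as unspendable.
    """
    best = {}     # one_time_key -> output counted as spendable
    flagged = []  # outputs that must not be credited
    for out in outputs:
        kept = best.get(out.one_time_key)
        if kept is None:
            best[out.one_time_key] = out
        elif out.amount > kept.amount:
            flagged.append(kept)          # the earlier, smaller output is dropped
            best[out.one_time_key] = out
        else:
            flagged.append(out)
    return sum(o.amount for o in best.values()), flagged

# Constructed sample: three payments reuse the stealth address "key_1".
SAMPLE = [
    Output("tx_a", "key_1", 10),
    Output("tx_b", "key_1", 25),
    Output("tx_c", "key_1", 10),
    Output("tx_d", "key_2", 7),
]

if __name__ == "__main__":
    credited, flagged = checked_credit(SAMPLE)
    print("naive credit:  ", naive_credit(SAMPLE))
    print("checked credit:", credited)
    for out in flagged:
        print("do not credit:", out.txid, out.one_time_key, out.amount)
```

A receiving service would alert on any flagged output and hold the deposit for review instead of crediting it automatically.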
Thanks to an open discussion on the XMR sub-Reddit, the potential exploit was identified by the developers and its possible consequences to merchants, exchanges and organizations were brought to attention.
The community moderator dEBRUYNE revealed that the emergency fix that was made to the patch to solve the problem performs its job but is far from the ideal solution. He wrote:
“I (and others) privately notified as many exchanges, services, and merchants as possible with the (private) patch that had to be applied on top of the v0.12.3.0 release branch. To reiterate (from the previous post mortem blog), this is clearly not the preferred method, as it (i) invariably excludes organizations that I (and others) personally do not have contact with, but are an essential part of the Monero ecosystem and (ii) may invoke a view of preferential treatment. However, there had only been limited time to improve the vulnerability report process.”
The developer has called for more ‘intelligent’ minds to provide a more comfortable but efficient solution that would serve as a long-term fix to a fragile situation that only helps to remind users that digital currencies and related software are still very much in the period of infancy.
News of the bug and its recent disclosure have not affected the price of XMR though, as the digital coin currently trades at $114, a decline of about 3 percent, while a few other altcoins have seen more than a 5 percent decrease.