Ledger Client Address Issue and Fake Deposits: Community Spots Two Vulnerabilities Related to Monero
At least two seperate bugs related to Monero have been detected.
This week, at least two seperate bugs related to Monero (XMR) were reported by crypto community members. The first one allegedly lead to a Ledger hardware wallet user losing around 1,680 XMR (nearly $80,000, as of press time) of his funds after making a transaction. The other vulnerability allowed hackers to make fake XMR deposits to cryptocurrency exchanges.
Anonymity above all: What is Monero and how it works
Monero is a cryptocurrency with an additional focus on anonymity. It was launched in April 2014, when Bitcointalk.org user thankful_for_today forked the codebase of Bytecoin into the name BitMonero. To create the new coin, he relied on the ideas that were first outlined in a 2013 white paper dubbed “Cryptonote” written by anonymous personality Nicolas van Saberhagen. Ironically, BitMonero was soon forked itself by open-source developers and named “Monero” (which means “coin” in Esperanto). It has remained to be an open-source project ever since.
Indeed, Monero has considerably more privacy features compared to conventional cryptocurrencies like Bitcoin (BTC): On top of being a decentralized coin, Monero is designed to be fully anonymous and virtually untraceable. Specifically, it is based on the CryptoNight proof-of-work (PoW) hash algorithm, which allows it to use “ring signatures” (which mix the spender's address with a group of others, making it more difficult to trace transactions), “stealth addresses” (which are generated for each transaction and make it impossible to discover the actual destination of a transaction by anyone else other than the sender and the receiver), and “ring confidential transactions” (which hide the transferred amount).
In 2016, XMR experienced more growth in market capitalization and transaction volume than any other cryptocurrency, undergoing almost a 2,800 percent increase, as per CoinMarketCap.
Notably, a lot of that gain could have come from the underground economy. Being an altcoin that is tailor-made for fully private transactions, Monero eventually became accepted as a form of currency on darknet markets like Alphabay and Oasis, according to Wired. Specifically, after being integrated on those trading platforms in the summer of 2016, Monero’s value “immediately increased around sixfold.”
"That uptick among people who really need to be private is interesting," Riccardo “Fluffypony” Spagni, one of the Monero core developers, told Wired in January 2017.
"If it’s good enough for a drug dealer, it’s good enough for everyone else."
Currently, XMR is the 13th-biggest cryptocurrency by market cap, with equivalent of over $800 million, according to CoinMarketCap data.
Monero’s alleged privacy remains to be a controversial topic, as some suggest that the coin is not, in fact, fully anonymous. In an interview with Bloomberg, United States Drug Enforcement Administration (DEA) Special Agent Lilita Infante noted that, although privacy-focused currencies are less liquid and more anonymous than BTC, the DEA “still has ways of tracking” altcoins such as Monero and Zcash. Infante concluded:
“The blockchain actually gives us a lot of tools to be able to identify people. I actually want them to keep using them [cryptocurrencies].”
Moreover, as previously reported by Cointelegraph, Monero has been endorsed as “The Official Currency of the Alt Right” by white supremacists like Christopher Cantwell for its focus on anonymity.
The privacy-focused nature of Monero has also driven compliance-oriented crypto exchanges to turn the coin down. For instance, in June 2018, Japan-based Coincheck delisted XMR and three other anonymity-focused altcoins to follow Counter-Terrorist Financing (CTF) and Anti-Money Laundering (AML) procedures issued by the local financial regulator.
Bug #1: change address bug with Ledger
On March 3, user MoneroDontCheeseMe started a Reddit thread, claiming that he or she believes to “have just lost ~1680 Monero [around $80,000] due to a bug” while using the Monero app with his or her Ledger hardware wallet.
According to the post, the user transferred about 0.000001 XMR from his or her wallet to a view-only wallet, sent another 10, 200 and then 141.9 XMR. Allegedly, before sending the last transaction, MoneroDontCheeseMe had about 1,690 XMR in the wallet and 141.95 XMR in an unlocked balance, which is why he or she decided to send 141.9 XMR. However, after the transaction had been sent, the user’s wallet is reportedly showing a balance of 0 XMR.
Furthermore, according to the Reddit user, the amounts sent and the transactions recorded on the blockchain “don’t line up.” MoneroDontCheeseMe wrote that the 200 XMR transaction actually deducted 1691.001 XMR from the Ledger Wallet, and also that the amounts reported for the 10 XMR transaction are incongruous. Monero core developer nicknamed binaryfate told Cointelegraph over email:
“My understanding is that the Ledger may have sent the ‘change’ amount to an erroneous one-time destination that the user did not control. For more details you should ask the Ledger team directly, they are working on it and already identified and fixed the bug as far as I know, so it should be pushed shortly.”
Initially, in the comments to the post, Nicolas Bacca, chief technical officer at Ledger, said that their app has been extensively tested, suggesting that could be a synchronization issue.
However, several hours later, Ledger developers published a warning on the Monero subreddit, advising users not to use the Nano S Monero app because “it seems there is a bug with the change address.”
“The change seems to not be correctly send. Do not use Ledger Nano S with client 0.14 until more information is provided.”
The official Monero Twitter account has since retweeted Ledger’s tweet containing a link to the warning.
Thus, according to Monero’s binaryfate, the Ledger team has prepared a patch to fix the issue, and is expected to release it in the near future. Cointelegraph reached out to MoneroDontCheeseMe to ask him or her whether this issue is being fixed by Monero or Ledger developers, but he or she appeared hesitant to answer straight away and requested more time.
Cointelegraph has also contacted Ledger developers for further comment, but they have not prepared any statement as of press time.
Bug #2: wallet bug enabling hackers to make fake deposits to crypto exchanges
On March 3, the official account of the Ryo (RYO) cryptocurrency published a Medium post, highlighting a bug in the XMR wallet software that could allow for sending fake deposits to crypto exchanges.
According to the post, an email reportedly sent to the Monero Announce mailing list warned platforms using the coin that the Monero Vulnerability Response team received a disclosure concerning a vulnerability. The bug was reportedly related to coinbase transactions (the first transaction in a block, created by miners).
“This essentially means that the attacker can make it appear as if he deposited any sum of his choosing to an exchange,” the post read. The mentioned email also contained the patch preventing the vulnerability from being exploitable.
As binaryfate explained to Cointelegraph, first, somebody made a responsible disclosure following the Monero Vulnerability Response Process. Then, an email was sent to the Monero Announce mailing list “warning in advance that both a patch and details of the bug would be released together on the 6th of March.” After that, the Monero developer added that Ryo published details “right away”:
“Due to this article, the details had been made public and delaying would have caused unnecessary risk. Hence a patch was publicly merged on github, and a new version of Monero tagged right away.”
Indeed, a few hours later, the official Monero account tweeted that the fix for the vulnerability had been written and was awaiting review. As per the GitHub page dedicated to the patch, it appears that the code has been already merged with the main branch, which means that the fix is ready and only needs the new release to be published.
Ryo is a code fork of Monero, as per its website. According to the Medium entry, its team fixed the same vulnerability seven months ago. The post also notes that they avoided making a responsible disclosure to the Monero team earlier because of Monero’s “long history of toxic behaviour towards security researchers.”
Furthermore, the post also claims that when discussing the exploit in the Ryo public channel, the author of the post accidentally disclosed another vulnerability, concluding that “Monero might want to get that one patched too.” When asked whether they knew anything about such a bug, the Monero representative answered by saying “you would have to ask the author of the article.” Ryo has not returned Cointelegraph’s request for comment as of press time.
Previous Monero bugs and cryptojacking problems
Monero, being an open-source project, tends to collaborate with its community members to tackle security breaches. Thus, in September 2018, Monero developers successfully eliminated at least two bugs that were reported on its subreddit page.
First, there was a burning bug, which Monero promptly fixed and notified “as many exchanges, services and merchants as possible,” to apply the new patch. Secondly, the XMR community reported that the Mega Chrome extension was compromised, leading to its quick removal from the Chrome webstore.
Further, Monero’s privacy features have made it popular among cryptojackers. Thus, last year, more than 526,000 computers were reportedly infected with a cryptocurrency botnet malware called Smominru, which allowed hackers to mine more than $2 million worth of XMR.
In February 2019, tech corporation Microsoft removed eight Windows 10 applications from its official app store after cybersecurity firm Symantec identified the presence of hidden XMR coin mining code. The firm’s analysis identified the strain of mining malware enclosed in the apps as being the web browser-based Coinhive XMR mining code. Later that month, Coinhive announced it will stop all its operations on March 8, saying that the project is not “economically viable anymore.”