Monero: Wallet Bug Potentially Enables Exchange Hacks, Team Prepares Patch Release

A bug in the Monero (XMR) wallet software that could enable fake deposits to exchanges has been recently brought to public attention through a Medium post, published by the official Ryo (RYO) account on March 3.

According to the post, an email reportedly sent to the Monero-announce mailing list warns exchanges and service operators using the coin that the Monero Vulnerability Response team received a disclosure concerning a vulnerability. The vulnerability consists of the mishandling of outputs in coinbase transactions (the first transactions in a block, always made by miners).

This mishandling could potentially allow an attacker to fake the deposit of an arbitrary amount of XMR to an exchange. Still, the email also contained parameters for the wallet, which are effectively a workaround preventing the vulnerability from being exploitable. The official Monero profile also tweeted the same workaround on March 3.

About ten hours later, the Monero account tweeted that the fix for the vulnerability has been written and was awaiting review. From the GitHub page dedicated to the patch, it appears that the code has been already merged with the main branch, which means that the fix is ready and only needs the new release to be published.

Ryo, a cryptocurrency derived from Monero, reports in its Medium post that its team fixed this vulnerability seven months ago. The post justifies the lack of a responsible disclosure towards the Monero team earlier by noting Monero’s “long history of toxic behaviour towards security researchers.”

Furthermore, the post also claims that when discussing the exploit in the Ryo public channel, the author of the post accidentally also disclosed a different issue, concluding:

“Monero might want to get that one patched too.”

As Cointelegraph reported earlier today, the Ledger developers team have posted a warning on Monero’s subreddit on March 4 advising users not to use the Nano S Monero app after another apparent bug reportedly lead to a user losing 1,680 XMR (equivalent to about $80.000).