Monero [XMR] witnesses vulnerability in its accounting functionality, patch released by handler

Ajay Narayan


On 5th September, Monero released a post mortem of the multiple counting bug it had recently faced. The report provided detailed information about the bug and how it was used to exploit services, merchants and exchanges.

The multiple counting bug had two variants, each requiring a different structure of the transaction public key. It was introduced in conjunction with the subaddress feature.

A Post Mortem of the multiple counting bug | Source: Twitter

In the first variant of the bug, the code did not check for duplicate public keys. This allowed attackers to create a transaction in which the transaction public key was included multiple times, duplicating that particular transaction public key.

In the second variant of the bug, the code did not impose a check against dummy transaction public keys. Therefore, a hacker could trick the wallet into scanning the outputs in a transaction twice by utilizing the alternative transaction public key feature. As a result, the receiving wallet would report that it had received two times the amount that it had actually received.
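A simplified model of the accounting error both variants share, in which an output is credited on more than one scan pass, next to a scanner that refuses to do so. This is an added example, not Monero's wallet code or its patch; the hash-based `derive_tag`, the transaction layout and all values are assumptions constructed for illustration.

```python
import hashlib

VIEW_SECRET = b"constructed-view-secret"  # constructed sample value

def derive_tag(tx_pub_key: bytes, view_secret: bytes, index: int) -> bytes:
    """Toy stand-in for one-time output key derivation (NOT Monero's real crypto)."""
    return hashlib.sha256(tx_pub_key + view_secret + index.to_bytes(4, "little")).digest()

def build_tx(pub_keys, real_key, amounts):
    """Constructed transaction whose outputs all belong to VIEW_SECRET's owner."""
    outputs = [{"tag": derive_tag(real_key, VIEW_SECRET, i), "amount": a}
               for i, a in enumerate(amounts)]
    return {"pub_keys": list(pub_keys), "outputs": outputs}

def scan_naive(tx, view_secret):
    """One full pass over the outputs per listed key, with no duplicate check."""
    received = 0
    for key in tx["pub_keys"]:
        for i, out in enumerate(tx["outputs"]):
            if out["tag"] == derive_tag(key, view_secret, i):
                received += out["amount"]  # the same output can be credited again
    return received

def scan_hardened(tx, view_secret):
    """Ignore repeated keys and credit each output index at most once."""
    received, credited = 0, set()
    for key in dict.fromkeys(tx["pub_keys"]):  # de-duplicate, keep order
        for i, out in enumerate(tx["outputs"]):
            if i not in credited and out["tag"] == derive_tag(key, view_secret, i):
                credited.add(i)
                received += out["amount"]
    return received

def demo():
    """Return (naive_total, hardened_total) for three constructed transactions."""
    cases = {
        "honest": build_tx([b"R1"], b"R1", [5, 7]),
        "repeated": build_tx([b"R1", b"R1"], b"R1", [5, 7]),      # key listed twice
        "extra_key": build_tx([b"other", b"R1"], b"R1", [5, 7]),  # unrelated extra key
    }
    return {name: (scan_naive(tx, VIEW_SECRET), scan_hardened(tx, VIEW_SECRET))
            for name, tx in cases.items()}

if __name__ == "__main__":
    for name, (naive, hardened) in demo().items():
        print(f"{name:10s} naive={naive:3d} hardened={hardened:3d}")
```

A service reconciling deposits can apply the same idea independently of the wallet: the total credited for a transaction should never exceed the sum of the outputs it actually owns in that transaction.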

The first variant of the bug was earlier reported on GitHub, and the severity of the bug was underestimated. This resulted in the exploitation of exchanges, and funds being stolen from organizations in the Monero ecosystem.

Moreover, a security researcher for HackerOne provided an elaborate report on how the bug was being utilized to steal funds from exchanges. The second variant of the bug was reported by Phiren on HackerOne.

After merging both patches, Fluffypony, Monero’s Lead Maintainer, released a new version, V0.12.3.0. The severity of a critical bug in the wallet software was initially underestimated, which allowed an attacker to steal funds from organizations in the Monero ecosystem.



Fortunately, the bug was confined to the accounting functions of the wallet software, and thus the protocol and coin supply were not affected. The Monero community also spoke about the adequate measures taken to solve the problem. DubsNC stated on Reddit:

“Yeah, the mailing list doesn’t sound like a good idea to me. It does sound like a high value target list for an adversary. How about just a signed update flag in the protocol that tells all full nodes to update at the same time?”

Flenst, an enthusiastic Redditor, stated:

“I am really glad to see that mistakes that have been done won’t be repeated and there will be better solutions in the future to disclose vulnerabilities like this to services in a more reliable way.”








Ajay Narayan is a full-time journalist at AMBCrypto. He has majored in Economics, Political Science and Sociology. His interests are inclined towards writing and investing in cryptocurrencies.


Tether’s [USDT] market capitalization hits all-time high, Facebook in talks with Winklevoss twins, trading firms over new cryptocurrency and more

Guest Author


Daily Crypto News – May 25

1) Bitcoin Wallet receives part of 5,000 BTC: A recent Whale Alert highlighted a transaction on May 24, where a large sum of Bitcoin [BTC] changed hands between two anonymous wallets. According to the alert, the transaction took place at 22:13:23 + 1 minutes and 5,000.00001092 BTC was transferred from an unknown wallet, with address 19SiCYaYKZh9A8HUjuh14eg5wtYzKxiFbB, to another unknown wallet with address 14GcjGjxwadzcpmq9EG3KUgTKATjurbnWt.

Read more at https://bit.ly/2VRQwb0

2) Bitwise Report 2.0: Bitcoin [BTC] futures continue growth: On a month-on-month basis, Bitcoin Futures saw a massive bump in April, trading at an average of 10,000 contracts daily and peaking on April 4, with over 22,000 contracts traded. To put that number in perspective, in March 2019, the average number of contracts traded was less than 4,000. Despite the high standards set in April, the average daily contracts traded in May, with 25 days gone, has exceeded 14,000 and still looks to grow, given the price performance of Bitcoin.

Read more at https://bit.ly/2W40sTR

3) Craig Wright on private keys: Craig S Wright has, for years, claimed he is the true creator of Bitcoin [BTC] without providing a shred of evidence to support the same. With the crypto-community arguing that Wright could prove his worth by sending BTC from Satoshi Nakamoto’s touted wallet containing around 980,000 BTCs, the BSV man, in a twisted cause-and-effect situation, stated he will “sign” into his wallet only when he proves he is the creator.

Read more at https://bit.ly/2X6fdlw

4) Tether’s [USDT] market cap hits ATH: Tether and Bitfinex are being closely scrutinized now more than ever due to the NYAG’s lawsuit; however, the scrutiny doesn’t seem to have affected Tether as the market cap of USDT has increased by over $100 million in approximately 70 days.

Read more at https://bit.ly/2McaTjE

5) Tether volume shift: Another controversial topic in the cryptocurrency industry was the issue of fake transaction volumes on many of the popular cryptocurrency exchanges. The magnitude of the topic was so large that even Changpeng Zhao, the Chief Executive Officer [CEO] of Binance, had raised red flags. This topic and Tether as a whole received another twist when Larry Cermak, the Director of Research at The Block, pointed out a few parameters when it came to the said volume.

Read more at https://bit.ly/2wmk4mJ

6) Bitfinex’s LEO tokens listed on Delta Exchange: Bitfinex’s Leo tokens faced quite a lot of criticism when they were announced, due to the missing $850 million funds from Bitfinex. The private investment round by Bitfinex also faced a lot of heat from the media. However, in a recent development, Leo tokens are being listed on various exchanges for trading.

Read more at https://bit.ly/2HUEnNB



7) Robinhood en route to a projected valuation of $7 billion: Robinhood, the California-based cryptocurrency exchange, made headlines recently when a source close to the organization revealed that it was on the verge of closing its latest round of funding at a valuation of a whopping $7 billion – $8 billion. Sources even claimed that the current round of funding could act as a precursor to an even bigger round of funding, which would pit Robinhood against bigwigs like Coinbase and Binance.

Read more at https://bit.ly/2W64KKj




