The developers of Monero (XMR) call it the "burning bug", and they might never have done anything about it if an anonymous user hadn't posted an innocent-sounding hypothetical question on the currency's subreddit last month.
“What happens if I spend from a specific stealth address and then someone sends more to it? Are the funds inaccessible as the key image has already been used?”
The question must have sounded harmless until the developers realised that this apparent non-expert had just identified a serious flaw in the wallet software used to transact the controversial currency, reportedly the world's tenth most popular.
Awkwardly, it seems the same issue was raised in 2017, when it met with a "why would anyone do that?" reaction.
The TL;DR is that a software patch was officially issued this week to several exchanges, on top of the v0.12.3.0 release branch and as a source-code pull request, which presumably they will apply if they're on the mailing list.
The burning bug itself highlights a problem arising from the use of stealth addresses, a concept little known outside the cryptocurrency community but one that has become particularly important to privacy-conscious Monero users.
These are mostly used by recipients of funds (merchants or exchanges): anyone sending them coins derives a fresh one-time address for each payment from the recipient's published address, so that on the blockchain the separate payments cannot be linked to the recipient by anyone other than the two parties involved.
How this is done matters a great deal, however. An attacker exploiting the weakness could send 1,000 outputs of 1 XMR to the same one-time stealth address, each of which therefore carries the same key image (the key image is derived from the one-time address, so reusing the address reuses the key image, and the network will only ever let one output with a given key image be spent). The wallet software should have flagged the 999 duplicates, but it didn't: because of the way it handled outputs to stealth addresses, it simply credited the recipient with the full 1,000 XMR.
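To make the mechanics concrete, here is an added toy model written for this article, not code from the Monero project. SHA-256 hashing stands in for the elliptic-curve arithmetic, so nothing here is a real key; what it preserves is the structure: the key image is a function of the one-time output key alone, the network enforces one spend per key image, and a wallet that credits outputs without checking for repeated key images books 1,000 XMR of which only 1 can ever be spent. The class names, the address string and the "randomness" strings are all constructed for the example.

```python
"""Toy model of Monero's burning bug (added illustration, not project code).

Real Monero derives a one-time output key P = Hs(r*A)*G + B from the
recipient's address (A, B) and per-transaction randomness r, and the key
image I = x*Hp(P) from the matching one-time secret x. Here SHA-256 stands
in for that curve arithmetic; the dependency structure is what matters.
"""
import hashlib
from dataclasses import dataclass


def h(*parts: str) -> str:
    """Hash stand-in for the curve arithmetic (toy model only)."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


@dataclass(frozen=True)
class Output:
    one_time_pubkey: str  # the stealth address P this output was paid to
    amount: int


def derive_one_time_key(recipient_addr: str, tx_randomness: str) -> str:
    """Fresh randomness per transaction gives a fresh P; reusing it reuses P."""
    return h("P", recipient_addr, tx_randomness)


def key_image(one_time_pubkey: str) -> str:
    """The key image depends on P alone, so outputs at the same P share it."""
    return h("KI", one_time_pubkey)


class Network:
    """Consensus rule: any given key image may be spent only once."""

    def __init__(self) -> None:
        self.spent = set()

    def spend(self, out: Output) -> bool:
        ki = key_image(out.one_time_pubkey)
        if ki in self.spent:
            return False  # rejected as a double spend
        self.spent.add(ki)
        return True


class VulnerableWallet:
    """Pre-patch behaviour: credits every decodable output, no duplicate check."""

    def __init__(self) -> None:
        self.outputs = []

    def receive(self, out: Output) -> bool:
        self.outputs.append(out)
        return True

    def balance(self) -> int:
        return sum(o.amount for o in self.outputs)


class PatchedWallet:
    """Post-patch behaviour: an output whose key image is already held is
    recorded as burnt instead of being added to the spendable balance."""

    def __init__(self) -> None:
        self.outputs = {}  # key image -> Output
        self.burnt = []

    def receive(self, out: Output) -> bool:
        ki = key_image(out.one_time_pubkey)
        if ki in self.outputs:
            self.burnt.append(out)
            return False
        self.outputs[ki] = out
        return True

    def balance(self) -> int:
        return sum(o.amount for o in self.outputs.values())


def run(outputs):
    """Feed the same outputs to both wallets, then try to spend everything
    the vulnerable wallet believes it owns. Returns credited vs. spendable."""
    vuln, patched, net = VulnerableWallet(), PatchedWallet(), Network()
    for o in outputs:
        vuln.receive(o)
        patched.receive(o)
    spendable = sum(o.amount for o in vuln.outputs if net.spend(o))
    return {
        "credited_vulnerable": vuln.balance(),
        "credited_patched": patched.balance(),
        "flagged_burnt": len(patched.burnt),
        "actually_spendable": spendable,
    }


def attack(n: int = 1000, amount: int = 1):
    """Constructed attack: n payments to one exchange address that all reuse
    the same transaction randomness, hence the same stealth address."""
    p = derive_one_time_key("exchange-address", "reused-r")
    return run([Output(p, amount) for _ in range(n)])


def honest(n: int = 1000, amount: int = 1):
    """Constructed honest traffic: fresh randomness for every payment."""
    outs = [Output(derive_one_time_key("exchange-address", f"r{i}"), amount)
            for i in range(n)]
    return run(outs)


if __name__ == "__main__":
    print("attack:", attack())
    print("honest:", honest())
```

Running it shows the asymmetry the article describes: against the attack, the vulnerable wallet reports a balance of 1,000 while the patched wallet reports 1 and flags 999 outputs as burnt, and the network indeed lets only one of them be spent; against honest traffic both wallets agree on 1,000 and nothing is flagged. The check is cheap because the wallet already computes the key image for every output it owns; the fix is simply to refuse to count a second output with a key image it has already seen.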
Monero's developers elaborated:
“The attacker then sells his XMR for BTC [Bitcoins] and lastly withdraws this BTC. The result of the hacker’s action(s) is that the exchange is left with 999 unspendable/burnt outputs of 1 XMR.”
Nobody can recover the 999 burnt outputs, because any attempt to spend them would be rejected by the network as a double spend, leaving the exchange facing a sizeable loss for every batch of such transactions. The attacker, meanwhile, has merely swapped 1,000 XMR for BTC worth the same amount.
No direct profit, then, but perhaps indirect gains from harming exchanges or from profiting on movements in Monero's price that an attack might trigger.
The Monero developers concluded that:
“We, as the Monero community, should seek means to get more eyes on the code and especially new pull requests.”