Monero Glitch Allowed Hackers to Steal XMR From Crypto Exchanges

Aug 05, 2018 at 10:46 // News
Author
Coin Idol
The inventive hackers form fraudulent transaction data through the copying of an easy line of code from the Monero wallet code base, which is open-sourced and absolutely obtainable online.

The Next Web's in-house crypto column recently reported that Monero, the paramount privacy-centric crypto, was subject to a  somewhat minor cybersecurity vulnerability.

The inventive hackers form fraudulent transaction data through the copying of an easy line of code from the Monero wallet code base, which is open-sourced and absolutely obtainable online. 

Medium of Attack 

These malevolent actors could then influence the amount of crypto indicated by the wallet they needed, with every new line of copied code increasing the amount of Monero displayed. 

As this bug doesn't ease the materialisation of XMR out of an unknown location, attackers could use this advantage as a medium of attack against any crypto exchange. More certainly, malevolent users could trick exchange support staff teams into crediting their account using Monero which doesn't exist, with one coder revealing that people could intimidate a value of up to 8,000 times more than the initial transaction sum. 

A security researcher that initially disclosed this glitch noted: 

“An attacker could exploit this repeatedly to siphon off all of the exchange’s balance.” 

It is also paramount to say that this vulnerability has also impacted an effect on other Monero-based Cryptos, that exploit changes of the CryptoNote protocol to operate adequately. This directed change came about after various cybersecurity experts and researchers revealed that ARQ tokens, a hard-fork of Monero, was also subject to the previously mentioned glitch. 

Altex Exchange Fall Victim 

Nevertheless, the flaw has since been modified, or at least for Monero anywise, as it still stands unclear whether the rest of developers of CryptoNote-based coins reacted to the issue. 

While as developers were fast to patch the issue for Monero, a low profile exchange known as Altex used Twitter to inform users understand that hackers had applied the security flaw to advantage their side. The Altex team noted

“We have been experiencing issues with two of our listed coins (they were still affected by the double-counting bug recently found in the Monero codebase, even after updating the software). That bug caused a big loss in coins for the exchange and we have put our main currency under maintenance so the people who exploited the bug can no longer withdraw… We will suspend trading for now and keep writing updates on our twitter. We are trying to resolve this situation ASAP, we hope you understand.” 

From the investigation, it became evident that the exchange that is in question started to observe this issue in early last month, and tweeted that "every CryptoNote-based coin" will undergo maintenance process due to a bug. 

Since the exchange depends largely on the trading and application of Monero plus other CryproNote Cryptos, they were put in a difficult financial situation because of this very cybersecurity flaw. While as Altex may be facing challenges, there are now no public reports of more exchanges being victims due to the use and application of this bug.