Monero's bug bounty program on HackerOne turned up several bugs in the Monero code. One of them made it possible to withdraw more from crypto exchanges than was originally deposited. Exploiting it required adding one line to the open-source code of the crypto wallet.
Steps To Reproduce:
- Deliberately double-sign a transaction with the tx pub key, e.g. by doubling the add_tx_pub_key_to_extra(tx, txkey_pub); call in
- Transfer an amount (or send to an exchange)
- See 2x the transferred amount appear on the recipient wallet (or the exchange).
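The accounting flaw behind these steps can be modeled on the receiving side, together with the check a deposit monitor can run. This is an added example, not code from Monero or from the HackerOne report; it assumes the receiving wallet scanned the outputs once for every tx pub key entry in the transaction's extra field, and Tx, Output, is_ours and the sample values are hypothetical stand-ins for the real key derivation.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <set>
#include <string>
#include <vector>
// Simplified, hypothetical model (not Monero's wallet code).
struct Output { std::string derived_from; std::uint64_t amount; };
struct Tx {
    std::vector<std::string> extra_pub_keys;  // tx pub key entries found in tx extra
    std::vector<Output> outputs;
};
// Stand-in for key derivation: the output is ours if it was built from this tx pub key.
static bool is_ours(const std::string& pk, const Output& out) { return out.derived_from == pk; }

// Assumed flawed accounting: all outputs are scanned once per pub key entry.
std::uint64_t received_naive(const Tx& tx) {
    std::uint64_t total = 0;
    for (const auto& pk : tx.extra_pub_keys)
        for (const auto& out : tx.outputs)
            if (is_ours(pk, out)) total += out.amount;
    return total;
}
// Hardened accounting: each output index is credited at most once.
std::uint64_t received_once(const Tx& tx) {
    std::uint64_t total = 0;
    std::set<std::size_t> credited;
    for (const auto& pk : tx.extra_pub_keys)
        for (std::size_t i = 0; i < tx.outputs.size(); ++i)
            if (is_ours(pk, tx.outputs[i]) && credited.insert(i).second)
                total += tx.outputs[i].amount;
    return total;
}
// Detection for deposit monitoring: flag a tx whose extra repeats a tx pub key.
bool has_duplicate_tx_pub_key(const Tx& tx) {
    std::set<std::string> seen;
    for (const auto& pk : tx.extra_pub_keys)
        if (!seen.insert(pk).second) return true;
    return false;
}
// Constructed sample: one output of 5 units to us, tx pub key listed twice.
Tx sample_tx() { return Tx{{"P", "P"}, {{"P", 5}, {"other", 1}}}; }

int main() {
    const Tx tx = sample_tx();
    std::cout << received_naive(tx) << ' ' << received_once(tx) << ' ' << has_duplicate_tx_pub_key(tx) << '\n';
}
```

For an exchange, the practical takeaway is to reconcile credited deposits per output rather than per scan pass, and to treat a repeated tx pub key in a deposit transaction as a signal for manual review.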
If you hold Monero, there is nothing to worry about: the issue was found and fixed 29 days ago, on Jul 5th. The person who found this vulnerability has already been rewarded (10 XMR, by the way). You can check all the details yourself here.
Even though the severity of this issue is very high (9 out of 10), it seems that no exchange has reported stolen funds or been affected (there is no evidence or news of that).
The bug also affected tokens that use the Monero code base.
Experts have discovered a node vulnerability and an open vector suitable for DoS attacks aimed at overloading the Monero blockchain. These vulnerabilities have now been fixed.
In July this year, the international cyber security company Kudelski Security completed its verification of the new Monero protocol.
The experts identified only a few minor deviations, which the developers have already corrected. In other respects, the result is extremely positive.
The protocol is to be introduced on the main network in early to mid-autumn 2018. Monero is waiting for 2 more audits, from Quarkslab and Benedikt Bünz, while the protocol runs on the test network. Experts believe that the cryptocurrency's rate may go up after the protocol launches.