Monero (XMR) Wallet Software Has A Bug That Could Enable Exchange Hacks – A Patch Release Is On Its Way
It seems that the Monero (XMR) wallet software has a bug that could enable fake deposits to crypto exchanges.
This was brought to light by a Medium post published by the official Ryo (RYO) account a few days ago, reports Cointelegraph.
How does the exploit work?
The Medium post offers a detailed explanation of how this exploit works.
The post begins by saying that “RingCT has an extremely insecure design where the amount displayed to the user (from now called masked amount) is different from the amount checked by the network (from now called commitment).”
The Medium post continues and explains that “When a Coinbase transaction is minted it will include a plaintext amount and a null rct signature. Network will construct commitment from this plaintext amount.”
We recommend that you head over to Medium and continue reading the whole detailed explanation.
Cointelegraph explains that this mishandling could allow an attacker to fake the deposit of an arbitrary amount of XMR to an exchange.
A fix is on its way
An email was also reportedly sent to the Monero-announce mailing list, warning exchanges and service operators about the issue.
The email also includes parameters for the wallet which are “effectively a workaround preventing the vulnerability from being exploitable. The official Monero profile also tweeted the same workaround on March 3,” according to Cointelegraph.
The same online publication reports that a few hours later, the Monero account posted that the fix for this vulnerability had already been written and was waiting to be reviewed.
Monero was recently in the spotlight again after 400 servers running Docker, a virtualization software, were found to be vulnerable to exploitation.
Most of them are running Monero (XMR) mining software, according to the latest reports coming from cybersecurity company Imperva.
Andreas Townsend Author
I have been a technical writer, author and blogger since 2005. An industry watcher who stays on top of the latest features, extremely passionate about finance news and everything related to crypto.