A total of nine bugs were identified by HackerOne users. No cases were detected in which a hacker took advantage of Monero’s vulnerabilities.
Nine vulnerabilities or bugs were recently discovered in Monero (XMR), the privacy-focused cryptocurrency. One of them allowed false transactions to be sent to Monero wallets. The bugs were reported by HackerOne users and have been fixed.
The main flaw, which is described in a long report, implies that by mining a special, vulnerable block, a hacker would have been able to send fake transactions to Monero wallets, in any amount of XMR. This would allow the attacker to transfer counterfeit XMR to wallets at cryptocurrency exchanges and, once the balance was credited, convert it into other cryptocurrencies and withdraw it.
According to another report from a user of HackerOne, a platform that offers computer security solutions, the system was exposed to attacks through denial-of-service (DoS) vectors. In one case, the bug allowed a Monero sender to scam the recipient by sending transactions that misreported the amount received. The error was capable of showing an amount up to eight times higher than the amount actually sent.
Another similar flaw, recorded in an additional report, is related to CryptoNote. This protocol, which Monero uses as a privacy layer, reportedly has a fundamental flaw that makes the platform susceptible to DoS attacks capable of taking down its network nodes.
The other flaws are hypothetical risks, and the respective patches were created to fix them. However, Monero is not the only platform in danger: all of its versions up to the recent v0.14.0.2 showed the vulnerability, and in this sense all platforms that work with CryptoNote may be at risk.
This was the state of the system's security until March, when the flaws mentioned above were fixed. The bugs were described as proofs of concept (PoC), which implies that these latent vulnerabilities in the system were not exploited. Consequently, they existed only as a possibility, not as a fact.
This comes less than a year after the project faced a similar risk. In September 2018, a patch was released for a bug found in Monero's blockchain code, which allowed money to be extracted from users’ wallets at exchanges. Fortunately, no exploitation of the vulnerability was recorded.
In any case, dEBRUYNE, a Monero developer, emphasized that the vulnerabilities that were discovered are a reminder that cryptocurrency and its corresponding software are still in their infancy and are susceptible to unpredictable critical failures.
By Willmen Blanco