Monero's (XMR) Developers Fix Major Double Spending "Burning Bug"

  • Serious bug in Monero's XMR crypto platform was recently fixed.
  • The "burning bug" would have allowed an attacker to double spend and destroy the digital currency in an organization's wallet.

The developers of Monero (XMR) have reportedly fixed a bug in the crypto platform’s codebase that could have potentially led to its users losing their funds or double spending. Referred to as the “burning bug”, it would have allowed an attacker to send the privacy-oriented cryptocurrency to a stealth (for one-time only use) address numerous times.

"Burning Bug"

Should this have happened, the digital funds would not be usable, or spendable, ever again. The Monero development team said if the attacker used a normal (permanent) address, the cryptocurrency sent would have been “burned” or destroyed.

As noted in a September 25th blog post by the Monero team, crypto exchange operated wallets would have been vulnerable to the now patched “burning bug.” The vulnerability’s post mortem report explained that exchanges are set up so that they quickly deposit XMR to wallets so users can issue buy or sell orders.

However, the deposited funds cannot be spent as the digital currency they’ve received may not be usable for an outgoing transaction. As described in the Monero team’s blog, the bug “entails the wallet not providing a warning” if it is sent “burnt output.”

"Means To Indirectly Benefit"

This vulnerability could potentially have allowed a bad actor to burn funds belonging to an organization’s crypto wallet, the blog explained. The attacker would not gain any monetary benefit from this malicious activity and they would also have to pay small transaction fees. However, Monero team’s blog said “there are probably means to indirectly benefit.”

As mentioned, the bug would have allowed XMR to be transferred to the same stealth address multiple times. As a result, “multiple duplicate key images” would be generated but the blockchain network will reject a key image if it was previously found on its ledger - as this would be seen as “an attempt” to double spend.

"Unspendable/Burnt Outputs"

So, this particular bug could have been exploited as the stealth address would allow a user to only spend from it once. In other words, it would only allow one valid output (or outgoing) transaction to be issued “by selecting the largest denomination” (default) from all the transactions.

“The remainder of the outputs would be unspendable/burnt”, the Monero team wrote. They also explained how the attacker could have “practically” exploited the bug had it not been fixed:

An attacker first generates a random private transaction key. Thereafter, they modify the code to merely use this particular private transaction key, which ensures multiple transactions to the same public address (e.g. an exchange's hot wallet) are sent to the same stealth address.

Monero's Developers

Employing this strategy, the bad actor could “send a thousand transactions of 1 XMR to an exchange. Because the exchange's wallet does not warn for this particular abnormality … the exchange will … credit the attacker with 1000 XMR.”

Using the XMR received, the attacker could exchange it for Bitcoin (BTC) and then withdraw his or her funds - resulting in the exchange being “left with 999 unspendable / burnt outputs of 1 XMR.”

Ethereum Co-Founder Tells Binance CEO Crypto Can Do More Than Reform Money

Ethereum co-founder Vitalik Buterin has told Binance CEO Changpeng Zhao that cryptocurrencies can do more than just “reform money,” adding the crypto community should expand beyond the finance mentality.

In a tweetstorm, the co-founder of the second-largest cryptocurrency by market capitalization argued that some of the most popular narratives in the cryptocurrency space do not apply to this year’s crisis. Per Buterin, while Bitcoin was created n the aftermath of a global financial crisis in 2008, this year we’re dealing with a “virus crisis,” a crisis related to epistemology, and one of “overbearing policing.”

As a result, he said, the narrative bitcoiners user surrounding inflation is not the best one to use right now, taking into account that while the Federal Reserve’s balance sheet has been growing, inflation isn’t.

Buterin added, pointing to the March crash in equity markets and in the cryptocurrency space, that Bitcoin and other cryptos are also not uncorrelated to traditional assets, as at the time both dropped significantly. While Bitcoin has since recovered to give investors positive returns YTD, the S&P 500 has been struggling to climb back up to its highs.

Nevertheless, Buterin argued that it is time for the cryptocurrency community to understand “finance is relatively less important this decade than it was in the last decade,” and adjust to this new reality. The co-founder of ETH added his cryptocurrency already has various applications that go beyond finance, including governance, decentralized communities, censorship-resistant publishing and communication, and more.

Per his words, stablecoins have succeeded in the space because users are not trying to get away from the U.S. dollar, but are instead moving into the cryptocurrency environment to have more options on what they can do with their own money.

He then pointed to a tweet from Binance CEO Changpeng Zhao arguing “Bitcoin is the peaceful protest,” and claimed that “reforming money is not sufficient” and the crypto community needs to expand its mentality.

Buterin went on to say that 2016-.2020 is a “period of ideological realignment. Many old ideologies and coalitions are dying, and many new ones being born. The hills and valleys on the battlefields are shifting.”

Featured image via Unsplash.