Monero patches security vulnerabilities; the worst of which could have made exchanges vulnerable to XMR theft

Security • July 5, 2019, 4:00PM EDT
UPDATED: July 5, 2019, 3:03PM EDT
The Block

Monero has revealed nine security vulnerabilities, two of which were assessed as “critical.” Eight of the bugs have already been fixed, The Next Web's Hard Fork writes. Five of the vulnerabilities constituted a DDoS risk.

According to the report, bad agents were able to design “specifically-crafted” blocks so that Monero wallets would accept fake deposits in exchange for XMR. The vulnerability could have been used to steal money from cryptocurrency exchanges. Security researchers who discovered the bug received a 45 XMR ($4,100) reward.

Among the patched vulnerabilities was a CryptoNote-related exploit that could have been used to take Monero nodes down if a bad actor requested a lot of blockchain data.

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

“If you have quite a big blockchain, then you can push a protocol request that will call all of its blocks from another node, which could be hundreds of thousands of blocks,” according to Andrey Sabelnikov, the researcher who uncovered the bug. A response like this requires a lot of resources and huge consumption of memory, he added.

According to Sabelnikov, other cryptocurrencies using CryptoNote could share the vulnerability with Monero.

Most of the vulnerabilities seem to have been fixed in June as the reports coincide with the release of Monero version 0.14.1.0 in June. One, still mostly classified at the moment, awaits a fix.

More by Carol Gaszcz