Open-Source Club: Monero Dodges Yet Another Attack With Community’s Help

Published at: Sept. 28, 2018

This week, the developers of Monero (XMR) patched a bug that could allow an attacker to ‘burn’ the funds of an organization’s wallet. The flaw was first described by a community member, and XMR developers fixed it before any damage was done.

Anonymity above all: How Monero works

Simply put, Monero (XMR) is a cryptocurrency like Bitcoin (BTC), but with an additional focus on anonymity. It was established in 2014, when bitcointalk.org user thankful_for_today forked the codebase of Bytecoin under the name BitMonero. To establish the new coin, he used ideas that were first outlined in a 2013 white paper called ‘Cryptonote,’ written by an anonymous author known as Nicolas van Saberhagen. Ironically, BitMonero was soon forked itself by open-source developers and renamed ‘Monero’ (which means ‘coin’ in Esperanto). It has remained an open-source project ever since.

XMR has considerably more privacy properties than BTC: Instead of just being a decentralized coin, Monero is designed to be fully anonymous and virtually untraceable. Thus, XMR is based on the CryptoNight proof-of-work (PoW) hash algorithm, which allows it to use ‘ring signatures’ (which mix the spender's address with a group of others, making it more difficult to trace transactions), ‘stealth addresses’ (which are generated for each transaction and make it impossible for anyone other than the sender and the receiver to discover the actual destination of a transaction), and ‘ring confidential transactions’ (which hide the transferred amount).

In 2016, XMR experienced more growth in market capitalization and transaction volume than any other cryptocurrency (almost a 2800 percent increase, as per CoinMarketCap). A lot of that growth came from the underground economy. Being an altcoin that is tailor-made for fully private transactions, Monero eventually became accepted as a form of currency on darknet markets like AlphaBay and Oasis. Specifically, after being integrated on the darknet in the summer of 2016, its value “immediately increased around sixfold,” according to Wired.

"That uptick among people who really need to be private is interesting," Riccardo Spagni, one of the Monero core developers, told the publication in January 2017. "If it’s good enough for a drug dealer, it’s good enough for everyone else."

Monero’s alleged privacy remains a controversial topic, as some suggest that the coin is not in fact fully anonymous. In an August interview with Bloomberg, United States Drug Enforcement Administration (DEA) special agent Lilita Infante noted that although privacy-focused currencies are less liquid and more anonymous than BTC, the DEA “still has ways of tracking” altcoins such as Monero and Zcash. Infante concluded:

“The blockchain actually gives us a lot of tools to be able to identify people. I actually want them to keep using [cryptocurrencies].”

Interestingly, while Europol’s latest cybercrime report suggests that BTC remains the most popular cryptocurrency for criminal activities, it also predicts a rise in the demand for anonymity-focused altcoins, including Monero (XMR).

The privacy-focused nature of Monero also prevents it from being listed on some compliant crypto exchanges. For instance, in June, Japan-based Coincheck delisted XMR and three other anonymity-focused altcoins to follow Counter-Terrorist Financing (CFT) and Anti-Money Laundering (AML) procedures issued by the local financial regulator.

The burning bug: Potential threat to Monero’s ecosystem

On Sept. 18, user u/s_c_m_l described a hypothetical attack within the XMR ecosystem on the Monero official subreddit:

“I can imagine an attack where ‘A’ procures [a] large amount of XMR and [sends] it to ‘Exchange B’ in many transactions with the same stealth address. ‘A’ then exchanges that XMR for other currency and cashes out, leaving the exchange paralyzed [and] unable to use that XMR.”

Importantly, the Monero blockchain ‘burns’ XMR sent in multiple transactions to an identical stealth address, seeing them as illegitimate: only one single ‘correct’ transaction can go through. Burned XMR, in turn, are fully unusable, as they cannot be replaced.

More specific details on the attack were described in a Monero blog post:

“An attacker first generates a random private transaction key. Thereafter, they modify the code to merely use this particular private transaction key, which ensures multiple transactions to the same public address (e.g., an exchange's hot wallet) are sent to the same stealth address. Subsequently, they send, say, a thousand transactions of 1 XMR to an exchange. Because the exchange's wallet does not warn for this particular abnormality (i.e., funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1000 XMR.

“The attacker then sells his XMR for BTC and lastly withdraws this BTC. The result of the hacker’s action(s) is that the exchange is left with 999 unspendable/burned outputs of 1 XMR.”

Simply put, the bug allowed hackers to burn the funds of an organization's wallet, such as that of an exchange, while only having to pay the network transaction fees. Although they wouldn’t obtain any money from doing so, “there are probably means to indirectly benefit,” as the Monero team suggested. For instance, the attackers could manipulate the market, as they would have control over the coin supply of XMR.
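The quoted blog post pins the problem on the receiving wallet, which “does not warn” when funds arrive on the same stealth address. As an added illustration (not Monero's patch and not code from the article), the deposit-side check below counts each stealth address only once and flags every repeat; `DepositLedger`, `replay`, the crediting policy and all sample values are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

ATOMIC = 10**12  # atomic units per XMR


@dataclass
class DepositLedger:
    """Credits incoming outputs, counting each stealth address only once."""
    best: dict = field(default_factory=dict)    # stealth address -> largest amount seen
    alerts: list = field(default_factory=list)  # (txid, address, amount) of repeats

    def receive(self, txid: str, stealth_addr: str, amount: int) -> int:
        """Return the amount (atomic units) that may be credited for this output."""
        prev = self.best.get(stealth_addr)
        if prev is None:
            self.best[stealth_addr] = amount
            return amount
        # Same stealth address again: only one of these outputs can ever be spent.
        self.alerts.append((txid, stealth_addr, amount))
        if amount > prev:
            # Assumed policy: treat the larger output as the spendable one
            # and credit only the difference over what was already counted.
            self.best[stealth_addr] = amount
            return amount - prev
        return 0

    def spendable(self) -> int:
        return sum(self.best.values())


def replay(deposits):
    """Feed (txid, stealth_addr, amount) tuples in; return (naive, credited, alerts)."""
    ledger = DepositLedger()
    naive = sum(amount for _, _, amount in deposits)
    credited = sum(ledger.receive(*d) for d in deposits)
    assert credited == ledger.spendable()  # credits never exceed spendable funds
    return naive, credited, len(ledger.alerts)


# Constructed sample: 1000 x 1 XMR to one reused address, plus one ordinary deposit.
REUSED_ADDR = "aa" * 32  # placeholder value, not a real key
SAMPLE = [(f"tx{i:04d}", REUSED_ADDR, 1 * ATOMIC) for i in range(1000)]
SAMPLE.append(("tx-honest", "bb" * 32, 5 * ATOMIC))

if __name__ == "__main__":
    naive, credited, n_alerts = replay(SAMPLE)
    print(naive // ATOMIC, credited // ATOMIC, n_alerts)
```

On the constructed sample, a wallet that sums every output would book 1005 XMR, while the ledger credits 6 XMR and raises 999 alerts, matching the 999 burned outputs in the blog post's scenario.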

Monero handled the breach calmly

The Redditor’s theory became widely discussed within the Monero subreddit, and the developers reached out with a public announcement only after fixing the issue. On Sept. 25, the Monero team declared that a private patch was “promptly created and later included in the code” after discovering the potential vulnerability. After that, they reportedly notified “as many exchanges, services and merchants as possible,” explaining that the patch had to be applied on top of the v0.12.3.0 release branch.

In an accompanying blog post, Monero developers argued that this was “clearly not the preferred method” because some parts of the Monero ecosystem were still left out, but there was limited time to eliminate the bug. After that, the glitch was announced via the public mailing list, as it is “imperative to be subscribed to the public mailing list” for any organization that deals with Monero, the developers argued.

Finally, Monero claims that the bug “did not affect the protocol and thus the coin supply was not affected,” hence no attackers were quick enough to actually exploit the bug.

XMR community stays on guard

This was not the first security concern regarding Monero within the past month. In early September, Twitter and Reddit users started to point out that the MEGA Chrome extension was compromised. The MEGA Chrome extension is a tool that claims to improve browser performance by reducing page loading times, as well as providing a cloud storage service.

Redditor u/gattacus posted on Monero’s official subreddit that the MEGA Chrome extension version 3.39.4 seemed suspicious:

“There was an update to the extension and Chrome asked for new permission (read data on all websites). That made me suspicious and I checked the extension code locally (which is mostly javascript anyways). MEGA also has the source code of the extension on github […] There was no commit recently. To me it looks either their Google webstore account was hacked or someone inside MEGA did this. Pure speculation though.”

The application was removed from the Chrome Web Store after roughly four hours. Later, the MEGA team clarified that version 3.39.4 was a malicious update performed by unknown hackers with the aim of compromising users’ private information. Soon, it became clear that the attack didn’t center around Monero specifically, as the malicious code was reportedly activated on websites such as Amazon, Google, Microsoft, GitHub and MyEtherWallet along with Monero XMR web wallet services. This time, the fault wasn’t on Monero’s end.

The ‘burning bug,’ in turn, was possible due to a flaw in XMR’s code, but the developers were quick to react to the warning signal raised by the altcoin’s community.
