Monero Reports on Resolving Fake XMR Minting Bugs a Month After Fix
Cryptocurrency is so far on the cutting edge that it almost defines it, yet some are finding out the hard way that it’s even sharper than anticipated. The frightening reveal of nine security bugs through HackerOne internet security platform that had affected Monero (XMR) in recent months — ranging from the insignificant and solved to the malicious and live — was a big wake-up call for blockchain enthusiasts. Five of these vulnerabilities constituted a dire DDoS risk (one of that was labeled critica)l, but eight of the bugs are now fixed, including the most severe one discovered.
The big deal with a faux XMR
On June 3, a blockchain developer on HackerOne announced the discovery of a severe exploit in Monero that had granted hackers the ability to "create" fake XMR and send them to exchanges. The report stated:
“By mining a specially crafted block that still passes daemon verification, an attacker can create a miner transaction that appears to the wallet to include sum of XMR picked by the attacker. It is our belief that this can be exploited to steal money from exchanges."
Though the fake XMR bug is one among a list of issues with Monero — and the biggest losers are exchanges rather than traders or investors — it demonstrates that even the most private and security-centric coins can be compromised. This is nothing less than a very visible threat to the entire ecosystem. Cryptocurrency is absolutely worthless if it fails to deliver on its most foundational promise of security and transparency. With (currently) limited functionality for cryptocurrencies in comparison to fiat money, if coins concede on their primary advantage, then what’s the point? CEO of the exchange Codex, Serge Vasylchuk, told Cointelegraph:
“Most of the vulnerabilities were disclosed few months ago, yet were only now fixed. While Monero developers are doing great work, they cannot guarantee no new coins were minted by deceiving an exchange. If such an attack would occur, it might've taken a long time until the exchange would've noticed it, unless their security mechanisms are advanced enough to scan its cold wallet storage and compare it with account deposits very quickly.”
Especially for Monero — a self-proclaimed privacy and security coin — these failings may seem unforgivable. They raise significant doubts about the idea that cryptocurrencies are generally infallible and put greater onus on exchanges to complete regular audits and be more selective in the tokens they list. This concept wasn’t as judiciously considered before now, but with the latest problems in Monero, we may see an industry-wide effort to clean up shop. The sheer number of issues revealed simultaneously by Monero, even if most had already been fixed, shows the desperate efforts that projects make to close gaps soon after they appear.
Monero bugs tear down the curtains on crypto
Another issue that has been exposed by Monero is that crypto is highly susceptible to the domino effect, given how the newest solutions are often stacks of first-iteration blockchain software. The other critical issue reported on HackerOne was one affecting all tokens using the CryptoLive application layer, and not just Monero. A CryptoLive bug that led to DDoS susceptibility would affect all projects, cryptocurrency exchanges on which these coins appear and investors as well. This illustrates the idea that crypto is anything but airtight, and that its close-knit ecosystem may instead be ripe for contagion.
However, there’s somewhat of a silver lining to these recent events: There was no report of these bugs appearing elsewhere — and the fact that Monero brought it to the community’s attention willingly does mean a lot — and a progressive angle that capably addresses the potential domino effect. By being historically public (rather than muddying the waters) about the issues in their software, Monero has effectively warned others in the space about potential predicaments and shows that it’s committed to its users. It also harkens to last year when a Monero wallet bug was revealed by the company and immediately solved alongside a public statement warning of crypto’s risks and novelty.
Regarding this, Charles Guillemet, the chief security officer at hardware wallet Ledger,, told Cointelegraph in a conversation that transparency increases the trust one can have in these blockchains. On the other hand, a disclosure putting users at risk would be irresponsible.
No company that was only interested in capital, or in being the “first-mover” rather than a blockchain leader, would publish that their issues are “again an effective reminder that cryptocurrency and the corresponding software are still in its infancy and thus quite prone to (critical) bugs,” like Monero did in a recent blog post.
Another concern that arises from this whole XMR situation is the bug repayment issue. Are bug bounties a sufficient method for raising security issues in the blockchain space, or does Monero's handling of its own issues demonstrate the need for a better or more prompt solution? Guillemet has also commented to Cointelegraph regarding this:
“Bounty programs are an excellent way to incentive security researchers to behave responsibly. It becomes problematic when companies / organizations use bounties to outsource their security work. Bounties shall not replace red teaming, secure development and third party audits by recognized labs. A common mistake consists in thinking that open source and bounty program guarantees security. It's clearly wrong and we have seen many examples of this.”
Monero merely the latest
The other major hacks occurring in the crypto industry help put Monero’s troubles in context, and when zooming out, one quickly realizes that the technology may not be ready for the mainstream as it exists now. If a decentralized app or platform on the scale of many that are popular today — Facebook Messenger, WeChat, Airbnb — were to be hacked in the way that Monero was, it would be an international crisis in the same league as Cambridge Analytica or beyond. Frankly, the size of some crypto hacks should make us grateful that digital tokens aren’t a bigger part of how the world works at this point in time.
Earlier this year, the monthly count for vulnerabilities in major blockchain platforms and projects climbed to 43, with issues found in Coinbase, Brave, Tendermint, Ledger and others. At present the white-hat hacker crowd and internal developers are the majority of sweat equity being invested into bug fixes, with tens of thousands given out each month by projects that put bounties on their biggest glitches.
Regulators are undoubtedly struggling with the overwhelming and precarious pyramid of projects they’ve been tasked to organize, but it must happen (even with a restricting one-size-fits-all set of regulations) before a project with code that resembles swiss cheese is allowed to handle vast public data and funds. Charles Guillemet, believes that, “Monero is not the first example and won't be the last one unfortunately.” He continued by clarifying the steps such platforms need to undertake in order to protect themselves from such situations: “Red teaming, independent third party audit, peer review of scientific articles. New cryptographic protocols need time to be reviewed and assessed.”
Binance Chain — and its supported initial exchange offering platform, the Binance Launchpad — relies on Tendermint, for example, but what would happen to the nascent projects being nurtured by Binance if a nasty exploit were to fester too long? The consequences beg no guessing. Though Monero has demonstrated the ascent to mainstream may take longer than imagined, it also showed us the safest path up the mountain, and that’s one where blockchain projects support one another rather than racing to the finish line.