The anonymous cryptocurrency team Monero revealed nine security vulnerabilities, including one that could allow hackers to steal XMR from exchanges.
As reported in the HackerOne report, until March, unscrupulous miners Monero could hypothetically create “specially tuned” blocks to make Monero wallets accept fake XMR deposits chosen by the attacker.
“We believe that this could have been used to steal money from stock exchanges,” the researchers said in an initial report. In the end, they were awarded 45 XMR ($ 4,100) for their efforts.
Five vectors of DoS attacks were also uncovered, one of which received a “critical” level of importance.
Another vulnerability is related to the CryptoNote protocol used in Monero to increase the confidentiality of transactions. It could lead to the fact that fraudsters sabotaged the work of Monero nodes, intentionally requesting large amounts of blockchain data from the network.
Andrei Sabelnikov, who discovered the error, told the Hard Fork publication:
“If you have a fairly large blockchain (with such a long history as Monero […]), you can send a protocol request that will call all its blocks from another node, which may contain hundreds of thousands of blocks. Preparing a response to such a request can take a lot of resources. In the end, the OS can stop its execution due to the huge memory consumption that is typical for Linux systems. ”
Sabelnikov warned that there may be other cryptocurrency projects based on CryptoNote, which have similar vulnerabilities. It has also been found that Monero software allows for “undeclared” memory to leak to unreliable network nodes. It was reported that this type of memory could include confidential material (such as cryptographic or other similar personal data).
The bulk of these errors was discovered about four months ago. Eight vulnerabilities have since been fixed, and one remains almost completely unrevealed. It seems that the reports are timed to the release of Monero version 0.14.1.0 in June. It should be noted that most of these shortcomings have been described as “proof of concepts”.
In 2017, the Monero team discovered
and fixed a bug in the CryptoNote protocol. The error allowed double spending, in other words, ensured the creation of an unlimited number of coins. In March of this year, the Monero network was successfully activated.
an update that protected the network from the big bang attack, which is based on the dynamic block size algorithm.