September Bugs: Major Flaws Challenge Devs of Major Coins
It seems that this September is unusually busy for developers of major cryptocurrencies. After a serious bug was discovered in the Bitcoin network, Monero developers were also challenged by "The Burning Bug."
A theoretical question on the popular social network Reddit led Monero (XMR) developers to discover an inherent flaw, "The Burning Bug", in the network’s code. If the fault was discovered by malicious actors, they could have stolen massive amounts of the cryptocurrency with none the wiser, and within mere seconds.
The bug, however, has been fixed with the release of v0.12.3.0 of the Monero code.
To any exchanges, services, merchants, and other organizations present in the Monero ecosystem, if you have not received or applied a patch yet, compiling v0.13.0.0-RC1 ensures the patch is included.— Monero || #xmr (@monero) September 25, 2018
In a bug post-mortem published yesterday, the developers explain, “The bug basically entails the wallet not providing a warning when it receives a burnt output. Therefore, a determined attacker could burn the funds of an organization's wallet whilst merely losing network transaction fees.”
The developers realized that there is a huge problem after Reddit user u/GasDoves posted the question, “What happens if I spend from a specific stealth address and then someone sends more to it? Are the funds inaccessible as the key image has already been used?” on the Monero subreddit.
A stealth address is a concept that is usually used as a proxy between two addresses, where the sender sends the funds to the stealth address and it forwards those to the actual recipient. This adds an extra layer of security and anonymity - the key selling points of Monero, often dubbed a “privacy coin.”
Monero requires its senders to create one-time stealth addresses for every transaction on behalf of the recipient. The recipient can publish just one address, yet have all of his/her incoming payments go to unique addresses on the blockchain, where they cannot be linked back to either the recipient's published address or any other transactions' addresses. By using stealth addresses, only the sender and receiver can determine where a payment was sent.
Since the stealth address is a one-time occurrence, spending from it and then receiving more funds to it generates a unique problem: the funds can be exchanged for other cryptocurrencies on exchanges, but later, only the first transaction is validated and the rest of them is invalidated. However, the malicious actor has already exchanged the faulty XMR, and those coins disappear in the hands of the exchange - leaving them, practically, robbed.
Monero price chart
The discovery of this bug comes shortly after a Bitcoin bug was also discovered: one that could collapse the whole network, due to which developers have been urging everyone to update their software to minimize such a risk.