Not one, not two, but nine security flaws in Monero have been disclosed by developers. One of these nine bugs could be exploited to steal XMR from cryptocurrency exchanges.
According to a report by HackerOne:
“By mining a specially crafted block that still passes daemon verification, an attacker can create a miner transaction that appears to the wallet to include a sum of XMR picked by the attacker. It is our belief that this can be exploited to steal money from exchanges,” said a developer with the pseudonym “cutcoin.”
The developers also found five DoS attack vectors, one of which they labelled a critical issue.
Another security flaw was found in CryptoNote, the application layer used in the Monero ecosystem to increase the privacy of transactions.
An attacker able to exploit this bug could take Monero nodes down by maliciously requesting a large amount of blockchain data from the cryptocurrency’s network.
According to the man who discovered the vulnerability, Andrey Sabelnikov:
“If you have quite a big blockchain (with long history like Monero […]), then you can push a protocol request that will call all of its blocks from another node, which could be hundreds of thousands of blocks. Preparing such a response can take a lot of resources. Eventually, the OS might kill it due to the huge memory consumption, which is typical of Linux systems.”
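The defence against this kind of request is to bound what a node will prepare for any single request, by block count and by bytes, and let the peer ask again for the rest. The sketch below is an added example, not Monero or CryptoNote code; the names `serve_blocks`, `BlockRequest`, `Chain` and both limits are hypothetical.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Hypothetical limits chosen for illustration; not Monero's actual values.
constexpr std::uint64_t kMaxBlocksPerResponse = 100;
constexpr std::size_t kMaxResponseBytes = 1u << 20;  // 1 MiB

struct BlockRequest { std::uint64_t start_height; std::uint64_t count; };

struct BlockResponse {
    std::vector<std::uint64_t> heights;  // blocks that would be serialized
    std::size_t bytes = 0;               // total payload size
    bool truncated = false;              // peer must ask again for the rest
};

// Constructed stand-in for chain storage: block_sizes[h] is the size of block h.
struct Chain { std::vector<std::size_t> block_sizes; };

BlockResponse serve_blocks(const Chain& chain, const BlockRequest& req) {
    BlockResponse resp;
    const std::uint64_t tip = chain.block_sizes.size();
    if (req.start_height >= tip || req.count == 0) return resp;

    // Clamp to what exists first, so start_height + count cannot overflow.
    const std::uint64_t wanted = std::min(req.count, tip - req.start_height);
    const std::uint64_t limit = std::min(wanted, kMaxBlocksPerResponse);
    resp.heights.reserve(static_cast<std::size_t>(limit));

    for (std::uint64_t i = 0; i < limit; ++i) {
        const std::uint64_t h = req.start_height + i;
        const std::size_t sz = chain.block_sizes[static_cast<std::size_t>(h)];
        // Always send at least one block so an honest peer makes progress.
        if (!resp.heights.empty() && resp.bytes + sz > kMaxResponseBytes) break;
        resp.heights.push_back(h);
        resp.bytes += sz;
    }
    resp.truncated = resp.heights.size() < wanted;
    return resp;
}

int main() {
    Chain chain{std::vector<std::size_t>(300000, 2000)};  // constructed chain
    BlockResponse r = serve_blocks(chain, {0, 300000});   // "give me everything"
    std::cout << r.heights.size() << " blocks, " << r.bytes << " bytes, truncated="
              << r.truncated << "\n";
}
```

Memory use per request is now bounded by the two constants rather than by the length of the chain or by the number the peer sends.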
The developers reported further flaws around four months ago. Eight of the vulnerabilities have been under maintenance in the meantime; the ninth, however, remained undisclosed.
Two of the nine flaws were classed as critical.
Last year, Monero developers successfully fixed a vulnerability that could have had negative repercussions for both crypto exchanges and merchants.
As reported by CCN, by sending a series of payments to a single stealth address belonging to a cryptocurrency exchange or merchant and exploiting a bug in the Monero wallet software, hackers would have been able to burn cryptocurrency exchange deposits.