According to the technology news outlet, “inventive” hackers could create false transaction data by copying a single line of code from the Monero wallet code base, which is open source and easily accessible online.
These malicious actors could then manipulate the amount of cryptocurrency shown by the wallet however they wanted, with each new line of copied code multiplying the Monero amount displayed.
While this bug doesn’t create XMR out of thin air, attackers could use it as a means of attack against a cryptocurrency exchange. More specifically, malicious users could trick exchange support staff into crediting their account with Monero that doesn’t exist, with one coder noting that users could bluff a value of up to 8,000 times the original transaction amount.
A security researcher who originally revealed this glitch said the following on the matter:
“An attacker could exploit this repeatedly to siphon off all of the exchange’s balance.”
This vulnerability has also affected other Monero-based cryptocurrencies that rely on variations of the CryptoNote protocol. This became apparent after cybersecurity researchers disclosed that ARQ, a hard fork of Monero, was also subject to the aforementioned glitch.
However, the flaw has since been fixed, at least for Monero; it remains unknown whether the developers of other CryptoNote-based coins have responded to the issue.
The Altex Exchange Falls Victim To The Bug
While developers were quick to patch the issue for Monero, a lesser-known exchange named Altex took to Twitter to let its users know that hackers had used the security flaw to their advantage. The Altex team wrote:
We have been experiencing issues with two of our listed coins (they were still affected by the double-counting bug recently found in the Monero codebase, even after updating the software). That bug caused a big loss in coins for the exchange and we have put our main currency under maintenance so the people who exploited the bug can no longer withdraw… We will suspend trading for now and keep writing updates on our twitter. We are trying to resolve this situation ASAP, we hope you understand.
Upon further investigation, it became apparent that the exchange in question began to experience this issue in early July, issuing a tweet noting that “every CryptoNote-based coin” will be under maintenance due to a bug.
Every CryptoNote based coin is currently under maintenance while we wait on the coin developers to update/fix their wallet because of the recent bug discovered.
— Altex.exchange (@Altex_exchangeR) July 6, 2018
As the exchange relies heavily on the trading and use of Monero and other CryptoNote cryptocurrencies, it is likely that it was put in a tough financial situation by this flaw. While Altex may be having a rough time, there are currently no public reports of other exchanges falling victim to this bug.