Following a rather hectic disclosure process, an exchange-deposit bug found in the official Monero wallet has been patched and revealed to the public. Monero developers quickly fixed the vulnerability after one bugfinder went rogue and leaked the issue on Sunday. A patch has now been released, and the problem is under control—just in time for a second bug to arise.
First Bug Affects Exchanges
The first bug affects exchanges and other similar services, meaning that users do not need to worry. Lead developer Riccardo Spagni has also commented that the bug does not affect the Monero blockchain at all: “This is not a consensus bug, there is no double spend, it does not allow coins to be created out of thin air.”
Instead, the bug affects services that receive Monero deposits. Basically, transaction amounts are represented in two different ways, and prior to the patch, an attacker would have been able to misrepresent a deposit’s true value. The original bug concerned Coinbase, but other exchanges like Kraken have also responded by temporarily disabling Monero.
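The risk described above is a deposit pipeline that credits an account from one amount representation without checking it against the other. The following added example (not from the article and not Monero's or any exchange's code) sketches what a hardened crediting routine looks like; every name in it, the `displayed_amount`/`verified_amount` fields, the confirmation threshold and the sample deposits, is an assumption constructed for illustration.

```python
"""Added example: credit deposits only when two independent amount
representations agree and the transaction is sufficiently confirmed.

Assumptions (not from the article): `displayed_amount` stands for the amount
a wallet reports in a listing, `verified_amount` for the amount independently
validated against the chain, both in atomic units. CONFIRMATIONS_REQUIRED is
an assumed exchange policy, not a protocol constant.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CONFIRMATIONS_REQUIRED = 10  # assumed policy value


@dataclass(frozen=True)
class Deposit:
    txid: str
    displayed_amount: int   # representation 1 (atomic units)
    verified_amount: int    # representation 2, validated against the chain
    confirmations: int


def credit_insecure(dep: Deposit) -> int:
    """'Before' pattern: trusts a single display field as the deposit value."""
    return dep.displayed_amount


def credit_hardened(dep: Deposit) -> Optional[int]:
    """Return the amount to credit, or None when the deposit must be held.

    A mismatch between the two representations is treated as a red flag
    rather than silently resolved in either direction.
    """
    if dep.confirmations < CONFIRMATIONS_REQUIRED:
        return None
    if dep.displayed_amount != dep.verified_amount:
        return None
    return dep.verified_amount


def process_batch(deposits: List[Deposit]) -> Tuple[Dict[str, int], List[str]]:
    """Split a batch into credited {txid: amount} and held [txid] for review."""
    credited: Dict[str, int] = {}
    held: List[str] = []
    for dep in deposits:
        amount = credit_hardened(dep)
        if amount is None:
            held.append(dep.txid)
        else:
            credited[dep.txid] = amount
    return credited, held


def reconcile(credited_total: int, wallet_balance: int) -> bool:
    """Secondary control: credited balances must never exceed funds held."""
    return credited_total <= wallet_balance


# Constructed sample deposits (hypothetical txids, 1 XMR = 10**12 atomic units).
SAMPLE_DEPOSITS = [
    Deposit("tx-legit", 10**12, 10**12, 12),          # consistent, confirmed
    Deposit("tx-mismatch", 50 * 10**12, 10**12, 12),  # representations disagree
    Deposit("tx-young", 10**12, 10**12, 3),           # not enough confirmations
]

if __name__ == "__main__":
    credited, held = process_batch(SAMPLE_DEPOSITS)
    print("credited:", credited)
    print("held for review:", held)
    print("insecure path would credit tx-mismatch with",
          credit_insecure(SAMPLE_DEPOSITS[1]), "atomic units")
```

The insecure path credits 50 XMR for a deposit whose validated value is 1 XMR; the hardened path credits only `tx-legit` and holds the other two, and `reconcile` catches any crediting logic that still drifts above the wallet's real balance.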
It is important to keep security vulnerabilities secret until they are fixed so that potential attackers do not get a chance to exploit those bugs. Monero has tangled with the complexities of disclosure in the past—generally, the community deduces that a bug has been found whenever exchanges suddenly suspend Monero activity.
This bug was different: After it was disclosed privately on HackerOne, it was soon deliberately leaked on Medium. The leaker defended his actions by claiming that the Monero community has a “history of toxic behaviour” toward security researchers. Of course, that statement is unlikely to win over anyone who values Monero’s security.
Although there has been no fallout, there is one unsettling detail: According to some developers, it is suspicious that both the private disclosure and the public leak took place at about the same time. This has led some to believe that the leaker previously informed other individuals of the bug, which is obviously a major security problem.
Second Bug Affects Users
There is also a second, unrelated Monero bug that may pose a far greater risk to general users. An error in the Ledger Nano S could be causing users to lose their funds. This bug is particularly dangerous because it involves no attacker at all, only a technical error, so it can hit users who have done nothing unusual. Ledger is currently warning users not to use the Nano S Monero app.
Warning: do not use Monero Ledger HW app with latest Monero client v0.14. Support issues have been reported on it, we are investigating. See more here //t.co/yOV2b09QaG
— Ledger (@Ledger) March 4, 2019
These issues are arising at an inopportune time: Monero’s upcoming hard fork is set to be executed at the end of this week. The upgrade will primarily provide ASIC resistance, thereby ensuring that users with basic systems are able to continue mining Monero at a profit. Fortunately, the hard fork seems to be on track in spite of the above issues.