Monero Burning Bug Squashed But Embers Still Linger For Merchants and Exchanges
A bug in Monero’s code allowed hackers to essentially create free Monero that would only be usable once. The code is fixed, and the supply wasn’t effected, but some merchants and exchanges may still be vulnerable.
You can read the official word on the Burning Bug at A Post Mortem of The Burning Bug.
I’m going to give you the key parts below in a copy and paste that trims out technical details and gives you the gist:
This blog sets out the burning bug. The goal of this blog post is to provide a detailed explanation of aforementioned bug, how it could be used to cause harm to services, merchants, and exchanges, and how it was handled by the Monero (dev) community…
…Practically speaking this bug is exploited as follows. An attacker first generates a random private transaction key. Thereafter, they modify the code to merely use this particular private transaction key, which ensures multiple transactions to the same public address (e.g. an exchange’s hot wallet) are sent to the same stealth address. Subsequently, they send, say, a thousand transactions of 1 XMR to an exchange. Because the exchange’s wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1000 XMR. The attacker then sells his XMR for BTC and lastly withdraws this BTC. The result of the hacker’s action(s) is that the exchange is left with 999 unspendable / burnt outputs of 1 XMR.
The bug was discovered after a community member described a (hypothetical) attack on the Monero subreddit. A private patch was promptly created and later included in the code via this pull request…
…In sum, a bug in the wallet software allowed a determined attacker to cause significant damage to organizations present in the Monero ecosystem with minimal cost. Fortunately, the bug did not affect the protocol and thus the coin supply was not affected.
…Lastly, this event is again an effective reminder that cryptocurrency and the corresponding software are still in its infancy and thus quite prone to (critical) bugs.
The good news is, there is apparently [it seems to me] some sort of fix on the exchange end, because a few big exchanges like Bittrex, which had paused Monero trading, seem to have since reopened it.