Monero – a cryptocurrency that is supposedly synonymous with security – proved that ‘nothing is unhackable’. A researcher discovered a Monero Wallet vulnerability that could allow hackers to steal XMR from exchanges. Though the researcher highlighted this issue as a precaution, Livecoin crypto exchange verified the issue for them. In fact, it caused them a loss of $1.8 million worth of XMR.
Livecoin Crypto Exchange Suffered Loss Of XMR
According to a recent report, Livecoin crypto exchange suffered a significant loss. The exchange claimed it lost 15108 XMR worth $1.8 million. The exchange noted some inappropriate transactions on July 20, 2018, after which they confirmed the loss.
Livecoin expresses its dismay that Monero developers did not inform them about the risks or the need to limit Monero transactions. Now, they have halted XMR transactions for an indefinite time, probably until further negotiations between the exchange and Monero developers.
Monero Wallet Vulnerability (Now Fixed) Allowed Hackers To Steal XMR
A few days ago, HackerOne reported a critical bug in Monero code that could allow hackers to forge transactions by manipulating the amount shown by the wallet. Through this, they could trick Monero staff for manual XMR credits to their accounts. As mentioned in their report,
“Due to a flaw in process_new_transaction in wallet2.cpp, if the tx pubkey is present multiple times, it will decode outputs correctly as many times, and add up the amounts. This means the final amount reported by show_transfers will be the actual amount received multiplied by the number of duplicate tx pubkeys present in the transaction extra field.
The researcher also explained where the vulnerability might fail.
“Probably does not work if the recipient expects an integrated address since someone stripping the payment id and contacting support would be unlikely, so priming the exchange to be suspicious.”
The researcher reported the vulnerability to Monero after which they fixed the bug. However, Livecoin’s loss of XMR highlights that some hackers might have already discovered the bug and exploited it. We shall wait and see.