Monero Discloses ‘Burning Bug’ After Heavy Secrecy

Monero Discloses ‘Burning Bug’ After Heavy Secrecy

shutterstock 1069130705

Several exchanges disabled their Monero wallets on Monday, and it has now been revealed that this course of action was due to a critical bug. Although users correctly guessed that this was the case, Monero developers seemed to deny the existence of a bug.

The Monero team has now acknowledged and patched the bug, and today they sent out a post-mortem that explains the problem.

How the Bug Worked

Monero’s post-mortem has dubbed the issue “the burning bug”. Essentially, attackers would have been able to render Monero tokens unusable and unspendable.

This problem would have occurred when multiple transactions were sent to a one-time public key or stealth address. This line of attack would have created “multiple duplicate key images”, yet the recipient would only have been able to send tokens from their address once.

Although the attacker would not have been able to reap any financial benefits, the attack would have rendered the victim’s funds unusable. Exchanges and other services, rather than individuals, were mainly at risk.

Suggested Reading : Learn more about Monero here.

Devs Discuss Secrecy

This is the second critical Monero bug in less than a month — the team disclosed a multiple counting bug just weeks ago. Users are noticing a pattern, and some are dissatisfied with the Monero team’s history of secrecy.

Monero developers have acknowledged that the decision not to disclose the bug was a difficult one. According to one moderator on Reddit:

“We were extremely conflicted as to how to proceed in this situation, and will be having a serious discussion with the community about how to handle this kind of stuff in the future. Decentralized consensus is hard.”

Although secrecy can lead to damaged trust and rampant speculation in the community, silence may be necessary to maintain security.

Even a vague acknowledgement of an issue could have increased the likelihood of an attack: one moderator has said that because the bug had been publicly mentioned on Reddit, any amount of disclosure would have made it “easy to connect the dots”.

However, some argue that attackers may be able to guess that there is a bug regardless of what the dev team does. Commenters have noted that if exchanges disable Monero in the future, attackers will probably be able to deduce that there is a bug:

“Now that we have been through this twice, I would argue that in any similar situation (e.g. exchanges suddenly taking down their wallets, some claiming to have been contacted by the devs) any would-be attacker will assume that there is a bug or vulnerability.”

Although secrecy may breed fear, uncertainty and doubt, the community response to the long-awaited bug announcement was otherwise positive, with many relieved that the bug had finally been patched.

The post Monero Discloses ‘Burning Bug’ After Heavy Secrecy appeared first on BitcoinLinux.