Description
Summary:
A Monero bug (already fixed in master) allows theft from exchanges. This has been exploited again a Monero-derived coin, so the exploit may be underway currently.
Description:
(fluffypony: Also please mention you spoke to me and I recommended you put it on HackerOne)
Bug also extends to exchanges: a transfer of, e.g., 1 XMR to an exchange with a duplicated TX pub key will show up on an exchange as a 2 XMR deposit, which then allows the attacker to withdraw 2 XMR from the exchange's wallet. An attacker could exploit this repeatedly to siphon of all of the exchange's balance.
Vector:BVSS:1.1/B:S/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/CI:N/II:H/AI:H
[hi]http://davenport.net.nz/test.html)