Back to Vulnerability database

A bug in the Monero wallet balance can enable theft from exchanges

ID Submit date Publish date Author Score
1 10.26.2018 10.29.2018 Jason Rhinelander (jagerman) 10.0


Summary: A Monero bug (already fixed in master) allows theft from exchanges. This has been exploited again a Monero-derived coin, so the exploit may be underway currently.

Description: (fluffypony: Also please mention you spoke to me and I recommended you put it on HackerOne)

Bug also extends to exchanges: a transfer of, e.g., 1 XMR to an exchange with a duplicated TX pub key will show up on an exchange as a 2 XMR deposit, which then allows the attacker to withdraw 2 XMR from the exchange's wallet. An attacker could exploit this repeatedly to siphon of all of the exchange's balance.



@007vikaxh February, 8 12:18am