It seems that the Monero (XMR) wallet software has a bug that could enable fake deposits to crypto exchanges.
This was brought into the highlight via a Medium post that was published by the official Ryo (RYO) account a few days ago, reports Cointelegraph.
How does the exploit work?
The Medium post offers a detailed explanation of how this exploit works.
The post begins by saying that “RingCT has an extremely insecure design where the amount displayed to the user (from now called masked amount) is different from the amount checked by the network (from now called commitment).”
The Medium post continues and explains that “When a Coinbase transaction is minted it will include a plaintext amount and a null rct signature. Network will construct commitment from this plaintext amount.”
Cointelegraph explains that this mishandling could allow an attacker to fake the deposit of an arbitrary amount of XMR to an exchange.
A fix is on its way
It also seems that an email was reportedly sent to the Monero-announce mailing list and it warns exchanges and service operators about the whole thing.
The email also includes parameters for the wallet which are “effectively a workaround preventing the vulnerability from being exploitable. The official Monero profile also tweeted the same workaround on March 3,” according to Cointelegraph.
The same online publication reports that a few hours later, the Monero account posted that the fix for this vulnerability has already been written and waiting to be reviewed.