On Tuesday, Monero developers released a post-mortem report about how they fixed the burning bug, which allowed attackers to burn XMR stored in exchange deposits. An attacker burns the XMR by flooding the system with identical stealth addresses for different payments, making the funds in these accounts unusable. This is because all requests that use the same address as the initial request will be rejected, as the system will flag them as suspicious. The attacker loses only the transaction fee that was paid to the exchange.
The Burning Bug Attack
The developers released a report stating:
“The burning bug fundamentally doesn’t permit the wallet to send out a warning when it gets a burnt output. This allows a determined attacker to burn XMR from the wallet of an organization or exchange losing only the transaction fees used for each transaction.”
When Monero is sent, a key image is generated in a unique way, so multiple requests to the same stealth address lead to the formation of multiple identical key images. This leads to the rejection of subsequent transactions. The attacker can achieve this by modifying the code and sending the same private key over and over again. The requests would be sent to a burnt stealth address, but it would be usable only once.
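The warning the wallet failed to give can be sketched as a deposit-side check; this is an added example, not code from the Monero project or the report. The names `Output` and `screen_deposits`, the sample transaction ids and keys, and the policy of crediting only the first output seen for a given key are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    txid: str        # transaction id (constructed sample values below)
    output_key: str  # one-time output public key, i.e. the stealth address
    amount: int      # amount in atomic units


def screen_deposits(outputs, seen_keys=None):
    """Split incoming outputs into creditable ones and burnt duplicates.

    Outputs that share an output key share a key image, so only one of
    them can ever be spent. Assumed policy: credit the first one seen and
    flag every later one instead of crediting it.
    """
    seen = dict(seen_keys or {})  # output_key -> txid that was credited
    credited, burnt = [], []
    for out in outputs:
        first_txid = seen.get(out.output_key)
        if first_txid is None:
            seen[out.output_key] = out.txid
            credited.append(out)
        else:
            burnt.append((out, first_txid))
    return credited, burnt, seen


# Constructed sample data: three payments reuse one stealth address.
SAMPLE = [
    Output("tx01", "P_aaaa", 5_000_000_000_000),
    Output("tx02", "P_bbbb", 1_000_000_000_000),
    Output("tx03", "P_aaaa", 5_000_000_000_000),
    Output("tx04", "P_aaaa", 5_000_000_000_000),
]

if __name__ == "__main__":
    credited, burnt, _ = screen_deposits(SAMPLE)
    for out, first_txid in burnt:
        print(f"WARNING {out.txid}: output key {out.output_key} "
              f"already seen in {first_txid}; not credited")
    print("credited total:", sum(o.amount for o in credited))
```

Passing the returned `seen` mapping back in as `seen_keys` on the next scan keeps the check effective when the duplicates arrive in later blocks.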
How Developers Found The Bug
According to the report, one of the Monero community members posted a hypothetical description of how the attack works on Reddit. After the developers saw it, they decided to patch it quickly to prevent it from being exploited. They notified exchanges and fixed the loophole. A warning email was also sent to everyone on the Monero public mailing list.
Although some harm was done, the coin supply protocol was not affected by the burning bug. The reports of the bug, however, may have been what propelled some exchanges to temporarily remove Monero from their list of tradable coins, as reported by smarttest.wpmudev.host.