Monero has revealed nine security vulnerabilities, two of which were assessed as “critical.” Eight of the bugs have already been fixed, The Next Web's Hard Fork writes. Five of the vulnerabilities constituted a DDoS risk.
According to the report, bad actors were able to design “specifically-crafted” blocks so that Monero wallets would accept fake deposits in exchange for XMR. The vulnerability could have been used to steal money from cryptocurrency exchanges. The security researchers who discovered the bug received a 45 XMR ($4,100) reward.
Among the patched vulnerabilities was a CryptoNote-related exploit that could have been used to take Monero nodes down if a bad actor requested a lot of blockchain data.
“If you have quite a big blockchain, then you can push a protocol request that will call all of its blocks from another node, which could be hundreds of thousands of blocks,” according to Andrey Sabelnikov, the researcher who uncovered the bug. A response like this requires a lot of resources and huge consumption of memory, he added.
According to Sabelnikov, other cryptocurrencies using CryptoNote could share the vulnerability with Monero.
Most of the vulnerabilities seem to have been fixed in June, as the reports coincide with the release of Monero version 0.14.1.0 that month. One, still mostly classified at the moment, awaits a fix.