
A bug in the Monero (XMR) software that could enable fake deposits to exchanges was recently brought to public attention through a Medium post published by the official Ryo account on March 3.
According to the post, an email reportedly sent to the Monero announce mailing list warns exchanges and service operators using the coin that the Monero Vulnerability Response team received a disclosure concerning a vulnerability. The vulnerability consists of the mishandling of outputs in coinbase transactions (the first transaction in each block, always created by the miner).
This mishandling could potentially allow an attacker to fake the deposit of an arbitrary amount of XMR to an exchange. Still, the email also contained configuration parameters that effectively act as a workaround, preventing the vulnerability from being exploitable. The official Monero profile also published the same workaround on March 3.
About ten hours later, the account announced that the fix for the vulnerability had been written and was awaiting review. From the GitHub page dedicated to the patch, it appears that the code has already been merged into the main branch, which means that the fix is ready and only awaits a new release.
Ryo, a cryptocurrency derived from Monero, reports in its Medium post that its team fixed this vulnerability seven months ago. The post justifies the lack of an earlier responsible disclosure to the Monero team by citing Monero’s “long history of toxic behaviour towards security researchers.”
Furthermore, the post also claims that, while discussing the exploit in the Ryo public channel, the author of the post accidentally disclosed a different issue as well, concluding:
“ might want to get that one patched too.”
As Cointelegraph reported earlier today, the Monero developers posted a warning on March 4 advising users not to use the Ledger Nano S app after another apparent bug reportedly led to a user losing 1,680 XMR (equivalent to about $80,000).
Published at Mon, 04 Mar 2019 16:40:15 +0000