Exchange Denial of Service in Monero

Introduction

While discussing the previous Monero vulnerability, I confused the issues (they are both related to the fact that the encrypted amount and commitment are separate entities in RingCTs) and accidentally disclosed this one [1]. The Monero team has had over a week now to examine the source code, and surprisingly they have not asked us for any details about the bug.

Description of the issue

The wallet does not perform sufficient error handling when it encounters an invalid encrypted amount. The RCT library correctly throws an exception, but the wallet catches it and sets the returned amount to zero.

While there is nothing inherently wrong with this behaviour, the wallet will then attempt to use these zero-sized sums when constructing transactions. This causes verification of such transactions to fail.

The overall impact of the bug is that a publicly known wallet address, such as an exchange's, can be put out of action by sending it many small transactions with invalid encrypted amounts.

This outage is not terminal, and a rescan with a fixed wallet will enable the valid outputs to be used.

The recommended fix, which we implemented in Ryo, is to ignore zero amounts altogether.
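The following is an added example, not Monero or Ryo source code: a simplified model of the handling described above, with the swallowed exception next to the zero-amount filter. All names, the toy "decryption" and the sample outputs are constructed for illustration.

```cpp
// Simplified model of the wallet behaviour; every name here is hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

struct ReceivedOutput {
    uint64_t encrypted_amount;  // amount field as sent by the payer
    uint64_t commitment;        // stand-in for the separate commitment
};

// Stand-in for the RCT decode: throws when amount and commitment disagree.
uint64_t decode_amount(const ReceivedOutput& o) {
    const uint64_t amount = o.encrypted_amount ^ 0x5aULL;  // toy "decryption"
    if (amount != o.commitment) throw std::runtime_error("invalid encrypted amount");
    return amount;
}

// ignore_zero == false: the exception is swallowed and a zero-amount output is kept.
// ignore_zero == true:  the fix, zero amounts never enter the spendable set.
std::vector<uint64_t> scan(const std::vector<ReceivedOutput>& outs, bool ignore_zero) {
    std::vector<uint64_t> spendable;
    for (const auto& o : outs) {
        uint64_t amount = 0;
        try { amount = decode_amount(o); }
        catch (const std::exception&) { amount = 0; }  // decode failure becomes zero
        if (ignore_zero && amount == 0) continue;
        spendable.push_back(amount);
    }
    return spendable;
}

// Outputs that would poison input selection when a transaction is built.
std::size_t zero_count(const std::vector<uint64_t>& amounts) {
    std::size_t n = 0;
    for (uint64_t a : amounts) if (a == 0) ++n;
    return n;
}

// Constructed sample: two well-formed outputs and two with invalid amounts.
std::vector<ReceivedOutput> constructed_outputs() {
    return {{1000ULL ^ 0x5aULL, 1000ULL}, {123ULL, 999ULL},
            {7ULL, 42ULL}, {5000ULL ^ 0x5aULL, 5000ULL}};
}

int main() {
    std::printf("lenient: %zu zero outputs kept\n", zero_count(scan(constructed_outputs(), false)));
    std::printf("strict:  %zu zero outputs kept\n", zero_count(scan(constructed_outputs(), true)));
}
```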

Why did you not report it to Monero?

Because of their long-standing and continuing history of toxic behaviour towards security researchers [1] [2] [3] [4] [5].


At the request of a Monero moderator, I’m adding a link to a community discussion on the topic here. Please keep in mind that some posts are NSFW due to abuse being hurled around.