Fake deposit amount exchange vulnerability in Monero

Foreword to Ryo community

This bug has been fixed in Ryo 7 months ago. Patch is available here, however in case of Monero it might cause a hard fork on exploitation. Another fix is possible by ignoring non-null RingCT coinbase transactions in the wallet.

How does the exploit work?

RingCT has extremely insecure design where the amount displayed to the user (from now called masked amount) is different from the amount checked by the network (from now called commitment).

When a coinbase transaction is minted it will include a plaintext amount and a null rct signature. Network will construct commitment from this plaintext amount.

However if the coinbase transaction includes non-null rct signature, it will be able to communicate a masked amount too. This essentially means that the attacker can make it appear as if he deposited any sum of his choosing to an exchange.

Why did you not report it Monero?

Because of their long history of toxic behaviour towards security researchers [ 1 ] [ 2 ] [ 3 ] [ 4 ] I hope that Monero community uses this opportunity to reconsider their behaviour.

Accidental leak open disclosure

While discussing this exploit on Ryo public channel I confused the issues and accidentally leaked a different issue. Monero might want to get that one patched too. [ 1 ]

Monero Devlopers’ Response