1 May 2023 [security] [pinned]

tevador releases security advisory for 'medium severity' vulnerability in Monero wallets that can be exploited by malicious remote nodes

tevador1 has released a security advisory2 notifying the community of a medium severity vulnerability in Monero wallets that can be exploited by malicious remote nodes:

The vulnerability has a CVSS score of 6.5 (medium severity). The impact of the exploit is more than just privacy loss, but the attacker cannot steal Monero from your wallet. I recommend to stop using 3rd party remote nodes immediately. Run your own node instead. If you can’t avoid using a 3rd party node, make sure you trust the node operator.

The vulnerability was first reported in January 2023 on HackerOne3, but apparently there is no easy way to fix it.

Although no patch will be provided by the Monero developers, tevador did propose a small change to the PoW algorithm that would give better security for wallets using untrusted remote nodes4.

We can expect the full details of the vulnerability to be disclosed soon. Until then, it is recommended to stop using 3rd party remote nodes and run your own node if possible, or at least connect to a trusted node operator.

Note: tevador exposed the vulnerability to the public after 90 days, per Monero’s VRP ‘Post-release disclosure process’5.

This is an ongoing story and the report will be updated when new information is available.

  1. https://github.com/tevador/ 

  2. https://r.nf/r/Monero/comments/134jbdt/security_advisory_new_attack_from_malicious 

  3. https://hackerone.com/monero/ 

  4. https://github.com/monero-project/monero/issues/8827 

  5. https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md#iv-post-release-disclosure-process