Luke Parker
Jun 25 · 18 tweets · 4 min read
Another day, another disclosure. This isn't as exciting, as it was only in... unreleased software 😱

But it does provide a comment on the intricacies of working with #Monero, along with @HavenXHV's ( $XHV ) work on integrating with @THORChain.
This does start with the $XMR side of things, and the considerations that must go into building wallets. There are two main issues people don't realize:

1) Lying about the transaction amount
2) The burning bug
Since Monero transactions are private, they don't tell you, or anyone, the amount. Instead, they have all the data needed for nodes to verify them, as well as for you to, and the sender attaches a short encrypted memo including the amount.
The issue is this memo can be anything. It's not validated. It could be 0, the actual amount, or more XMR than in existence. Accordingly, Monero wallets must take the claimed amount, and "rebuild the commitment". They need to recreate the data that is validated.
If you can rebuild the actually validated data with the claimed amount, it must be for the claimed amount. If you can't, they're lying. That simple. Thankfully, most wallets do realize this, and I actually submitted a disclosure to a library which didn't, yet it was quickly fixed.
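As an added illustration (not from the thread, and not Monero's code): a toy model of the "rebuild the commitment" check described above. A small Schnorr group stands in for Ed25519, and the hash-derived mask and XOR-encrypted amount follow the shape of Monero's ecdhInfo; the group parameters, function names and sample shared secret are all constructed for this example. The point is that the on-chain commitment is authoritative and the memo is not.

```python
import hashlib

# Toy group: safe prime P = 2Q + 1. G and H are quadratic residues, so they
# lie in the order-Q subgroup. They stand in for Ed25519's G and H; in this
# toy, amounts must stay below Q to be distinguishable (constructed values).
P = 2039
Q = 1019
G = 4
H = 9


def commit(mask: int, amount: int) -> int:
    """Pedersen commitment, multiplicative form: C = G^mask * H^amount (mod P).
    Monero writes the same thing additively as C = mask*G + amount*H."""
    if not 0 <= amount < Q:
        raise ValueError("toy group only distinguishes amounts below Q")
    return (pow(G, mask % Q, P) * pow(H, amount, P)) % P


def derive_mask(shared_secret: bytes) -> int:
    """Both parties derive the blinding mask from the ECDH shared secret,
    so the sender never has to transmit it (toy stand-in for H_s)."""
    digest = hashlib.sha256(b"commitment_mask" + shared_secret).digest()
    return int.from_bytes(digest, "big") % Q


def xor_amount(shared_secret: bytes, amount_bytes: bytes) -> bytes:
    """Symmetric XOR of the 8-byte amount field with a secret-derived pad."""
    pad = hashlib.sha256(b"amount" + shared_secret).digest()[:8]
    return bytes(a ^ b for a, b in zip(amount_bytes, pad))


def build_output(shared_secret: bytes, real_amount: int, claimed_amount: int) -> dict:
    """Sender side. The commitment is always to the real amount (otherwise the
    chain's balance check fails). The memo is whatever the sender claims; an
    honest sender passes the same value for both."""
    mask = derive_mask(shared_secret)
    return {
        "commitment": commit(mask, real_amount),
        "encrypted_amount": xor_amount(shared_secret, claimed_amount.to_bytes(8, "little")),
    }


def naive_receive(shared_secret: bytes, output: dict) -> int:
    """A wallet that trusts the memo: decrypts it and reports it as the amount."""
    return int.from_bytes(xor_amount(shared_secret, output["encrypted_amount"]), "little")


def receive_output(shared_secret: bytes, output: dict):
    """Receiver side with the check: decrypt the memo, rebuild the commitment
    from it, and accept the amount only if the rebuild matches what the chain
    validated. Returns the amount, or None if the memo lies."""
    claimed = naive_receive(shared_secret, output)
    mask = derive_mask(shared_secret)
    if claimed >= Q or commit(mask, claimed) != output["commitment"]:
        return None
    return claimed


if __name__ == "__main__":
    secret = b"constructed ECDH shared secret"
    print(receive_output(secret, build_output(secret, 5, 5)))    # honest: 5
    print(receive_output(secret, build_output(secret, 5, 500)))  # lying: None
```

Because the mask is derived from the shared secret, the receiver has everything needed to rebuild the commitment without trusting the sender; a memo of 0, of the wrong value, or of an absurdly large value all fail the same equality test.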
The other issue is much more frustrating, and unfortunately is missed by a lot of people, including myself.

Monero outputs are to keys. They should be unique. When you spend them, you don't say which key it is (breaking privacy), yet rather that you're spending a 'mirror image'.
This mirror image isn't the original key, yet can be proven to be for the key in question. This enables correctness, while also privacy. These images ("key images") can only be used once.

So what if the output key isn't unique and is reused?
The output keys will have the same key images, and only one key image can be used (to prevent double spends). Despite having `n` outputs, only one is usable. The rest will be burnt. This is the burning bug.

You tell someone they received funds, yet they can't actually spend them.
I actually missed this in my own wallet years ago, and it's unfortunately not the most documented aspect of Monero. Thankfully, most wallets use Monero's provided wallet lib, which does handle this.
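An added example, constructed rather than taken from the thread or from Monero's wallet library: a wallet-side scan that refuses to credit a second output carrying an already-seen one-time key. The key-image function is a toy stand-in for x·H_p(P) (any deterministic function of the key reproduces the collision), and the outputs, txids and amounts are made up.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    """One received output as a scanning wallet sees it (constructed fields)."""
    txid: str
    index: int
    one_time_key: bytes
    amount: int


def key_image(one_time_key: bytes) -> bytes:
    """Toy stand-in for Monero's key image x*H_p(P): a deterministic function
    of the one-time key, so two outputs to the same key share one key image.
    The chain accepts each key image once, which is the whole problem."""
    return hashlib.sha256(b"key_image" + one_time_key).digest()


def naive_balance(outputs) -> int:
    """What a wallet that skips the uniqueness check would report."""
    return sum(o.amount for o in outputs)


def scan_outputs(outputs):
    """Credit the first output seen for each key image; flag later duplicates
    as burnt. Returns (credited, burnt), each in scan order."""
    first_seen = {}
    credited, burnt = [], []
    for o in outputs:
        ki = key_image(o.one_time_key)
        if ki in first_seen:
            burnt.append(o)          # same key image already claimed: unspendable
        else:
            first_seen[ki] = o
            credited.append(o)
    return credited, burnt


def spendable_balance(outputs) -> int:
    """Balance the wallet can actually spend, after dropping burnt duplicates."""
    credited, _ = scan_outputs(outputs)
    return sum(o.amount for o in credited)


# Constructed sample: tx3 reuses tx1's one-time key.
SAMPLE_OUTPUTS = [
    Output("tx1", 0, b"one-time-key-A", 10),
    Output("tx2", 1, b"one-time-key-B", 20),
    Output("tx3", 0, b"one-time-key-A", 30),
]

if __name__ == "__main__":
    credited, burnt = scan_outputs(SAMPLE_OUTPUTS)
    print("naive:", naive_balance(SAMPLE_OUTPUTS))       # 60
    print("spendable:", spendable_balance(SAMPLE_OUTPUTS))  # 30
    print("burnt:", [o.txid for o in burnt])              # ['tx3']
```

In the extrapolated variant the thread goes on to describe, the duplicate may come from a different sender and may even land first, so "first seen wins" is not by itself enough for a receiving service; a key-image collision should at least stop the later output from being credited, and is a reasonable trigger to hold the deposit for review rather than credit either side automatically.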

Then we get to Haven, who wrote some of their own wallet code for Thorchain.
Their code also didn't handle it. This would mean it'd be possible to deposit unspendable funds to Thorchain, and I'm a bit conflicted. On the one hand, I missed it too back in the day. On the other hand, it should've been handled, and is known by experienced XMR devs.
Things get better though. There's a new variant on the loose. This one? The extrapolated burning bug 👀

The original burning bug only let the original sender make a new output with the same key. The EBB allows *anyone* to make a new output with the same key.
This means, if you deposited to Thorchain, I could use your output key for my own deposit. With the classic bug fixed, my output would be first and handled, but YOURS would be considered burning. If I was a miner, who got 5% of blocks, I could safely do this for 5% of TX.
This would allow anyone to burn the deposits of any other user, without risk, and get their money back (sans fees). It's possible by:

- An exchange receiving
- Using TX extra to decide who gets funded
- *Knowing the recipient's view key*

All properties met by the TC integration.
My frustration here is we have an incredibly complicated privacy system, and we're building an integration into another incredibly complicated system, yet there appears to be a lack of the required understanding to manage these behaviors.
I submitted both of these bugs, one which has been known for years, AFTER they said they had done their initial validation of the client. Thankfully, these should both be fixed. It doesn't change the fact Monero multisig, which they rely on, isn't yet though...
I'm also curious how they plan to use it. Monero multisig only supports up to 16 parties. I believe Thorchain Asgards are planned to have 20 parties, at this time. Smaller Asgards, specifically for Haven?
As one other note, I recently gave a talk on multisig at #MoneroKon2022 which covered the burning bug, and its complication to multisig (distinct from the EBB) which was great :D Very happy to have done so.

The EBB itself is written up here: github.com/monero-project…
I'm also considering a new document explicitly for burning bug immune addresses now, instead of just when Seraphis rolls around 👀 Stay tuned for that. It'd notably enable contextless wallets, instead of needing to scan the entire chain.

The disclosures keep coming though... 👀
