Monero’s CCS Wallet Exploited: Monerujo Wallet Feature At The Center Of Mystery Hack

In a shocking twist of events, the decentralized, community-powered Monero project has disclosed a breach of its Community Crowdfunding System (CCS) wallet that occurred on September 1, 2023. The attacker executed nine transactions, draining the entire balance of 2,675.73 XMR, equivalent to a staggering $460,000.

Renowned Chinese crypto journalist Colin Wu took to his official X page, Wu Blockchain, to shed light on the Monero CCS hack. The source of the breach remains unknown. Colin Wu also echoed the observations of blockchain security firm SlowMist, which identified a potential “loophole in the Monero privacy model” as the root of the vulnerability.

According to a recent report, the Community Crowdfunding System (CCS), which relies on donations, held 2,675.73 XMR until September 1. It was not until November that a Monero developer named Luigi discovered that the wallet's entire balance had been stolen.

Monerujo’s PocketChange, Elevating Monero Security

Moonstone Research tracked the attacker’s transactions and concluded that the exploiter was a Monerujo wallet user who had enabled the PocketChange feature. Monerujo, a non-custodial Monero wallet for Android, offers PocketChange to avoid the wait before funds can be spent again, which it does by splitting coins into multiple “pockets” or “enotes”. In a statement, Monerujo clarified:

“As long as [PocketChange is] enabled, every time you use Monerujo to send moneros somewhere, it will take a bigger coin, split it in parts, and spread those smaller coins into 10 different pockets. That way, the coins won’t merge again, and you’ll be ready to spend instantly from all those pockets without waiting the dreadful 20 minutes.”

Drawing from four Crescent Discovery reports, Moonstone Research confirmed that the attacker had generated 11 output enotes, which is anomalous for standard transactions. Restating their findings, Moonstone Research affirmed, “We believe this is the most likely case, regardless if the attacker was using Monerujo version 3.3.7 or 3.3.8.”

The recent incident has caused a stir in the Monero community, leading to doubts about the safety of decentralized projects and the possible risks related to cutting-edge features such as PocketChange. The community now faces crucial questions and challenges, with the discussions revolving around security and privacy concerns.