The Monero community is working hard to keep the network among the most secure in the cryptosphere. A recently released Security Advisory Report shows that community members have contributed 1,394.45 XMR to the Monero bounty on HackerOne. This is 92.96 percent of the projected fund for the programme.
Details of the report show that this is part of a total budget of 1,500 XMR planned for the period, intended to ensure that an appropriate security audit of the network is carried out.
53 Contributors for Network Security
A further breakdown shows that the fund was contributed from 53 wallets. Thirteen payouts totaling 121 XMR have already been disbursed to bounty hunters. The investment in security has paid off: reported vulnerabilities are being addressed as they are discovered rather than left in the code.
A copy of the audit proposal seen by Cryptoinfowatch shows that the security auditors were instructed to refrain from denial of service or active exploitation against the Monero/Kovri networks. They were also to refrain from exploiting Monero data centers and from social engineering of Monero or the Kovri project.
The release also shows that the live, hosted Monero sites were excluded from the audit to avoid active disruption; only the code was in scope.
Focus On the Monero Code
The audit instruction echoed this, “As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. The live sites are NOT in the scope of this process; only the code is!”
The researchers were also instructed to send their findings by encrypted email to the project's response team, which in turn was instructed to reply within three days over an encrypted channel so that it could ask follow-up questions about the reported vulnerabilities.
Types of Threats Facing Monero
The release classified vulnerabilities according to severity: “HIGH: impacts network as a whole, has potential to break entire monero/kovri network, results in the loss of monero, or is on a scale of great catastrophe; MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited; LOW: is not easily exploitable or is low impact”.
However, the Monero Response Team has the final authority in defining bug severity. It is also responsible for taking appropriate action when a bug is discovered: remediation, countermeasures and disclosure on Monero channels.
The Monero community is among the most tightly knit, probably because of the coin's distinctive focus. Even after the recently discovered burning bug, the network's outlook remains positive.
The burning bug was described by the official Monero blog, “An attacker first generates a random private transaction key. Thereafter, they modify the code to merely use this particular private transaction key, which ensures multiple transactions to the same public address (e.g., an exchange’s hot wallet) are sent to the same stealth address. Subsequently, they send, say, a thousand transactions of 1 XMR to an exchange. Because the exchange’s wallet does not warn for this particular abnormality (i.e., funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1000 XMR.”
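The quoted attack works because the exchange's wallet credits every incoming output, even when several of them land on the same stealth address. As an added example (not Monero project code, and not from the original article), the following Python shows a naive crediting routine beside a hardened one that credits at most one output per one-time key. The output records are constructed and the one-time key is an opaque hex string rather than a real ed25519 point; amounts are in piconero (1 XMR = 10^12 piconero). The reason only one such output can ever be spent is that a Monero key image is derived from the one-time output key, so outputs sharing that key share a key image and the network will reject a second spend.

```python
"""Duplicate stealth-address check for incoming deposits.

Added illustration, not Monero project code. In Monero the one-time
(stealth) key of an output is P = Hs(r*A || i)*G + B, where r is the
sender's transaction private key, (A, B) the recipient's view/spend
public keys and i the output index. If an attacker fixes r, every
payment to the same (A, B) at the same index yields the same P.
"""
from dataclasses import dataclass
from typing import List, Tuple

PICONERO_PER_XMR = 10**12  # 1 XMR = 10^12 piconero


@dataclass(frozen=True)
class ReceivedOutput:
    tx_hash: str       # transaction that carried the output (constructed)
    one_time_key: str  # stealth address P the funds were sent to (constructed)
    amount_pico: int   # amount in piconero


def naive_credit(outputs: List[ReceivedOutput]) -> int:
    """Vulnerable: credits every output it sees, exactly the behaviour the
    burning bug abused. No check that the stealth addresses are distinct."""
    return sum(o.amount_pico for o in outputs)


def hardened_credit(outputs: List[ReceivedOutput]) -> Tuple[int, List[ReceivedOutput]]:
    """Credit only the first output per one-time key.

    Outputs with an identical one-time key share a key image, so at most
    one of them can ever be spent; the rest are effectively burnt and
    must not be credited. Returns (credited_piconero, burnt_outputs).
    """
    seen_keys = set()
    credited = 0
    burnt: List[ReceivedOutput] = []
    for o in outputs:
        if o.one_time_key in seen_keys:
            burnt.append(o)        # duplicate stealth address: unspendable
            continue
        seen_keys.add(o.one_time_key)
        credited += o.amount_pico
    return credited, burnt


def build_sample() -> List[ReceivedOutput]:
    """Constructed deposit stream: one honest 1 XMR deposit on a unique
    stealth address, then 1000 attacker deposits of 1 XMR that all reuse
    the same stealth address because the attacker reused r."""
    honest = ReceivedOutput("tx_honest", "0b" * 32, PICONERO_PER_XMR)
    reused_key = "aa" * 32  # same P in every attacker transaction
    attacker = [
        ReceivedOutput(f"tx_attacker_{n:04d}", reused_key, PICONERO_PER_XMR)
        for n in range(1000)
    ]
    return [honest] + attacker


if __name__ == "__main__":
    sample = build_sample()
    print("naive credit (XMR):", naive_credit(sample) / PICONERO_PER_XMR)
    credited, burnt = hardened_credit(sample)
    print("hardened credit (XMR):", credited / PICONERO_PER_XMR)
    print("outputs flagged as burnt:", len(burnt))
```

On the constructed stream the naive routine credits 1001 XMR, while the hardened routine credits 2 XMR (the honest deposit plus the single spendable attacker output) and flags the remaining 999 outputs. A real wallet would perform the same comparison on the decoded output public keys rather than on hex strings.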
With continued investment in security audits, such attacks should become less likely.