en
Back to the list

Monerujo Wallet User Drains Monero’s CCS Wallet: Report

source-logo  coinedition.com 05 November 2023 09:23, UTC
  • Monero’s Community Crowdfunding System (CCS) wallet was exploited and drained on September 1.
  • Till September 1, the wallet held a total balance of 2,675.73 XMR, worth $460,000.
  • Moonstone Research identified that the exploitation was done by a Monerujo wallet user with the PocketChange feature.

In a sudden turn of events, the decentralized community-driven project Monero revealed its Community Crowdfunding System’s (CCS) wallet exploitation that occurred on September 1, 2023. As per reports, the attacker drained the wallet in nine transactions, accumulating its entire balance accounting for 2,675.73 XMR, worth $460,000.

Chinese crypto reporter Colin Wu took to his official X page, Wu Blockchain, to share insights on Monero’s CCS hack, the source of which remains a mystery. The reporter also reflected on the blockchain security firm SlowMist’s assumption that the vulnerability is a “loophole in the Monero privacy model.”

The Monero team announced that the community crowdfunding system CCS Wallet was attacked on September 1, 2023, and the entire balance of 2,675.73 XMR (approximately $384,000) was stolen. So far, the source of the vulnerability cannot be determined. SlowMist believes that it…

— Wu Blockchain (@WuBlockchain) November 5, 2023

As per Monero’s revelations, until September 1, the CCS, a system funded by donations, held a total balance of 2675.73 XMR. In November, Monero developer Luigi identified that the wallet holdings had been completely stolen.

Moonstone Research traced the attacker’s transactions and concluded with the supposition that the exploiter was a Monerujo wallet user who had the PocketChange feature enabled. Monerujo is an Android non-custodial Monero wallet, offering PocketChange feature that mitigates a disadvantage of Monero by creating multiple “pockets” or “enotes”. The report further explained the notion, reflecting on Monerujo’s statement, which read,

As long as [PocketChange is] enabled, every time you use Monerujo to send moneros somewhere, it will take a bigger coin, split it in parts, and spread those smaller coins into 10 different pockets. That way, the coins won’t merge again, and you’ll be ready to spend instantly from all those pockets without waiting the dreadful 20 minutes.

With four Crescent Discovery Reports, Moonstone Research identified that the attacker had created 11 output enotes, which is unlikely for usual transactions. Reiterating their assumptions, Moonstone Research stated, “We believe this is the most likely case, regardless if the attacker was using Monerujo version 3.3.7 or 3.3.8.”

Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.

coinedition.com