TL;DR – A theoretical bug in the Monero source code has been identified and patched. The relevant patches have been applied to the Safex Blockchain.

Earlier this month, the Monero community raised a theoretical vulnerability in the Monero source code (of which the Safex blockchain is a fork): a malicious actor could send funds to another address, but the funds, once received, would be burned and unusable.

On many blockchains, such as Bitcoin and Ethereum, it is possible to burn coins on the network; hence the name Burning Bug. Burns can occur when the Monero blockchain detects transactions between identical stealth addresses: it assumes these are illegitimate and burns one of the transactions, allowing just one legitimate transaction to remain.

After modifying a Monero wallet to make transactions using the same stealth address as the target wallet, attackers send, say, a thousand transactions of one XMR to an exchange. Because the exchange’s wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1,000 XMR. The attacker then sells his XMR for BTC and lastly withdraws this BTC. The result of the hacker’s action(s) is that the exchange is left with 999 unspendable / burnt outputs of 1 XMR.
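
A deposit-crediting check an exchange could run against the scenario above, as an added example (not Monero or Safex code): it credits at most one output per stealth address and flags every repeat. The `DepositTracker` class, its `(txid, output_key, amount)` input format and the keep-the-largest rule are assumptions of this example, and the sample deposits are constructed.

```python
from dataclasses import dataclass, field

ATOMIC = 10**12  # atomic units per 1 XMR


@dataclass
class DepositTracker:
    """Credits at most one output per one-time (stealth) output key."""
    best: dict = field(default_factory=dict)    # output key -> largest amount seen
    alerts: list = field(default_factory=list)  # (txid, key, amount) of duplicates

    def receive(self, txid: str, output_key: str, amount: int) -> int:
        """Return the amount (atomic units) that may be credited for this output."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        key = output_key.lower()  # hex keys compare case-insensitively
        seen = self.best.get(key)
        if seen is None:
            self.best[key] = amount
            return amount
        # Same stealth address again: only one of these outputs is spendable.
        self.alerts.append((txid, key, amount))
        if amount > seen:
            # Treat the larger output as the spendable one; credit the difference.
            self.best[key] = amount
            return amount - seen
        return 0


def credit_all(outputs):
    """Process (txid, output_key, amount) tuples; return (credited, tracker)."""
    tracker = DepositTracker()
    credited = sum(tracker.receive(*o) for o in outputs)
    return credited, tracker


# Constructed sample: 1,000 deposits of 1 XMR to one stealth address,
# plus one ordinary deposit to a different stealth address.
DUP_KEY = "aa" * 32
SAMPLE = [(f"tx{i:04d}", DUP_KEY, 1 * ATOMIC) for i in range(1000)]
SAMPLE.append(("tx-normal", "bb" * 32, 5 * ATOMIC))

if __name__ == "__main__":
    credited, tracker = credit_all(SAMPLE)
    print(f"credited {credited // ATOMIC} XMR, flagged {len(tracker.alerts)} duplicates")
```

A production tracker would also need to treat a key whose output has already been spent as fully burnt, since no later output to that key can be spent.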

As a result of this vulnerability, the Monero developers have released a fix which has been applied to the Safex Blockchain (source). The fix should find its way into the next master release.

No Safex or Monero has been lost as a result of this vulnerability. It was classed as a theoretical bug rather than one being actively exploited.