'Critical' Vulnerability in Beam Wallet Could Have Put Funds At Risk, Devs Say After Fix

The "critical vulnerability" found by developers of the mimblewimble privacy coin Beam is said to have put user funds at possible risk of being stolen.

AccessTimeIconJan 16, 2019 at 5:45 p.m. UTC
Updated Aug 18, 2021 at 10:35 p.m. UTC

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

Developers behind the privacy-focused cryptocurrency Beam have revealed that the "critical" bug discovered and subsequently fixed in their wallet software last week could have put user funds directly at risk.

As stated in a Medium post published today, the vulnerability would have allowed an attacker to create “modified transactions” and subsequently send funds directly into the attacker's wallet.

  • Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
    13:18
    Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
  • Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
    05:10
    Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
  • The first video of the year 2024
    04:07
    The first video of the year 2024
  • The last regression video of the year 3.67.0
    40:07
    The last regression video of the year 3.67.0
  • In an exclusive interview with CoinDesk, Beam CTO Alex Romanov explained that by leveraging Beam’s Secure Bulletin Board System (SBBS) – a custom-built system to enable offline encrypted messaging between Beam wallets – attackers “currently listening in on active SBBS addresses … would be able to cause these wallets to send money to an attacker.”

    Romanov stressed that the issue was application-specific and in no way related to the privacy-enhancing technology mimblewimble, saying:

    “The vulnerability is not related to mimblewimble or cryptography or any underlying technology. Basically, it’s a bug in the application itself … It just affected the wallets because it would be possible to create this specific transaction.”

    And though the existence of the vulnerability was disclosed to the public the same day it was found by Beam’s internal development team, the exact nature of the threat was not made public until today.

    The reason for this according to Romanov was to prevent opening up any “possible attack vectors” for users who had not seen the announcement of the vulnerability last Wednesday.

    Elaborating that people are “not online all the time, sometimes there are time differences, people may be asleep,” Romanov told CoinDesk that withholding further details was a way to buy time for users “especially pools and exchanges” to implement the code fix.

    Speaking to the issued patch, Romanov explained that the fix was relatively simple.

    “We have just prevented this specific scenario in which this custom transaction would have been accepted by a running wallet and that’s it,” said Romanov to CoinDesk.

    The next upgrade

    Beam officially launched on Thursday, January 3. Since that point, Romanov said that feedback from users is already being worked into a new upgrade for the Beam software currently being tested and set for release “in the next couple days."

    “We have taken into consideration all the issues raised by users, all the requests, all the misunderstanding that in retrospect was pretty obvious because mimblewimble is a very new technology … and we have created an update which will improve the user experience,” said Romanov.

    Calling it version 1.0.1, Romanov highlighted that use of Beam systems as a result of mimblewimble has caused “pools and also exchanges to significantly modify the way they operate and the way they handle transactions.”

    “There were a lot of learning curves from all sides … [The update] will reduce the amount of potential misunderstandings or problems. Sometimes, even though the system functions properly, it’s not clear for the [user] what is happening," Romanov told CoinDesk:

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.