Monero developers have patched a bug that could allow attackers to 'burn' the funds in a user's wallet at the cost of only network transaction fees, the developers said in a September 25 announcement.
A community member described a hypothetical attack on the XMR subreddit when the bug was discovered. An attacker could cause significant damage to merchants and others in the XMR ecosystem using this exploit. The blog describes how the bug could be exploited:
“An attacker first generates a random private transaction key. Thereafter, they modify the code to merely use this particular private transaction key, which ensures multiple transactions to the same public address (e.g. an exchange's hot wallet) are sent to the same stealth address. Subsequently, they send, say, a thousand transactions of 1 XMR to an exchange. Because the exchange's wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1000 XMR.”
Monero noted that while an attacker wouldn't be able to directly acquire monetary gains from such an attack, “there are probably means to indirectly benefit.”
After the attack, the attacker sells the XMR for BTC and withdraws the BTC. The exchange is then left with 999 'burned' or unspendable outputs of 1 XMR.
The bug has not impacted the coin supply or the protocol. XMR developers created a patch in the code which was announced on their official Twitter page.
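The abnormality the quoted description says the exchange's wallet did not warn about (several deposits arriving on the same stealth address) can be caught on the receiving side before crediting. The following is an added illustration, not Monero's patch or wallet code; the `Deposit` record, the `split_spendable` helper, the keep-the-largest rule and the sample values are all assumptions made for the example.

```python
from collections import defaultdict
from typing import NamedTuple

XMR = 10**12  # atomic units per 1 XMR


class Deposit(NamedTuple):
    txid: str        # transaction id (constructed sample value)
    output_key: str  # one-time (stealth) output public key, hex
    amount: int      # atomic units


def split_spendable(deposits):
    """Split deposits into (credit, burned).

    Outputs that share a one-time key also share a key image, so the
    network accepts a spend of only one of them. Assumption of this
    sketch: keep the largest per key (first seen on a tie), flag the rest.
    """
    by_key = defaultdict(list)
    for d in deposits:
        by_key[d.output_key].append(d)

    credit, burned = [], []
    for group in by_key.values():
        best = max(group, key=lambda d: d.amount)  # first maximum on ties
        credit.append(best)
        burned.extend(d for d in group if d is not best)
    return credit, burned


# Constructed sample: three deposits reuse one stealth address.
SAMPLE = [
    Deposit("tx01", "aa" * 32, 1 * XMR),
    Deposit("tx02", "aa" * 32, 1 * XMR),
    Deposit("tx03", "bb" * 32, 2 * XMR),
    Deposit("tx04", "aa" * 32, 1 * XMR),
]

if __name__ == "__main__":
    credit, burned = split_spendable(SAMPLE)
    naive = sum(d.amount for d in SAMPLE) // XMR
    safe = sum(d.amount for d in credit) // XMR
    print(f"naive credit: {naive} XMR, spendable credit: {safe} XMR")
    for d in burned:
        print(f"WARNING {d.txid}: stealth address {d.output_key[:8]}... reused")
```

A deposit pipeline that credits only the `credit` list and alerts on anything in `burned` never books more value than it can later spend.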