
Speculation of the recent DigitalNote exploit has been rife in the community and creating significant anxiety between the community and the development team.
After a detailed investigation, the development team identified and analysed the exploit and can now report our findings.
The first exploit, the “Monte Spoof attack”, on DigitalNote saw the minting of 1.8 billion coins (with 925 million sold on Bittrex). This was performed with a specifically crafted PoW block. This was identified as a glitch in TX checking where inputs were not correctly checked against outputs (allowing coins to be minted). The XDN team patched this and forked the chain to fix this issue.
Recently another exploit took place that saw the funds from 2 of the burn addresses removed and sold on Bittrex. We identified the same PoW address as the first exploit linked to this. This second exploit uncovered a significant bug in the code that has been around since 2019. This bug allowed the hacker to take advantage of a transaction signature of *any* transaction into *any* wallet to craft a withdrawal transaction from that wallet.
I will say that again… ANY single transaction from ANY wallet to craft a withdrawal transaction of the same amount… And they obviously started with the big ones (to answer a few of you, yes they were burned correctly, no private key is needed to perform this exploit) This was further proofed when another (somewhat pointless) exploit was carried out on the 9th September… possibly by another person who figured out the issue.
In this case, 11 wallets (all with single large inputs) were drained and send to 8 (non-exchange) addresses This exploit occurred at block 423410, which is why some of you may have gotten stuck on block 423409 when trying to resync (the resync caught it as an invalid block). This last occurrence on 9th September is the reason why we required a chain rollback, as it sucks that our burn coins were stolen, but we absolutely cannot have community coins stolen.
We have since upgraded explorer to the new chain, but took a screenshot of this last exploit for your reference. So this is the main reason we haven’t yet divulged any information, every wallet was susceptible to this exploit, and the more people that figured it out and decided to play would have spelled the end of this coin. Once we are all migrated to the new chain, we will continue to test and monitor until we are comfortable, only then will we ask exchanges to reopen deposits and withdrawals.
Stay focused, stay strong, stay together!
All the best — The XDN Team
If you are keen to get in and help with the development of DigitalNote, please contact the team on our Discord chat.
References: