The P2Pool Bug That Targeted New XMR

Most crypto exploits target coins that already belong to someone. A recently patched vulnerability in P2Pool, the popular Monero mining pool was different. It did not touch anyone's existing wallet. Instead, it targeted freshly mined coins: the block rewards being distributed at the very moment of creation.

Here's how it worked. If an attacker could run enough nodes connected to P2Pool, for example through a botnet, they could redirect a significant share of the block reward to themselves - potentially even up to 100%.

P2Pool is not some obscure pool. It is one of the most popular ways to mine Monero, almost a standard in the Monero ecosystem. Miners like it because there is no central server assigning work or distributing payouts. Everyone participates independently, and rewards are split automatically. As it turned out, that automated reward distribution mechanism could be manipulated.

Crypto hacks are everywhere these days, and attackers keep finding the most unexpected weak points. But stealing coins at the exact moment they enter circulation? That's something I hadn't come across before.

The silver lining is that this vulnerability does not appear to have posed a serious threat to the Monero network overall. In theory, it could have had indirect consequences if mining became unprofitable enough for miners to start shutting down their nodes. But unlike last year, when problems caused by the Qubic mining pool led some services to require hundreds of confirmations before accepting XMR, nothing like that is happening now.

At Rabbit.io, we are still processing XMR swaps into other cryptocurrencies after 10-25 confirmations, depending on the exchange route.