
Monero developers uncover flaw in privacy-preserving algorithm
Monero bug in decoy selection may affect privacy.
The Monero team, the privacy-focused cryptocurrency project, uncovered a bug in the decoy selection algorithm that could affect the privacy of users’ transactions. One of the first to notice it was developer Justin Berman.
A rather significant bug has been spotted in Monero’s decoy selection algorithm that may impact your transaction’s privacy. Please read this whole thread carefully. Thanks @justinberman95 for investigating this bug.
1/6
— Monero || #xmr (@monero) July 27, 2021
The Monero blockchain uses ring signatures, in which the output actually being spent is mixed with decoy outputs (mixins) taken from other people’s earlier transactions. The decoys obscure the trail and conceal which output is really being spent.
According to Berman, if a user spends funds within the first two blocks in which consensus allows them to be spent (10 blocks after receipt, or roughly 20 minutes), there is a high likelihood that the real spent output can be picked out from among the mixins.
“Today, if a user spends an output directly in the block that they unlock, and that output was originally included in a block with fewer than 100 outputs, [in the ring signature] its true output will be clearly identifiable. For comparison, the average is about 63 outputs,” writes Berman.
The project team noted that the bug does not reveal addresses or transfer amounts and does not put users’ funds at risk. The developers stressed that the issue has not yet been fixed; the bug is still present in the official wallet code.
Users can substantially mitigate the risk to their privacy by waiting 1 hour or longer before spending their newly-received Monero, until a fix can be added in a future wallet software update. A full network upgrade (hard fork) is not required to address this bug.
4/6
— Monero || #xmr (@monero) July 27, 2021
“Users can substantially mitigate the privacy risk by waiting at least an hour before spending freshly received Monero. The bug will be fixed in a future wallet software update. A full network upgrade (hard fork) is not required,” the statement says.
Users had already flagged the decoy selection issue earlier. In March, a member of the private Incognito noted that the timestamp of the true input is usually “newer” than that of the randomly chosen mixins.
“I looked at the latest transactions in the explorer — for most of them the actual input was fairly obvious,” he added.
Earlier, in May, the Ethereum Foundation disclosed details of a vulnerability that allowed a DoS attack on the blockchain of the second-largest cryptocurrency.