Many cryptocurrencies try to preserve the anonymity of their users. Monero (XMR), a cryptocurrency launched in 2014, is one of them. However, a bug in its code appears to be putting the privacy of some users at risk.
A bug discovered in Monero (XMR)
On Tuesday, July 27, the Monero protocol teams notified their users that a bug had been found in the decoy selection algorithm, i.e. the algorithm responsible for anonymizing transactions.
The bug was brought to light by the developer Justin Berman. He discovered that if a user spent funds in the first 2 blocks after they became spendable (about 20 minutes after receiving them), there was a good chance that the transaction would no longer be confidential:
“If users spend funds immediately after the lock time in the first 2 blocks allowed by the consensus rules (~20 minutes after receiving the funds), there is a good probability that the output can be identified as the real spend.”
In practice, Monero anonymizes transactions with ring signatures. In short, several decoy outputs are included in the signature alongside the real one, so that the output actually being spent is hidden among them. However, when a user spends funds within minutes of their becoming spendable, a bug in the selection of decoys undermines this mechanism and leaves the transaction effectively un-anonymized.
“Today, if a user spends an output directly in the block they unlock, and that output was originally created in a block that contains fewer than 100 total outputs, their true output would be clearly identifiable in the ring.”
A temporary fix before a real fix on Monero
Unfortunately, according to the information reported by the Monero teams, the bug is still present in the code of the official wallet at the time of writing. It should be fixed in the next wallet update, for which no date has been given yet. Fortunately, fixing this bug does not require any modification of the protocol itself, so no hard fork will be needed.
While waiting for the fix, the Monero teams encourage users to wait at least 1 hour before spending freshly received funds:
“Users can significantly reduce the risk of privacy breach by waiting 1 hour or more before spending their newly received Moneros, until a fix can be added in a future wallet software update.”
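To make the conditions described above concrete, here is an added example (not code from the Monero project or from the article) that checks a freshly received output against the advisory: whether it is still locked, whether spending it now falls in the exposed window (the first 2 blocks after unlock, made worse when the origin block holds fewer than 100 outputs), and how long the recommended 1-hour wait still has to run. The 10-block unlock time and 2-minute block interval are Monero's real parameters; the 30-block figure for "1 hour" is an assumption derived from that interval, and the function and class names are made up for this example.

```python
"""Exposure check for a freshly received Monero output, following the advisory
quoted in the article. Added example, not Monero project code.

Assumptions: Monero's 10-block unlock and ~2-minute block interval are real
protocol parameters; the exposed window (first 2 blocks after unlock) and the
100-output threshold come from the quoted advisory; the 1-hour wait is
modelled as 30 blocks at 2 minutes each. Names here are hypothetical.
"""
from dataclasses import dataclass

LOCK_BLOCKS = 10           # an output cannot be spent until it is 10 blocks old
EXPOSED_BLOCKS = 2         # first 2 spendable blocks: decoy selection breaks down
SMALL_BLOCK_OUTPUTS = 100  # origin block with fewer outputs -> "clearly identifiable"
BLOCK_MINUTES = 2          # assumed average block interval
SAFE_WAIT_BLOCKS = 60 // BLOCK_MINUTES  # ~1 hour, as the advisory recommends


@dataclass(frozen=True)
class SpendVerdict:
    status: str                 # "locked", "exposed", "wait", or "ok"
    clearly_identifiable: bool  # True only for the <100-output origin block case
    blocks_to_wait: int         # blocks until the 1-hour recommendation is met

    @property
    def minutes_to_wait(self) -> int:
        return self.blocks_to_wait * BLOCK_MINUTES


def assess_spend(created_height: int, current_height: int,
                 outputs_in_origin_block: int) -> SpendVerdict:
    """Classify spending an output created at `created_height` right now."""
    age = current_height - created_height
    if age < 0:
        raise ValueError("output cannot be created in the future")
    remaining = max(0, SAFE_WAIT_BLOCKS - age)

    if age < LOCK_BLOCKS:
        # Consensus rules forbid the spend entirely; nothing to leak yet.
        return SpendVerdict("locked", False, remaining)
    if age < LOCK_BLOCKS + EXPOSED_BLOCKS:
        # Spending in the first 2 unlocked blocks: the real output is likely
        # distinguishable from its decoys; certain if the origin block was small.
        return SpendVerdict("exposed",
                            outputs_in_origin_block < SMALL_BLOCK_OUTPUTS,
                            remaining)
    if age < SAFE_WAIT_BLOCKS:
        # Past the worst window but short of the advised 1-hour wait.
        return SpendVerdict("wait", False, remaining)
    return SpendVerdict("ok", False, 0)


if __name__ == "__main__":
    # Constructed sample: output created at height 1000, origin block had 40 outputs.
    for height in (1005, 1010, 1011, 1012, 1030):
        v = assess_spend(1000, height, 40)
        print(f"height {height}: {v.status:8} clear={v.clearly_identifiable} "
              f"wait {v.minutes_to_wait} min")
```

A wallet front end would surface the "exposed" and "wait" verdicts as a warning before letting the user confirm a spend; once the wallet fix the article mentions ships, the 1-hour rule becomes unnecessary, but the classification logic is harmless to keep.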
A not so widespread bug?
A few hours after these revelations, and in response to the community's discontent, the Monero teams clarified the impact of this bug. It appears to affect only a small share of all transactions made:
“It would probably only affect a tiny fraction of XMR transactions. The absolute maximum number of rings affected is probably less than 1% (since block 2300000, only ~1% of the outputs used in the rings had between 10 and 12 blocks, and a percentage of them were probably decoys).”
Fortunately, the Monero Foundation has the funds to finance the correction of this bug: last June, the Foundation received an anonymous donation of $500,000.