How This Monero Bug Could Impact User Privacy
A “significant” decoy selection bug has been reported for Monero via the project’s official Twitter handle. According to the investigation, carried out by software developer Justin Berman, the bug “may impact your transaction’s privacy” during a brief window of time after funds have been received.
If users spend funds immediately following the lock time in the first 2 blocks allowable by consensus rules (~20 minutes after receiving funds), then there is a good probability that the output can be identified as the true spend.
Monero Research Lab clarified that the data at risk of exposure is related to addresses or transactions amounts, the funds themself are “Never at risk of being stolen”. Since the report was published around 10 hours ago, the bug has persisted in the “official wallet code”.
In order to mitigate the bug, users can wait 1 hour before spending funds after receiving them. Developers are currently working on a wallet software update. This won’t need to be implemented via a Hard Fork.
The Monero Research Lab and Monero developers take this matter very seriously. We will provide an update when wallet fixes are available.
A Potential Fix For The Monero Decoy Selection Bug
On the Monero Project GitHub repository, Berman made a detailed explanation of the bug. He revealed that his investigation was run by core developers before it was published. He clarified that the decoy selection mechanism that affects the software wallet has “0 change of selecting extremely recent outputs as decoys”.
Thus, why users can mitigate the bug by spending their funds after a while. As the developer clarified, the algorithm introduces 10 “decoys” into a Monero ring, later, it hides the real output. The selection mechanism has almost 0 chance of selecting a decoy with less than 100 outputs, but still, the probability is there:
The fact that there is still a chance to select a decoy with output index <100 is thanks to this part of the algorithm which takes the output_index determined by exp(x), finds the block it’s in, and then randomly selects an output from that block. So outputs from blocks that have >100 outputs have a chance at being selected as decoys.
Although it is still under development, Berman believes that the solution for the Monero bug will require a modification to the decoy selection mechanism. This could potentially impact the uniformity of the transactions if they are processed by a node without the update versus the way update nodes will construct rings, the developer said.
The fix I’m leaning toward at the moment is that the algorithm is off by 1 block, meaning that the paper’s observed gamma distribution simply plotted observed spents. At a block time of 120 seconds, you would expect next to 0 outputs to be spent in less than 120 seconds, which the paper’s recommended gamma distribution seems to corroborate.
At the time of writing, Monero (XMR) trades at $220.95 with a 16.1% profit in the weekly chart. XMR follows the general market sentiment moving sideways after a significant push to the upside during the weekend.