Monero XMR: “Significant” privacy bug discovered


The privacy coin Monero has a problem: some transactions are less obscured than others. The culprit is a bug that the Monero team was recently informed about.

Monero (XMR) can do what Bitcoin is supposed to do: anonymous transactions. While the Taproot update promises an improvement in the privacy of the leading cryptocurrency, Monero already ships with various mechanisms out of the box that make tracing transaction flows and account balances a challenge on which every blockchain snoop has so far gotten a bloody nose. It is not for nothing that the US tax authority, the IRS, offered a reward of USD 625,000 last year for hackers who manage to lift Monero’s veil of privacy – so far without success.


Monero developers warn of privacy bug

However, the project itself has now received indications of a bug that could compromise the privacy of transactions. Specifically, it concerns the algorithm for creating decoy transactions. These are “transaction dummies” that are automatically created with every XMR transaction to disguise the flow of money. As programmer Justin Berman discovered, this obfuscation works only partially for short-term transactions. Under the right conditions, at least the amount sent could be determined:

“The algorithm for the decoy selection has almost no chance of selecting extremely current outputs as decoys. If a user today spends an output directly in the block in which it was activated, and the output was originally created in a block that contains fewer than 100 outputs in total, his real output would be clearly recognizable in the ring [of the block's signature],”

warned Justin Berman via GitHub – commendably only after letting Monero’s core development team know.

Mind you: this concerns only the amount sent, not the addresses or “account balances” of the transaction partners. Still, the Monero team takes the “significant” bug “very seriously,” as it announced on its Twitter account. It is currently working on a solution, the announcement continues. Until then, users of the privacy coin are urged to allow at least two blocks (around 20 minutes) to elapse between receiving and forwarding XMR, so that maximum privacy is guaranteed.