Monero Privacy Compromised for Three Years Due to Bug in Decoy Selection Algorithm

Urgent Wallet Update Required as Monero Developers Discover Flaw Impacting Transaction Confidentiality

- Advertisement -

Monero, a cryptocurrency that has privacy at its core, has faced a significant problem that affected this very property of the network for three years.

Monero developers recently discovered a bug (flaw) in its decoy selection algorithm that compromised the confidentiality of transactions. They ask users to update their wallets urgently.

According to developer reports, the bug affected GUI/CLI wallet versions from v0. to v0.18.2.1 and severely impacted transaction privacy. During this time, Monero users could have lost their sender anonymity when making transactions with funds 10 blocks old.

In Monero, decoys, also known as ring members, are the old transactions used as a distraction from current transactions. These decoys are selected to hide the true receipt of funds in a transaction and increase the privacy of the sender.

The vulnerability found originated in the gamma selector code, used to choose decoys in Monero transactions. Due to a slippage error, the gamma selector could not choose decoys that were exactly 10 blocks old.

This allowed an outside observer to deduce with high probability what the actual spend in an input ring was if one of the ring members was exactly 10 blocks old.

To address this issue, wallet update v0. was released in early April, which resolves the flaw and protects the privacy of Monero users. The network development team asked all Monero users to update their wallets to this version as soon as possible.

In addition, users of third-party wallets are suggested to check if their developers have updated the wallet code to the new Monero Core “wallet2”.

By upgrading, not only the anonymity of individual senders is improved, but also the anonymity pool is increased for all users, including those still using previous vulnerable versions.

A flaw that affected an essential feature in Monero

Monero is a network that focuses on preserving the privacy of its users when making transactions on it.

To do so, it employs a series of functionalities that allow signing a transaction without revealing the addresses of the participants or the amounts involved.

Therefore, the fact that a bug has affected privacy and that the flaw is discovered so long after the fact is a heavy blow for its user community.

In fact, the developers themselves admit that “the bug was discovered by accident while trying to fix an infinite while loop during decoy selection.”

A number of users expressed their opinion in the comments of the developers’ github post.

For example, janowitz questioned why the vulnerability was not published earlier, considering that the latest version of the wallet was released almost two months ago and more users could have been warned about this problem.

In addition, he asked “to know how many transactions were affected in total (…) the flaw has been there for almost four years”.


- Advertisement -
- Advertisement -
- Advertisement -


- Advertisement -

Must Read

Read Next
Recommended to you