“Severe” decoy selection bug discovered
The bug was reported via the Monero project's official Twitter account, and according to an investigation by software developer Justin Berman, the bug “may affect the privacy of transactions” for a short period of time after funds are received.
If a user spends funds immediately after the lock time of the first two blocks allowed by the consensus rules expires (approximately 20 minutes after receiving the funds), there is a high probability that the output can be identified as the real spend.
Monero Research Lab clarified that the data at risk of being leaked relates to addresses and transaction amounts, and that the funds themselves are “not at risk of being stolen.” The bug remains in the “official wallet code” since the report was published about 10 hours ago.
To mitigate the bug, users can wait one hour after receiving funds before spending them. Developers are currently working on an update to the wallet software, which will not require a hard fork.
The Monero Research Lab and Monero developers are taking this issue very seriously and will provide an update when a fix for the wallet is available.
Potential fix for Monero decoy selection bug
In the Monero Project GitHub repository, Berman detailed the bug, which he said was investigated by core developers before it was made public. He explained that the decoy selection mechanism affecting software wallets means that “very recent outputs have zero chance of being selected as a decoy.”
Thus, by spending funds only after some time has passed, users can mitigate the bug. As the developers revealed, the algorithm introduces 10 “decoys” into the Monero ring, which then hide the real output. The selection mechanism has an almost zero chance of selecting a decoy with an output index less than 100, but it is still possible.
The reason a decoy with an output index less than 100 can still be selected is the part of the algorithm that takes the output_index determined by exp(x), finds the block it is in, and randomly selects an output from that block. Therefore, any output from a block that also contains an output with an index greater than 100 can still be selected as a decoy.
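To make the mechanism in the two paragraphs above concrete, here is an added Python simulation of a simplified picker; it is not Monero's wallet code. It assumes the gamma fit from the Möser et al. (2018) study the article's “paper” refers to (shape 19.28, rate 1.61 on the natural log of output age in seconds), a 120-second block time, and a constructed toy chain; `fraction_in_youngest` measures how rarely the newest blocks are chosen, and `decoy_for_age` shows the block-rounding step that can still return a very recent output.

```python
import math
import random

# Assumed parameters: gamma fit on log(age in seconds) from the study the
# article cites, and the 120-second Monero block time.
GAMMA_SHAPE, GAMMA_RATE, BLOCK_TIME = 19.28, 1.61, 120


def make_chain(num_blocks, max_outputs_per_block, seed=1):
    """Constructed toy chain: per-block output counts and each block's first global index."""
    rng = random.Random(seed)
    counts = [rng.randint(1, max_outputs_per_block) for _ in range(num_blocks)]
    starts, total = [], 0
    for c in counts:
        starts.append(total)
        total += c
    return counts, starts, total


def block_of(index, starts):
    """Largest block whose first global index is <= index (binary search)."""
    lo, hi = 0, len(starts) - 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if starts[mid] <= index:
            lo = mid
        else:
            hi = mid - 1
    return lo


def decoy_for_age(age_seconds, chain, rng):
    """The step the article describes: age -> output index back from the tip ->
    its block -> a uniformly random output of that block (None if older than chain)."""
    counts, starts, total = chain
    avg_output_time = BLOCK_TIME * len(counts) / total  # seconds per output, on average
    back = int(age_seconds / avg_output_time)
    if back >= total:
        return None
    b = block_of(total - 1 - back, starts)
    return rng.randrange(starts[b], starts[b] + counts[b])


def fraction_in_youngest(chain, youngest_blocks, trials=20000, seed=7):
    """Share of gamma-drawn decoys that land in the newest `youngest_blocks` blocks."""
    counts, starts, total = chain
    rng = random.Random(seed)
    cutoff = starts[len(counts) - youngest_blocks]
    hits = 0
    for _ in range(trials):
        age = math.exp(rng.gammavariate(GAMMA_SHAPE, 1.0 / GAMMA_RATE))
        idx = decoy_for_age(age, chain, rng)
        if idx is not None and idx >= cutoff:
            hits += 1
    return hits / trials
```

Because the block lookup happens before the uniform draw within the block, an age that maps to the oldest output of the tip block can still yield the very newest output, which is the block-rounding effect described above.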
Berman believes that resolving the bug will require a fix to the decoy selection mechanism itself, which is still under development. He noted that such a change could affect transaction uniformity, because rings built by wallets that have not updated would be constructed differently from rings built by updated wallets.
The fix I'm considering at the moment is that the algorithm is off by one block, meaning the gamma distribution observed in the paper is simply a plot of observed spending – with a block time of 120 seconds, one would expect outputs spent below 120 seconds to be close to 0, which the gamma distribution suggested in the paper seems to support.
At the time of writing, Monero (XMR) is trading at $220.95, up 16.1% on the weekly chart. XMR is trading sideways in line with overall market sentiment after a strong weekend rally.