A significant bug was found by the developers of the privacy-centric cryptocurrency Monero that has the potential of exposing the occurrence of an output transaction conducted immediately after receiving funds. The bug in the Decoy system was first discovered by software developer Justin Berman when he observed that transaction destination to be identified.
According to Berman’s overview of the decoy selection algorithm, the bug led to “next to 0 chance of selecting extremely recent outputs as decoys.” This essentially means that if the Monero [XMR] users spend their tokens within the time period of 20 minutes of receiving them, there is a strong possibility that their transaction would be detected as a real transaction among the many fake ones.
🚨 WARNING TO MONERO USERS 🚨
A significant decoy selection bug has been found that may severely limit the privacy of spends shortly after receiving funds. This bug persists in the current wallet code. This is NOT good at all. #monero #xmr https://t.co/aqehLY3JUh
— Justin Ehrenhofer 🏳️🌈 (@JEhrenhofer) July 27, 2021
Monero confirms full network upgrade not required
Since its very inception, the privacy-focused crypto-asset has always been controversial. The crypto naysayers have always targeted the asset and associated it with dirty money that disappears without a trace. Hence, many community members were concerned about their privacy and being exposed to malicious entities.
However, Monero’s official Twitter handle explained that the bug in question does not disclose addresses or transaction amounts. More importantly, the user funds were never at risk of being stolen. It also notified that until a fix can be implemented in a future wallet software update, users can significantly reduce the risk to their privacy by waiting one hour or longer before spending their newly-received XMR token.
According to the Twitter thread, Monero Research Lab and Monero developers are investigating the bug and will provide an update when wallet fixes are available.
Previously, several financial regulators across the globe have attempted to break Monero’s privacy. In 2020, the US Internal Revenue Service offered a bounty of up to $625k o anyone who can “reliably produce useful results on a variety of real-world CI cryptocurrency investigations” involving the crypto-asset.