Airdrop Attack? Monero Fork Condemned as Privacy Threat

Mar 16, 2018 at 12:00 UTC
Updated Mar 19, 2018 at 04:05 UTC
FEATURE

Giving away free crypto might not be as easy as it sounds.

By gifting new assets to existing cryptocurrency users, so-called “airdrops” are proving explosive, enabling the sudden creation of massive amounts of value almost overnight. But as the method is perhaps being hastily adapted, unexpected hazards are beginning to emerge.

Planning to launch on April 30, monerov is one such example. Seeking to correct what it sees as an error in monero’s value proposition, it aims to offer a variation on the software behind the 11th-largest cryptocurrency that alters the rate at which coins are created.

But there’s a catch. While monerov activates like all forks (by copying another crypto’s codebase), its design threatens to undermine one of the core privacy mechanisms of the protocol it’s splitting from. In short, because of the way it impacts monero’s privacy features, a single data leak could cause a chain reaction, one that potentially damages its future transactions.

Given the risks to the original blockchain, the idea has been met with an icy reception.

Researchers affiliated with monero are now speaking out, seeking to brand the giveaway, in which monero holders would receive free money, an attack.

“Forking an existing blockchain without taking into account the effects is a reckless disregard for user privacy with no real benefits,” a cryptographer at the Monero Research Lab, who goes by the pseudonym “Sarang Noether,” flatly told CoinDesk.

That said, the airdrop only threatens one aspect of monero’s privacy model – other devices, that conceal transaction quantities as well as destination addresses, would be unaffected. But, there are concerns that it could set a precedent for further airdrops in the future.

As monero core developer “binaryFate” told CoinDesk:

“It is much easier to bootstrap a community by distributing ‘free’ tokens to an existing user base than starting from a genesis block and convincing new users to join based solely on the merit of your technology.”

What actually is an airdrop?

A newly popular method for distributing new cryptocurrency, it’s notable that the attack vector exposed by monerov hinges on the very process of airdrops.

Rather than using code to calibrate a new blockchain, an increasing number of forks are choosing to inherit the former chain, allocating a time for when the the codebase will split off and continue.

“One must distinguish forking a codebase and forking a blockchain,” binaryFate said.

Typically, at a predetermined “block height,” a numbered block in the chain, the new cryptocurrency will create a “snapshot” of who owns what on the former chain.

This information is then replicated onto the new blockchain, giving users two wallets, and potentially, a crypto stash that has doubled in quantity.

On the bitcoin blockchain, participating in an airdrop can have privacy faults of its own. As highlighted by author Andreas Antonopoulos, claiming airdropped coins with a bitcoin key pair can risk linking an entire transaction history, even if a bitcoin user has been diligent.

The technique can also cause more systemic problems, such as the well-known “replay attack” – in the wake of a fork, there’s a risk that money spent on one blockchain will also transact on the other chain, sacrificing the integrity of the ledger.

Linking key images

But this particular attack is specific to monero. To achieve anonymized transactions, monero relies on three mechanisms: stealth addresses, ring signatures and ring confidential transactions.

Together, these code functions form a robust privacy model, as stealth addresses protect the identity of a user that receives funds, ring signatures protect the sender and ring confidential transactions obscure the quantities that are being sent in a transaction.

The fork attack impacts only one of these devices, the ring signatures.

In ring signatures, transaction outputs, or the information about what is being sent, is aggregated into a “ring” that obscures information by mixing it up with the randomly selected transaction outputs of other monero users.

However, this presents a problem: “You never know if an output is actually spent or not,” binaryFate explained.

Because transaction outputs are hidden, nodes cannot verify that an exchange took place, meaning that a malicious user could spend the same XMR repeatedly.

To correct this, monero relies on what is called a “key image,” which is a proof that one piece of data within the ring signature is genuine. But while this remains privacy preserving as a one-use item on a single blockchain, if a key image is repeated, it can expose the original transaction output.

“This defeats the point of using ring signatures at all for that particular output,” binaryFate said.

But there’s a further risk arising from the airdrop, as well.

Because old transactions are sometimes included (a “decoy” to further secure the privacy of ring signatures), the exposed transaction could have an unpredictable impact across the monero blockchain, damaging the privacy of multiple users as an increasing number of fragments of a ring are revealed.

And, due to the nature of the attack, the deanonymization process would happen exponentially.

Sarang explained:

“If a substantial fraction of monero users claimed funds, the statistical likelihood that real inputs could be identified begins to increase.”

Mitigation measures

However, Sarang continued, to pose a serious risk, a large portion of monero users would need to participate in the airdrop. So, the fix is fairly simple: users could stay away from forks in which their private keys might be reused.

Toward this, monero developers and community members are coordinating to warn others of the risks posed by the upcoming airdrop.

“There is a social, voluntary-based component to the general mitigation: educate monero users to protect themselves,” binaryFate told CoinDesk.

However, warning users away from a free crypto can be a hard sell, and the monerov Twitter and Telegram groups have a growing numbers of users.

“The promise of free money is compelling. If someone mailed me an envelope of cash, it would be tempting to keep it,” Sarang admitted.

Against this, there’s two major steps that the monero team has taken. First, because the attack effectively decreases the ring size by revealing certain outputs, monero will increase the ring size in response.

Additionally, monero has coded up a mitigation that protects the exposure of outputs by insuring that key images are contained to a single ring signature. By deploying this, which Sarang described as “the safest approach,” data leaks can be avoided.

Monerov has said it is researching privacy protection for the upcoming fork, however, it is unclear whether the team intends to deploy the fixes recommended by the monero core team.

In an email to CoinDesk, monerov’s developers said they intend to raise the size of its ring signatures and deploy a “time gap” between the snapshot and mainnet release, to protect against information exposure.

However, the coordination necessary to stave off the attack between the two groups has been limited.

Speaking in an online chat, monero developer “moneromooo” warned that if the airdrop fails to implement the recommended fixes alongside monerov’s own methods, “It appears to be not a mitigation, but a worsening.”

As such, speculation is spreading among monero developers as to whether the airdrop is a deliberate, sophisticated attack.

BinaryFate told CoinDesk:

“It doesn’t really matter whether the attack is malicious or simply a greedy money grab, the threat is the same anyway.”

Silver forks image via Shutterstock