Bug Found in Decoy Algorithm for Privacy Coin Monero

"This does not reveal anything about addresses or transaction amounts ... This bug persists in the official wallet code today," Monero said.

Jul 27, 2021 at 6:36 a.m. UTC
Updated Sep 14, 2021 at 1:31 p.m. UTC

A "significant" bug, with the potential to expose users' transactions, has been spotted in monero, a cryptocurrency that's known for providing users privacy, according to a Twitter post on Tuesday.

  • The bug was identified in Monero's decoy selection algorithm. It occurs when a user spends funds received in a transaction before roughly 20 minutes have passed.
  • There is a "good probability" the output of the new transaction can be identified as the true transaction, according to the tweet.
  • XMR allows users to conceal their transactions by including worthless coins known as “mixins” along with the actual coins they spend in a given transaction.
  • "This does not reveal anything about addresses or transaction amounts ... This bug persists in the official wallet code today," Monero said.
  • Until a fix is implemented in a future wallet software update, users can avoid the bug altogether by waiting one hour or more before spending newly received monero.
  • A hard fork is not required to fix the bug, Monero said.
  • U.S. software developer Justin Berman first spotted the bug.
