Monero developers have spotted a significant bug in the token’s decoy selection algorithm that could break a transaction’s privacy. The team behind the privacy coin shared the alarming finding in a tweetstorm on Tuesday.
A rather significant bug has been spotted in Monero’s decoy selection algorithm that may impact your transaction’s privacy. Please read this whole thread carefully. Thanks @justinberman95 for investigating this bug.
— Monero || #xmr (@monero) July 27, 2021
Monero Reports Transaction Privacy Breaking Bug
First reported by developer Justin Berman, the privacy-breaching glitch currently persists in Monero’s official wallet code. Berman came across the issue when he found that if a user spends XMR tokens within 20 minutes of receiving them, the transaction destination will likely be identified.
“Today, if a user spends an output right in the block that it unlocks, and the output was originally created in a block that has fewer than 100 outputs total in it, their real output would be clearly identifiable in the ring,” Berman stated.
Monero’s community is understandably concerned about the network’s security and the possibility of a privacy breach. However, the company has assured its users that it is taking the issue very seriously. It has also highlighted that the bug doesn’t reveal addresses or transaction amounts, and that funds transferred on its platform are never at risk of being stolen.
Users Must Wait An Hour to Spend Their XMR
For the time being, Monero’s developers are working on a software update to patch the issue. They have also ruled out a full-fledged network upgrade, or hard fork, at this point.
To mitigate any potential risk to privacy, owners of XMR tokens have been advised to wait for an hour or even longer before they spend their newly received funds.
Created in 2014, Monero is a privacy-focused currency, which allows people to store and send digital assets anonymously. It is notorious for its presence on the dark web since it makes any illicit transfers completely untraceable. Last year, the Inland Revenue Service announced a $625,000 bounty for anyone who breaks the network’s anonymity. So far, that bounty hasn’t been claimed.