A Bug in Monero Decoy Selection Compromises Privacy

A bug recently found in Monero's wallet code suggests that the cryptocurrency may have given some users a false sense of privacy. In a recent write-up on GitHub, the developer j-berman stated that a flaw in the decoy selection code makes it possible to identify outputs that are spent in the first block in which they become spendable. The problem is worse when that block contains fewer than 100 outputs.

The issue arises when an output is spent as soon as it unlocks. Because the decoy selection algorithm practically never picks such young outputs as decoys, a ring member that young is, by elimination, the real spend, which nullifies the ring signature to which Monero owes its transaction-obfuscating properties. Such transactions can be picked out on the Monero blockchain today, effectively blowing the user's cover.

The GitHub write-up that highlighted the bug stated:

This means that the decoy selection algorithm will practically never select an exp(x) of 100 or lower. This means that unless an output_index that is 100 or more recent is included in a block that has MORE than 100 outputs, there is practically 0 chance the decoy selection algorithm will select it. The fact that there is still a chance to select a decoy with output index <100 is thanks to this part of the algorithm which takes the output_index determined by exp(x), finds the block it’s in, and then randomly selects an output from that block. So outputs from blocks that have >100 outputs have a chance at being selected as decoys. But a block that has 10 outputs in it for example has 0 chance to have any of its outputs selected as a decoy.

The Monero decoy selection algorithm is the part of the wallet software that hides which output a transaction actually spends. It does this by placing 10 decoy outputs in a ring alongside the real one, so that the ring signature proves one of the 11 members was spent without revealing which. The decoys are chosen so that the real output cannot be told apart from them.

Decoys are selected according to how old outputs typically are when they are spent, so that a ring member's age gives no hint of which one is real. This is meant to remove timing as a tracing signal. With the decoys hiding the real output, Monero transactions are meant to be untraceable, but the newly discovered decoy selection flaw shows that this holds only to a certain extent.

According to a paper by Miller and co-authors, decoys are selected so that their ages mirror the observed spending pattern of real outputs, which the paper modelled with a so-called gamma distribution.
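To make the mechanism in the quoted issue text and the gamma-distribution sampling concrete, here is a simplified model of the picker, added for this article and not taken from Monero's own wallet code. It draws x from the gamma distribution with the shape and rate Monero's wallet uses (19.28 and 1.61), treats exp(x) directly as a distance in outputs back from the newest spendable block (the real wallet first converts exp(x) from seconds to an output index using an average output rate; that step is skipped here, as it is in the issue text), finds the block holding that output, and picks uniformly inside that block. The chain layouts, block sizes and draw counts are constructed for the demonstration.

```python
import bisect
import math
import random

# Gamma parameters (shape, rate) of the spend-age fit that Monero's wallet uses for
# decoy selection (from the Miller et al. study). Everything else in this file is a
# simplified model written for this article, not wallet2's own gamma picker.
GAMMA_SHAPE = 19.28
GAMMA_RATE = 1.61


def build_offsets(outputs_per_block):
    """Cumulative output counts, oldest block first: offsets[i] = outputs in blocks 0..i.
    This mirrors the per-block output offsets a wallet uses to map indices to blocks."""
    offsets, total = [], 0
    for n in outputs_per_block:
        total += n
        offsets.append(total)
    return offsets


def block_of_output(offsets, output_index):
    """Block number holding global (0-based) output `output_index`."""
    return bisect.bisect_right(offsets, output_index)


def pick_decoy(offsets, rng):
    """One decoy pick as the issue describes it: draw x from the gamma distribution,
    treat exp(x) as how many outputs back from the chain tip to look, find the block
    holding that output, then choose uniformly among that block's outputs.
    Returns a global output index, or None if the draw fell before the chain start."""
    num_outputs = offsets[-1]
    distance = int(math.exp(rng.gammavariate(GAMMA_SHAPE, 1.0 / GAMMA_RATE)))
    if distance >= num_outputs:
        return None  # a wallet would simply draw again
    target = num_outputs - 1 - distance
    block = block_of_output(offsets, target)
    first = offsets[block - 1] if block > 0 else 0
    # The only way an output younger than exp(x) can be chosen is this uniform pick
    # inside the block that exp(x) landed in.
    return rng.randrange(first, offsets[block])


def count_tip_hits(outputs_per_block, draws, seed=1):
    """Run `draws` picks over the given chain layout and count how many land in the
    newest block, and how many land on that block's 10 youngest outputs."""
    offsets = build_offsets(outputs_per_block)
    rng = random.Random(seed)
    tip_first = offsets[-2]
    youngest_ten = offsets[-1] - 10
    in_tip = in_youngest_ten = 0
    for _ in range(draws):
        out = pick_decoy(offsets, rng)
        if out is None:
            continue
        if out >= tip_first:
            in_tip += 1
        if out >= youngest_ten:
            in_youngest_ten += 1
    return in_tip, in_youngest_ten


# Constructed chain layouts: 20,000 ordinary blocks of 20 outputs each, followed by a
# newest (already unlocked) block holding either 10 or 1,000 outputs.
OLDER_BLOCKS = [20] * 20000
SMALL_TIP = OLDER_BLOCKS + [10]
LARGE_TIP = OLDER_BLOCKS + [1000]

if __name__ == "__main__":
    for name, layout in (("10-output tip block", SMALL_TIP),
                         ("1000-output tip block", LARGE_TIP)):
        in_tip, in_young = count_tip_hits(layout, draws=100_000)
        print(f"{name}: {in_tip} picks in tip block, "
              f"{in_young} on its 10 youngest outputs")
```

Over 100,000 draws the 10-output tip block is never hit, while the 1,000-output tip block is hit regularly and, only because of the uniform pick inside the block, its 10 youngest outputs are chosen occasionally. That is the asymmetry the issue describes: an output young enough to be a just-unlocked spend appears as a decoy only when its block is large, so a young ring member in a small block is the real spend.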

Author: Jofor Humani

Jofor is a crypto journalist with passion for investigative reviews.