An investigation by Justin Berman, a software developer interested in the “intersection of finance and cryptography,” has discovered a significant bug in Monero’s wallet code.
The Bug in Monero’s Wallet Code
In a Twitter thread on July 27, Monero developers said the bug affects the wallet's decoy selection algorithm. As a result, transactions are not as private as initially thought if the coin is spent within the first two blocks, or roughly 20 minutes.
A rather significant bug has been spotted in Monero's decoy selection algorithm that may impact your transaction's privacy. Please read this whole thread carefully. Thanks @justinberman95 for investigating this bug.
— Monero || #xmr (@monero) July 27, 2021
During this time, external third parties that constantly watch and try to decipher Monero transactions can identify which output among the dispersed decoys is the actual spend.
The good news is that such an observer still won't learn the transaction amount or anything about the addresses.
The Best Mitigation Strategy Is to Wait
The flaw is specific to the official wallet code.
To mitigate tracking by third parties trying to identify the people behind XMR transactions, the Monero development team is urging recipients to wait at least an hour before spending newly received coins, until the bug is fixed in the coming days.
The error isn't fundamental to the protocol; it specifically affects Monero wallets.
Accordingly, the fix is an update to the wallet's code, not a hard fork.
“Users can substantially mitigate the risk to their privacy by waiting 1 hour or longer before spending their newly-received Monero until a fix can be added in a future wallet software update. A full network upgrade (hard fork) is not required to address this bug.”
Monero Under Assault
Monero is under assault for offering a genuinely anonymous means of transferring value without third parties.
Several regulators, especially in the U.S. and Europe, have expressed frustration, saying privacy coins, including Monero, fuel illegal activity such as money laundering.
For this reason, several exchanges, including ShapeShift, which is decentralizing, were forced to delist XMR to “de-risk.”
At the same time, the IRS said in September 2020 that it would pay $625k to a team that successfully cracks Monero and other privacy coins.
The one-year contract was won by crypto intelligence firms Integra and Chainalysis.
They will provide tools to help the tax-collecting agency trace tax evaders. The IRS says privacy coins and non-custodial layer-2 solutions are conduits for criminal activity.
Earlier, BTCManager reported a Chainalysis employee's admission that Monero was smartly invented.