How This Monero Bug Could Impact User Privacy

A “significant” decoy selection bug has been reported for Monero via the project’s official Twitter handle. According to the investigation, carried out by software developer Justin Berman, the bug “may impact your transaction’s privacy” during a brief window of time after funds have been received. If users spend funds immediately following the lock time in the first 2 blocks allowable by consensus rules (~20 minutes after receiving funds), then there is a good probability that the output can be identified as the true spend. Monero Research Lab clarified that the data at risk of exposure is related to addresses or transactions amounts, the funds themself are “Never at risk of being stolen”. Since the report was published around 10 hours ago, the bug has persisted in the “official wallet code”. In order to mitigate the bug, users can wait 1 hour before spending funds after receiving them. Developers are currently working on a wallet software update. This won’t need to be implemented via a Hard Fork. The Monero Research Lab and Monero developers take this matter very seriously. We will provide an update when wallet fixes are available. A Potential Fix For The Monero Decoy Selection Bug On the Monero Project GitHub repository, Berman made a detailed explanation of the bug. He revealed that his investigation was run by core developers before it was published. He clar...