Developer’s of the privacy token Monero (XMR) have found a bug that breaks its transaction privacy, according to recent tweets on Monday.
The official Monero Twitter account warned users of a “rather significant bug” in the Decoy system. The bug was at first discovered by software developer Justin Berman when he found out that if a user spends their XMR tokens after 20 minutes of receiving them (two blocks time), it’s likely that their transaction will be identified as the true transaction, breaking users privacy.
A rather significant bug has been spotted in Monero’s decoy selection algorithm that may impact your transaction’s privacy. Please read this whole thread carefully. Thanks @justinberman95 for investigating this bug.
— Monero || #xmr (@monero) July 27, 2021
“Today, if a user spends an output right in the block that it unlocks, and the output was originally created in a block that has fewer than 100 outputs total in it, their real output would be clearly identifiable in the ring,” Said Berman.
XMR Community Concerned with Privacy Issues
Despite Monero trying to calm down its community, the announcement had quite an effect on them. Most users on the Twitter thread were worried about their privacy and being exposed to attackers.
However, developers said that users shouldn’t be worried as this bug doesn’t reveal the amount sent or the address and that funds are not at risk of being stolen. It only affects funds sent within 20 minutes of receiving them, which is two-blocks time.
Wait an Hour to Send your XMR
Monero developers said they’re working on fixing the bug in a future wallet software update, and that a hard fork won’t be required to do so. Users should wait at least an hour to send their coins.
Berman also said that Monero currently has a yearly average of around 63 outputs per block, meaning users have been exposed if they sent their coins immediately after receiving them, as transactions are “likely identifiable in rings today.”