The developers of the privacy-centric cryptocurrency Monero have identified a “rather significant” bug in its decoy selection algorithm that could allow for transaction destinations to be identified.
“If users spend funds immediately following the lock time in the first 2 blocks allowable by consensus rules (~20 minutes after receiving funds), then there is a good probability that the output can be identified as the true spend.”
The developers also stated on Twitter:
“This does not reveal anything about addresses or transaction amounts. Funds are never at risk of being stolen. This bug persists in the official wallet code today.”
Developer Justin Berman initially investigated the bug, and the team reported that the flaw in the decoy selection algorithm led to “next to 0 chance of selecting extremely recent outputs as decoys.” In practice, if users spend their Monero [XMR] within roughly 20 minutes of receiving it, there is a high chance that their real output can be picked out from among the decoys in the transaction.
As per Berman’s overview of the decoy selection algorithm:
“Today, if a user spends an output right in the block that it unlocks, and the output was originally created in a block that has fewer than 100 outputs total in it, their real output would be clearly identifiable in the ring.”
Monero currently has a yearly average of 63 outputs per block and, according to Berman, “outputs that are spent immediately when they unlock are likely identifiable in rings today.”
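The effect described above can be measured with a small simulation. This is an added example, not Monero's wallet code or its real decoy distribution. The 10-block lock time, ring size of 11, age horizon and `p_recent` parameter are assumptions made for illustration, and the toy model ignores the per-block output counts Berman mentions.

```python
import random

# Assumptions (not stated on the page): 10-block lock time (~20 min at
# 2-minute blocks), ring size 11, and a toy decoy age model. This is not
# Monero's wallet code or its real decoy distribution.
LOCK_BLOCKS = 10
RING_SIZE = 11
RISKY_WINDOW = range(LOCK_BLOCKS, LOCK_BLOCKS + 2)  # first 2 spendable blocks
MAX_AGE = 5000  # constructed horizon for older decoys


def pick_decoy_age(rng, p_recent):
    """Toy selector: with probability p_recent pick a just-unlocked output,
    otherwise an older one. p_recent=0 models the bug described above."""
    if rng.random() < p_recent:
        return rng.choice(RISKY_WINDOW)
    return rng.randint(RISKY_WINDOW.stop, MAX_AGE)


def build_ring(rng, real_age, p_recent):
    """Return ring member ages in blocks, shuffled so position leaks nothing."""
    ages = [real_age] + [pick_decoy_age(rng, p_recent) for _ in range(RING_SIZE - 1)]
    rng.shuffle(ages)
    return ages


def real_spend_exposed(ring_ages, real_age):
    """Wallet-side check before broadcast: True when the real output is the
    only ring member inside the just-unlocked window."""
    recent = [a for a in ring_ages if a in RISKY_WINDOW]
    return real_age in RISKY_WINDOW and len(recent) == 1


def exposure_rate(p_recent, real_age=LOCK_BLOCKS, trials=2000, seed=1):
    """Fraction of simulated rings in which the real spend stands alone."""
    rng = random.Random(seed)
    exposed = sum(
        real_spend_exposed(build_ring(rng, real_age, p_recent), real_age)
        for _ in range(trials)
    )
    return exposed / trials


if __name__ == "__main__":
    print("buggy selector  :", exposure_rate(p_recent=0.0))
    print("recent-aware    :", exposure_rate(p_recent=0.2))
    print("older real spend:", exposure_rate(p_recent=0.0, real_age=500))
```

In this model, waiting past the first two spendable blocks before spending removes the exposure even when the selector never picks recent decoys.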
Monero developers noted that they were working on a fix. Berman said that the fix will certainly require a change in decoy selection, which would have some impact on transaction uniformity. The funds are safe, but the bug persists in the official wallet code today.
Meanwhile, XMR has seen a straight week of growth. The digital asset rose 27.61% over the past six days and was trading at $221.94 at the time of writing.