Researchers from a large number of well-known institutions revealed that there are serious flaws in Monero’s privacy protections. Even though it’s still better than Bitcoin, the privacy features of Monero do not provide the anonymity most thought they did.
Privacy at Risk
Monero’s main trait is that it mixes each Monero token with the funds of multiple random users. Because of this, anyone searching its blockchain shouldn’t be able to trace the identity or any preceding transaction that originated from the same source.
But researchers from MIT, Boston University, Carnegie Mellon, Princeton, and the University of Illinois at Urbana-Champaign just put out a paper pointing out at least two reasons why Monero’s hyped feature might not make it as untraceable as it appeared.
“Mixins are sampled from a distribution that does not resemble real spending behavior, and thus the real inputs can usually be identified,” read the paper. “In any mix of one real coin and a set of fake coins bundled up in a transaction, the real one is very likely to have been the most recent coin to have moved prior to that transaction.”
A ‘mixin’ is the number of other signatures (except that of the sender) which are distributed in Monero’s ring signatures.
Also, timing analysis has succeeded in identifying the “real coin more than 90 percent of the time,” basically nullifying the privacy defences of the blockchain.
It should be noted that Monero has since undergone some updates, and the chances of the correct identification of the real coin have been halved, should the same timing analysis method be used.
Problems from The Past
The second flaw might be even more of a threat.
“Most Monero transaction inputs prior to February 2017 contain deducible mixins, and can be traced to prior transactions via analysis,” details the paper.
If the user did not use privacy protection, the coins that he transacted with can be identified if they were later used as a mixin, which could then be used to trace other coins. The researchers also estimate that around 25% of overall Monero transactions are for “illicit use.” And while the flaws don’t automatically imply that all of these transactions can be tracked, they seriously weaken the security measures of the network.
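The two weaknesses above can be measured on a toy ledger. This is an added example, not code from the paper or the Monero project: the ring contents, the names, and the assumption that a higher output id means a newer coin are all constructed for illustration.

```python
# Constructed sample: ring name -> output ids referenced by that input.
# Assumption: a higher id means a newer output.
RINGS = {
    "tx_a": [1],          # zero-mixin spend: the real input is public
    "tx_b": [2],
    "tx_c": [1, 3],
    "tx_d": [2, 3, 5],
    "tx_e": [6, 7, 8],
    "tx_f": [1, 4, 5],
}

def deduce_real_inputs(rings):
    """Return {ring: real output} for every ring that elimination resolves."""
    candidates = {name: set(members) for name, members in rings.items()}
    resolved = {}
    changed = True
    while changed:
        changed = False
        # A ring with one candidate left has revealed its real spend.
        for name, cands in candidates.items():
            if name not in resolved and len(cands) == 1:
                resolved[name] = next(iter(cands))
                changed = True
        # An output is spent once, so known-spent outputs are decoys elsewhere.
        spent = set(resolved.values())
        for name, cands in candidates.items():
            if name not in resolved and cands & spent:
                cands -= spent
                changed = True
    return resolved

def newest_guess_accuracy(rings, resolved):
    """Fraction of resolved rings where the newest member is the real spend."""
    hits = sum(1 for name, real in resolved.items() if max(rings[name]) == real)
    return hits / len(resolved) if resolved else 0.0

if __name__ == "__main__":
    real = deduce_real_inputs(RINGS)
    print("deduced:", real)
    print("still ambiguous:", sorted(set(RINGS) - set(real)))
    print("newest-coin guess accuracy:", newest_guess_accuracy(RINGS, real))
```

Only `tx_e`, whose ring shares no output with an unprotected spend, keeps its full set of candidates; every other ring collapses to a single input through the chain of eliminations.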
“Privacy isn’t a thing you achieve, it’s a constant cat-and-mouse battle. There are steps we can take to continue to improve the sampling, but the reality is that this isn’t a solvable problem by just pecking away at it,” said Monero’s lead developer, Riccardo Spagni, regarding the flaws.