(Thanks to spackle for this writeup!)
The first week has been a wild ride, and there is a lot to share. Presented roughly by order of importance:
PR Improving Node Startup
Restarting a node while there is a large mempool can take over an hour in extreme conditions, since the node must process all the mempool transactions before resuming regular operation. 0xFFFC has addressed this with a massive speed up in PR 9376. These changes are now in use on the stressnet, to great effect.
Block Sync Size
Block propagation and network synchronization suffer at larger block sizes, which encourages the creation of alternative chains. Setting '--block-sync-size 1' allows nodes to handle larger blocks more easily, and this is now standard practice on the stressnet. Further updates are expected on this soon.
Ongoing Investigations
- Block sync size
- Wallet-to-daemon connectivity and performance enhancements
- Tx pool management (including flush_txpool processing time)
General Announcements
- Go to monitor.stressnet.net to see network stats
- explorer.stressnet.net is offline for now
- Node operators should upgrade to latest release for a smooth(er) stressnet experience. Older releases struggle with larger blocks, and ban too many nodes.
- Congratulations to strawberry, winner of the wallet draining competition
- Ongoing discussion is being held on Matrix at #monero-stressnet:monero.social and Libera Chat IRC on ##monero-stressnet.
Stressnet Stats
- This plot shows the block sizes on stressnet over the past week
- Largest Block: 2.49 MB at height 2521514
- Most transactions processed in an hour: 33074 (equivalent of 794000 tx per day)
Do you know about Primo? I think it was only a proof-of-concept, never used widely: https://monero.stackexchange.com/questions/11752/what-is-primo-private-monero-payments
Primo is a protocol and associated suite of software allowing a website to request payment for service by mining Monero to an address owned by the website owner.
At least 3 new nodes joined the network in the last hour. Thank you! Keep them coming.
Monero has a problem. The suspected spam transactions from earlier this year showed that Monero nodes do not cope with high transaction volume as well as expected. Monero protocol developers have been trying to get to the root of the issue, but the problem only appears when nodes are handling high transaction volumes.
Since the spam is over (for now), the only way to help developers find and fix the bottlenecks is to run a separate test network that will be spammed with transactions. We call it "stressnet". The performance bottlenecks are potential blockers for privacy improvements like larger rings sizes and/or Full Chain Membership Proofs (FCMPs). To quote developer selsta: "a large increase to the ring size is going to risk the stability of the network if we don't fix the known daemon [node] inefficiency bugs first."
A testnet fork (the stressnet) has been created to stress test the node and diagnose performance bottlenecks. To participate, you can simply run a node using this slightly modified open source release of monerod
(launch monerod
with --testnet
): https://github.com/spackle-xmr/monero/releases/latest
Testing begins on June 19th at 15:00 UTC. Current bugs require a significant number of connections to observe, so we need as many nodes on the stressnet as possible.
Ongoing discussion is being held on Matrix at #monero-stressnet:monero.social and Libera Chat IRC on ##monero-stressnet.
FAQs
- What are the risks to running a stressnet node?
The anonymity set of running a node on the mainnet Monero network is in the thousands. The anonymity set of running a node on this stressnet will be in the dozens at best. If you run a stressnet node on your machine, the IP address of your machine (or the proxy's IP address if your machine uses a proxy) will be visible to other nodes on the network. If you have an extreme threat model, this may be an unacceptable risk for you.
The Monero node process may consume a lot of your computer's resources like CPU and especially RAM. You can set the priority of the node lower using nice
or just quit the process if it is taking up too much of your resources.
- How can I see what's happening on the stressnet?
We have set up a stressnet blockchain explorer at https://explorer.stressnet.net/ . We are working on more ways to visualize the stressnet activity.
- When should I sync up my node?
As soon as possible. The initial sync may take over 24 hours to complete. Once spamming starts on June 19th, it may be difficult to sync from scratch.
- How much storage space do I need?
The stressnet blockchain is about 10GB now. The stressnet could use up to 50GB of storage by the time testing completes. Pruning your node is fine.
- How long will the stressnet run?
We hope that it will run for two months. If it takes more time than expected to track down the bottlenecks and test patches, the stressnet could go on for longer.
- Would it be possible/advisable to run it alongside a mainnet node?
Yes, this is fine. If you also run a testnet node (this would be rare), then you have to change the stressnet node's default ports and the blockchain storage location. Instructions are in the README of spackle-xmr's monero GitHub repo.
AFAIK Trocador was getting DDoSed. They said they set up Cloudflare temporarily. They are looking for a better solution.
Some messages from https://matrix.to/#/#Trocador.app:matrix.org
Hey there! We were under a heavy ddos attack, so we moved to CF temporarily to help our defenses. As soon as it's over we'll get out of cloudflare. We apologize for the inconvenience, we are looking into alternatives for the next time we suffer a bigger attack like this
[From Tuesday]: We literally moved there 16:00 UTC as a contingency, so it's not even 24 hours yet. We are looking into alternatives for next time a massive DDoS happens
An economist, a chemist, and an engineer were stranded on a desert island. And between them they had only a single can of beans, but no can opener.
The engineer suggested that he climb a palm tree to a precise height, then throw the beans a precise distance at a precise angle. 'And when the can hits,' he said, 'it will split open.'
'No,' said the chemist. 'We'll leave the can in the sun until the heat causes the beans to expand so much the can will explode.'
'Nonsense,' said the economist. 'Using either method we'd lose too many beans. According to my plan, there will be no mess or fuss and not a single bean will be lost.' Well, the engineer and the chemist said, 'We're certainly willing to consider it. What's your plan?' And the economist answered, 'Well, first assume we have a can opener.'"
In economics, the devil is in the assumptions. It is the responsibility of the reader of an economic model to understand what the assumptions are and their implications, and decide for him/herself if the assumptions are reasonable and useful, "All models are wrong, but some are useful", after all.
I agree with you that the assumption of coin loss being a function of total coins in the supply is...doing a lot of work in this model. IMHO, this is an interesting intellectual exercise, but its connection to reality or anything that people really care about in their daily lives is not very strong.
Right. As far as I know, a LLM will not give you a proper source if you ask it how it knows some information. A website found through a search engine will have a source for its info (or it's probably unreliable if it has no sources).
You as a human being have a right and responsibility to know the source of information and use your reasoning abilities to decide if the source is reliable. An LLM interrupts this process. I don't understand how people are absorbing information without sources or a way to critically think about if the information may be accurate.
The news that you missed is that Large Language Models (LLMs) like ChatGPT are unreliable sources of information. Look for another source if you need reliable information about anything.
The first one isn't text to speech and the second is not FOSS. If you have a good FOSS TTS that has examples of what the voices sound like, I would like to be linked to it :)
Yes it will be text-to-speech again. I will try another voice. Thanks for the feedback.
Where are all the WOMEN standing up for private digital cash?
In my MoneroKon talk this weekend I will be analyzing data on cryptocurrency investment and use as payment: https://cfp.monerokon.org/2024/talk/NVF8ZN/ According to EU and US data, men definitely get more involved in cryptocurrency, but the gender divide is more lopsided in investment activities than payment activities. In other words, women are less likely to use cryptocurrency as a means of payment than men, but they are much less like to buy cryptocurrency as an investment than men.
You could interpret that as "the way to get women interested in peer-to-peer electronic cash is to focus on it as a means of payment instead of as an investment." Or the opposite: "Women investing in cryptocurrency is a relatively unexplored market segment!" Anything else you want analyzed, you have about 12 hours to ask before I finalize the analysis.
I know Ruckinum ran an analysis and thinks this is not a black marble flood, but I can’t help but think it’s a way go somehow break the anonymity of monero, whether just sent amounts, or received amounts, which would still give a wealth of information.
I didn't run a quantitative analysis of the large number of 150-input transactions on May 2. I just guessed that it's not an actual black marble flood since it doesn't fit the definition or attack model of Noether, Noether, & Mackenzie (2014) and Chervinski, Kreutz, & Yu (2021).
Are the transactions reused?
Yes, each output can be re-used an unlimited number of times as a decoy in other transactions.
If they are reused, then they can tell the real spend by discarding any spend that’s been used more than once. Is that correct?
No. If every output that is created is spent, then on average each output will appear in 16 rings of other transactions. A Monero wallet do not check how many times an output has been used by other transactions when it is deciding which outputs to select as decoys.
They run or have compromised a lot of ‘activist’ nodes and xpubs are sent to the nodes in light wallets, unsure if this is how it works, or if that was unique to Samourai’s whirlpool design. If this was the case, light wallets use currently online available servers, so chances are a user connects their wallet to tens of servers. Users who run their own nodes would be unaffected but I think the majority of monero users use light nodes.
In normal operation, most Monero wallets do not send an "xpub" (in Monero this would be the Private View Key). The terminology can be confusing. In Monero, a "light wallet" is a wallet where the user gives a view key to a server to perform the blockchain scan on behalf of the user. The person or company running the server can see which transactions belong to the user and how much XMR is being sent to them. The MyMonero wallet works like this. Feather is not a light wallet with this definition, despite its name. Feather wallet and most wallets like Cake, Stack, the GUI/CLI wallets, etc., ask a local node (on the user's own machine) or remote node (on someone else's machine) for the entire blockchain data during a period of time and do the decryption of the wallets' transactions on the user's own device. That's why wallet sync takes a long time for those wallets when they are opened after being closed for a long time.
The remote nodes can collect some limited data like the user's IP address (if the user is not using Tor) and the last time the user synced the wallet. A malicious remote node can attempt to give the user a false decoy/output distribution (this is what Feather was trying to prevent with the initial, but flawed, code) and it can give the user's wallet an incorrect fee to pay (but the user can notice that the fee is too high and disconnect from the remote node. More information about remote node privacy is in Breaking Monero Episode 07: Remote Nodes (sorry for YouTube link. Use your favorite private YouTube front-end to view it): https://www.youtube.com/watch?v=n6Bxp0k7Uqg
Thank you!
Location: Libera.chat, #monero-research-lab | Matrix Join the Monero Matrix server if you don't already have a Matrix account. Time: 17:00 UTC Check in your timezone Main discussion topics: Greetin...
Context in the MRL logs: https://libera.monerologs.net/monero-research-lab/20240401
Small research projects. Contribute to Rucknium/misc-research development by creating an account on GitHub.
I have some preliminary research for you:
https://github.com/Rucknium/misc-research/blob/main/Monero-Black-Marble-Flood/pdf/monero-black-marble-flood.pdf
March 2024 Suspected Black Marble Flooding Against Monero: Privacy, User Experience, and Countermeasures
On March 4, 2024, aggregate Monero transaction volume suddenly almost tripled. This note analyzes the effect of the large number of transactions, assuming that the transaction volume is an attempted black marble flooding attack by an adversary. According to my estimates, mean effective ring size has decreased from 16 to 5.5 if the black marble flooding hypothesis is correct. At current transaction volumes, the suspected spam transactions probably cannot be used for large-scale “chain reaction” analysis to eliminate all ring members except for the real spend. Effects of increasing Monero's ring size above 16 are analyzed.
Support the MAGIC Monero Fund and open source software and research for the Monero Project.
Thank you to all donors!
The MAGIC Monero Fund's campaign to raise 226 XMR (28,800 USD) for three months of vtnerd (Lee Clagett) development work has succeeded.
vtnerd will work on Monero and Monero Light Wallet Server (LWS). The LWS increases Monero's capacity for more users and transactions. LWS will be even more important when Seraphis (next generation Monero transactions) is implemented because Seraphis will improve the user privacy and speed of light wallet servers.
Here are the full details of vtnerd's proposed work:
---
vtnerd is the author of Monero-LWS, and has been a contributor to the Monero codebase since 2016. He is a veteran of four CCS proposals; [1], [2], [3], [4]
This proposal funds 480 hours of work, ~3 months. The milestones will be hour based; 160 (1 month), 320 (2 months), 480 (3 months). At the completion of hours, he will provide the Monero Fund committee references to the work that was completed during that timeframe.
Some features that are being targeted in monero-project/monero
:
- Get new serialization routine merged (work on piecemeal PRs for reviewers sake) (already in-progress)
- Complete work necessary to merge DANE/TLSA in wallet2/epee.
- Adding trust-on-first-use support to wallet2
Work targeted towards vtnerd/monero-lws
:
- Optional full chain verification for malicious daemon attack (already-in progress)
- Webhooks/ZMQ-PUB support for tx sending (watch for unexpected sends)
- ZMQ-pub support for incoming transactions and blocks (notifies of any new transaction or block)
- Implement "horizontal" scaling of account scanning (transfer account info via zmq to another process for scanning)
- Make account creation more "enterprise grade" (currently scanning engine re-starts on every new account creation, and uses non-cacheable memory) * Unit tests for REST-API
- Create frontend LWS C/C++ library
- Provide official LWS docker-image
- Provide official snap/flatpak/appimge (tbd one or all of those)
- Provide pre-built binaries
- (Unlikely) - reproducible builds so community members can verify+sign the binary hashes
- It is unlikely that all features will be implemented, at which point the unfinished features will roll into the next quarter.
Location: Libera.chat, #monero-research-lab | Matrix Join the Monero Matrix server if you don't already have a Matrix account. Time: 17:00 UTC Check in your timezone Main discussion topics: Greetin...
Last week rbrunner7 argued that future Monero transactions should not be able to set custom timelocks. This proposal was discussed in this week's Monero Research Lab meeting.
Monero's timelocks have been a "solution in search of a problem" for a long time. However, Alex from Local Monero said he had a special use for them:
> Sometimes, we ban a certain user permanently from our platform. Sometimes, that user tries to return to the platform. We catch them and warn them not to return again or there will be consequences. They ignore us and return to our platform. In these cases, we take the XMR that they placed in the arbitration bond and send it to them in a timelocked transaction to disincentivize them from trying to return again.
The rough result of the meeting was to evaluate time lock puzzles as an off-chain replacement for custom unlock times. xFFFC0000, a new Monero dev, said that he would investigate time lock puzzles soon.
Good question. You didn't get hacked. You approved the payment to Mullvad.
When you send XMR to an "integrated address", Ledger does not display the integrated address on the device. It displays the raw Monero address. Mullvad probably uses integrated addresses.
SethForPrivacy said:
At present, the UX around integrated addresses can be confusing and even outright dangerous, like how the Ledger always displays the underlying address instead of the integrated address, making address verification difficult or impossible depending on the application.
I don't know if there are plans to fix this or if it can be fixed at all.
Support the MAGIC Monero Fund and open source research for the Monero Project.
Supporting Monero since 2021, the MAGIC Monero Fund (MMF) continues to accept applications for research and development grants focused on improving the Monero protocol and ecosystem.
The fund can issue grants and host fundraisers for Monero research, development, security audits, and more. This allows for the Monero community to build a sustainable, alternative pool of funds to provide for significantly more consistent and less stressful research and development.
The application process is described here: https://monerofund.org/apply. Applications are accepted on a rolling basis. Contractors or recipients of MMF funding are required to undergo a basic KYC process that is similar to an employment on-boarding.
The fund has an advisory committee entirely elected by the Monero community and this committee selects which grants to fund. The current Magic Monero Fund Committee Members are kayabaNerve (Luke Parker), Rucknium (me), monerobull, kowalabearhugs, and artlimber. You can view current voters on the MAGIC website.
The MAGIC Monero Fund supplements but does not replace the Monero Community Crowdfunding System (CCS). By working in complement with other funding structures the fund aims to recruit and retain talent within the Monero ecosystem. You can view a list of previously funded proposals on the MoneroFund.org website.
MAGIC Grants’ Advantages
The 501( c )(3) public foundation status ensures donations to support our funding are fully tax deductible as allowable by US law, regardless of asset (eg: USD, BTC, XMR, NFTs, stock). An established non-profit since 2018, MAGIC utilizes US bank and exchange relationships while also maintaining the ability to work internationally.
While the Monero community appreciates XMR, as do we, it remains a volatile asset. This can be a barrier for people who want to contribute, one which has caused multiple proposals funded through the CCS to unfortunately fall through. The fund has the ability to convert donations to a less-volatile asset, such as fiat currency, for making payments in whichever means is preferred by the contractor. By handling all the boring legal stuff and tax documents, we can allow the community to focus on growing Monero.
If you are interested in helping support our cause, please review our active fundraisers as they appear, or consider donating to our general fund at https://monerofund.org/. Donors to the fund have the option of contributing anonymously.
At the meeting, kayabaNerve (Luke Parker) suggested:
What'd likely be easiest, in a pure-C++ way, is to explicitly intended Monero's DKG to match MRL-0009 (if not already) and have it audited to line up. Then, a Musig2-esque CLSAG should be formalized (likely a modification of MRL-0009's Musig-DN-esque CLSAG?) and Monero should explicitly intended to match it. The fact it lines up should be audited.
My conclusion:
If anyone really wants to work on multisig, especially in the direction of kayabanerve's proposal, please speak up. IMHO, this was a productive conversation, but I don't expect any action to be taken unless more labor [is] put toward the problem.
Location: Libera.chat, #monero-research-lab | Matrix Join the Monero Matrix server if you don't already have a Matrix account. Time: 17:00 UTC Check in your timezone Main discussion topics: Greetin...
It is interesting that it took nine transactions to empty the CCS wallet. Is that indicative of somebody new to monero?
No.
A donation wallet has lots of individual transaction outputs that need to be consolidated if you move the entire balance. A transaction that has a lot of inputs that consolidates these transactions will be large in kilobytes. Unless network transaction volume is high enough to push up the dynamic block size rules, the maximum block size is about 300 kilobytes. Transactions must fit inside a single block, so there is a limit to the number of inputs in a single transaction. Plus, you don't want to create a transaction the full 300 kilobytes in size since miners' block creation rules might not mine a transaction that large. The first theft transaction in the list was about 22 kilobytes with 33 inputs:
https://xmrchain.net/search?value=ffc82e64dde43d3939354ca1445d41278aef0b80a7d16d7ca12ab9a88f5bc56a
The next was 99 kilobytes with 146 inputs:
https://xmrchain.net/search?value=08487d5dbf53dfb60008f6783d2784bc4c3b33e1a7db43356a0f61fb27ab90cc
Etc.
The full list: ffc82e64dde43d3939354ca1445d41278aef0b80a7d16d7ca12ab9a88f5bc56a 08487d5dbf53dfb60008f6783d2784bc4c3b33e1a7db43356a0f61fb27ab90cc 4b73bd9731f6e188c6fcebed91cc1eb25d2a96d183037c3e4b46e83dbf1868a9 8a5ed5483b5746bd0fa0bc4b7c4605dda1a3643e8bb9144c3f37eb13d46c1441 56dd063f42775600adf03ae1e7d7376813d9640c65f08916e3802dbfee489e2c e2ab762927637fe0255246f8795a02bd7bb99f905ae7afc21284e6ff9e7f73db 9bf312ed09da1e7dfce281a76ae2fc5b7b9edc35d31c9eb46b21d38500716b6b 837de977651136c18b0018269626be7155d477cc731c5ca907608a2db57ff6a8 9c278d1496788aee6c7f26556a3f6f2cbb7e109cd20400e0b2381f6c2d4e29f4
The CCS Wallet was drained of 2,675.73 XMR (the entire balance) on September 1, 2023, just before midnight. The hot wallet, used for payments to contributors, is untouched; its balance is ~244 XMR....
In the last Monero General Fund transparency report in March 2023, the General Fund held 8452 XMR. As far as we know, this separate wallet is safe and unaffected. It would be possible to pay people with active CCS proposal from the General Fund, but nothing has been decided.
If you have a Matrix account you should go to https://matrix.to/#/#monero-community-dev:monero.social to get help there and describe your app design. If you are just accepting payments to a website, then you can use BTCPay Server or BitCart.
The Monero blockchain does not hold data in plaintext like other blockchains. You cannot just query the blockchain data through an API. You have to decrypt transactions with private view keys.
Last week Exodus released a fix for their Desktop wallet creating Monero transactions with nonstandard fees, based on my discovery of the issue. Original announcement. Many users must have already updated their software because the number of these identifiable transactions on the blockchain have decreased from about 600 per day to 300 per day.
Yes, Exodus is a closed source wallet. I would not recommend people to use a closed source wallet. If people do choose to use Exodus despite it being closed source, then they should update to the latest version for better privacy. Monero users should have excellent privacy by default regardless of which wallet implementation they are using.
``` -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
[Privacy Advisory] Exodus Desktop Monero users, update to latest version for privacy fix
Prior to version 23.10.10, which was released on October 10, 2023, Exodus Desktop wallets produced unusual fees when creating Monero transactions. I suggest all Exodus Desktop users to update their software to version 23.10.10 or later before making their next Monero transaction to avoid the privacy impact of these unusual fees. The Exodus Mobile wallet also produces unusual fees, but a fix has not yet been developed and deployed to a new release version of Exodus Mobile. The fee of all Monero transactions can be viewed in plaintext by any observer of the blockchain, including privacy adversaries. Transactions that use unusual fees distinguish themselves from the rest of transactions on the blockchain.
Two transactions that have the same unusual fee are statistically more likely to be made by the same user. Unusual fees can increase the probability of correctly guessing that two transactions are actually linked to a probability far above random guessing, which is one divided by Monero's ring size (1/16 = 6.25% correct guessing when guessing completely randomly). According to my new theoretical and empirical research that has not been peer reviewed, a privacy adversary can use a simple statistical classification rule to achieve a 37% probability of correctly guessing the "real spend" in a ring signature of a transaction created with pre-23.10.10 versions of the Exodus Desktop wallet.[1,2]
Unusual fees affect the privacy provided by Monero's ring signature feature, which obscures the senders of transactions. It does not affect stealth addresses, which provide privacy for the transaction recipients, nor does it affect confidential transactions, which hide the amount of XMR that is being sent.
[1] Rucknium (2023) "Discussion Note: Formula for Accuracy of Guessing Monero Real Spends Using Fungibility Defects." https://github.com/Rucknium/misc-research/tree/main/Monero-Fungibility-Defect-Classifier/pdf
[2] Rucknium (2023) "Monero Nonstandard Fees." https://github.com/Rucknium/misc-research/tree/main/Monero-Nonstandard-Fees -----BEGIN PGP SIGNATURE-----
iQJMBAEBCgA2FiEEXV4Iojid8iWr0HgbKR4MIp1jFpcFAmUn38AYHHJ1Y2tuaXVt QHByb3Rvbm1haWwuY29tAAoJECkeDCKdYxaXSaYP/0AKcROZbWqvPCFro3Z2CZTp 0IwmadtgY3OcLhlC8Bno05Rz9P8t6msF0rG51SapK2xtDq+uyM6PFJTqyly9IAVy TncM79OlbBGFrC8U7HRGfElQbIxzE42ejrRbyTDxwh//dqUfX/3M56O1YOuto+HZ eLwj3MfQO1sgsIMG5g3/vzp73Vet9+LXf1U3AJVIWlY1Vb7W6r8qvW/LGojT4CCw /X1f3mkfnlr6CerT8evVlr9A2NYkDnl11pU2JJI2e3ZOgqPhvdJg6/7vFAhxp03d XvItDpHTssKNagfFc3TScJAYj8S7kkaJsqcQ1Y7vlbGjyqIcg7HuArHMLmDuD84j egtdFW3I+TD0ZPOeFFbo/mJEgogD+tZoe8ICGZzSLAAj5w8d9XlIfoDEionRas6j MuGPizBhmwRLBNYvhciqjs1zQSAhQyj+wcx7hOLHpXX6JP5fFT1AH8InRJP9IKiT UTC4KfofMTSCBZWgFdFTemo5soL+4O6kh2nY8v1QMbXWYXJPqs4WES4yuG+2P5io xFLExzCZbRq6TeoQGw+iC+GTq2y0yDaLQzp34dIdL/YdIoRRLOBe7m1rLalm+wrL Ys9ztAOKNFtg8vIY9Qe5VIwniW7WM2aQ0HXM/OyYg6/7EJ2MqvJt+edkDrQMAd9o bf+PgNKASOmjuFkbMAPm =cFy3 -----END PGP SIGNATURE----- ```
Q&A
Q: Does the unusual fee issue affect the Exodus Mobile wallet?
A: Yes. The Exodus Mobile wallet currently uses nonstandard Monero fees that are actually different from the fees used by old versions of the Exodus Desktop wallet. The latest version of the Exodus Mobile wallet does not have a fix for its unusual fees. Users of the Exodus Mobile wallet should be aware that their Monero transactions have lower privacy.
Q: I have sent Monero transactions with the Exodus Desktop wallet prior to the fix. Can those past transactions affect my privacy now?
A: Potentially yes. The fee data is part of every transaction permanently included in the Monero blockchain and cannot be removed. The unusual fee data can be accessed by anyone running a Monero node. If you used Exodus Desktop wallet to send Monero transactions in the past, you may consider if a higher average probability (37%) of your potential adversaries guessing the real spend in your transactions is a problem in your threat model.
Q: What makes the fees unusual?
A: Except when Monero's dynamic block/fee algorithm is raising block size and fees, a Monero node will suggest these four values for fees in units of nanoneros per byte: 20, 80, 320, 4000. A nanonero is 0.000000001 XMR. These four fee levels are "standard" fees. The Exodus Desktop wallet created Monero transactions with 240600, 342450, and 444300 nanoneros fee total (about 160 nanoneros per byte for transactions with 1, 2, and 3 inputs). The new 23.10.10 version of the Exodus Desktop wallet creates transactions with 20 nanonero per byte fees.
Q: How many Monero transactions were sent by an Exodus Desktop wallet?
A: I estimate about 3% of recent transactions had the Exodus Desktop nonstandard fees. That's about 4,000 Monero transactions per week. https://github.com/Rucknium/misc-research/tree/main/Monero-Nonstandard-Fees
Q: Does the Exodus Desktop wallet fix have anything to do with the version 0.18.3.1 of the Monero GUI/CLI wallet that was just released?
A: No. The timing was a coincidence.
Q: How was the issue discovered and patched?
A: I discovered the issue when I analyzed the fee data on Monero's blockchain. A set of nonstandard fees of 160 nanoneros per byte started to appear on the blockchain over a year ago on August 25, 2022, the same date that Exodus released a new version that restored the ability to send Monero transactions. With that clue, I used the Exodus Desktop wallet to create Monero transactions and concluded that it was responsible. I reported the issue to Exodus on September 4, 2023 through HackerOne. Exodus developers wrote a patch that was included in the periodic new version release on October 10, 2023.
Q: Is there any way to reduce the nonstandard fee issue in the Monero protocol instead of hoping that individual wallet developers do not use nonstandard fees?
A: Maybe. The next proposed major upgrade to the Monero protocol, Seraphis, requires that transactions choose from a limited set of possible fees. This is called "fee discretization". https://gist.github.com/UkoeHB/f508a6ad973fbf85195403057e87449e#transaction-uniformity
Q: If I am a Monero user, but I never used the Exodus Desktop wallet, does the issue affect me?
A: The old version of the Exodus Desktop wallet may have created "black marble" effects for other users, but the impact would be very minor because only about 3 percent of all Monero transactions were created by the Exodus Desktop wallet. I have not tried to calculate what the exact effect could be. More info on "black marble" effects: https://reddit.com/r/Monero/comments/12kv5m0/empirical_privacy_impact_of_mordinals_monero_nfts/ . Wallet implementations that use the "wallet2" code to create Monero transactions will use standard fees. As far as I know, some of the wallets that use wallet2 are the GUI, CLI, Feather, Cake, Monerujo, and Stack wallets.
Q: Are there other wallet implementations that produce nonstandard fees?
A: According to the data on the Monero blockchain, yes. There are at least 4 other clusters of nonstandard fees that make up about 7 percent of recent transactions. Figuring out which wallets are creating the transactions requires testing wallets and services like centralized exchanges. You can help! Test wallets and services you use to see if they are producing nonstandard fees: https://github.com/Rucknium/misc-research/tree/main/Monero-Nonstandard-Fees
Thanks. AGPL vs. MIT, if you mean the cuprate Rust implementation of a Monero node, I was just the messenger for that CCS fundraiser. I am not involved in the project. But there is a little intersection with the fungibility defects issue. If Monero's main wallet code wallet2 would be AGPL (which it isn't. It is BSD, which is similar to MIT) then the closed source multi-coin wallets that implement Monero wouldn't be able to use it. That would increase the number of wallets producing fungibility defects because they wouldn't use the wallet2 procedure.
Thank you! I tried to be clear. Looks like I succeeded :) Let me know if you have any questions or comments.
A research note I wrote recently. For years there has been a worry about how much transaction fungibility defects are affecting user privacy. Now we can put specific numbers on it. If there is some tradeoff between requiring more transaction format strictness and some other goal, we can weigh the options with the estimated privacy benefits.
If your wallet uses the "standard" wallet2
method to create Monero transactions, this issue mostly doesn't affect you. As far as I know, some of the wallets that use wallet2
are the GUI, CLI, Feather, Cake, Monerujo, and Stack Wallet.
Direct link to the PDF: https://github.com/Rucknium/misc-research/blob/main/Monero-Fungibility-Defect-Classifier/pdf/classify-real-spend-with-fungibility-defects.pdf
Abstract
Many parts of Monero's transaction format such as tx_extra contents, the fee paid to miners, and the decoy selection algorithm are not standardized by rules set by nodes nor blockchain consensus. Instead, alternative Monero wallet implementations are free to set these transaction characteristics in ways that are unique to the wallet implementation. Therefore, observers of the blockchain data can determine that a transaction was likely created by a nonstandard implementation. The distinguishing characteristics of transactions create many “anonymity puddles” instead of one “anonymity pool”. An adversary that aims to guess the real spend of a ring signature can exploit the information contained in these characteristics, referred to as “fungibility defects”.
This note defines a simple classification rule that leverages information about the fungibility defects of each ring signature's 16 members. The classification rule is applied to the rings in all transactions that have the defect. A ring member having the defect increases the probability that it is the real spend because a user will often spend “change” outputs from transactions that were created by their own nonstandard wallet. Using basic probability concepts I develop a closed-form expression for the probability that the classifier correctly classifies a ring member as the real spend. This probability, the Positive Predictive Value (PPV) is a function of ring size, the probability that a user spends change in a ring, and the proportion of transaction outputs on the blockchain that have the defect. These three values are either defined by Monero's protocol rules or can be accurately estimated directly from the blockchain data. For example, when these values are 16, 40%, and 5%, respectively, the probability that the classifier correctly classifies a ring member as the real spend is 31.7%, much higher than the 1/16=6.25% probability of randomly guessing between the 16 ring members.
> # Why > > Currently, Monero only has one node written in C/C++, many would see this as an issue. Having only one implementation makes us more vulnerable to implementation bugs, having another node will help us to spot and fix these issues. > > monerod's code is also a bit of a mess, as many devs who have worked on it would agree. Cuprate is a fresh start and is built with modularity in mind which will lead to a cleaner and easier to understand codebase. > > Having a consensus rules document will make it easier for developers to build software to interact with Monero. It will also make it easier to spot potential issues with consensus rules.
XMR donations to the MAGIC Monero Fund, which funds Monero research and development, are tax deductible for the donor if you file taxes in the USA: https://monerofund.org/ . Or donations can be made anonymously in XMR if donors do not care about making tax deductions.
Recipients of funds, i.e. devs and researchers, must KYC to MAGIC. It's a system that works for some devs. Others can use Monero's Community Crowdsoucing System (CCS).
(I'm on the MAGIC Monero Fund committee.)
> Popular documentation like “Mastering Bitcoin” suggests the usage of bx seed for wallet generation. > > Secure cryptography requires a source of large, non-guessable numbers. If the random number generator is weak, the resulting cryptographic usage is almost always compromised. > > For technical people: in this case, practical wallet security is reduced from 128 bit, 192 bit or 256 bit to a mere 32 bit of unknown key information.
I am not an expert, but if you use a multi-coin wallet that includes Monero, then your Monero could be affected. I don't see a list of wallet software that is affected. It would not be easy to verify that closed-source wallets do not use the exploitable code library.
> Q: I used bx to generate my wallets but only use it for non-BTC coins, do I need to worry? > > A: Yes. All funds stored on BIP39 mnemonic secrets or BIP32 wallet seeds are affected since the underlying private keys are basically public now.
https://Rucknium.me
PGP key fingerprint: 5D5E 08A2 389D F225 ABD0 781B 291E 0C22 9D63 1697