A “significant” bug, with the potential to expose users’ transaction details, has been spotted in the privacy-centric cryptocurrency Monero (XMR), according to a Twitter post on Tuesday.
-
The bug, identified in Monero's decoy selection algorithm, occurs when a user spends their funds received in a transaction before roughly 20 minutes has passed.
-
There is a "good probability" the output of the new transaction can be identified as the true transaction, according to the tweet.
-
XMR allows users to conceal their transactions by including worthless coins known as “mixins” along with the actual coins they spend in a given transaction.
-
"This does not reveal anything about addresses or transaction amounts … This bug persists in the official wallet code today," said Monero.
-
Users may avoid the bug altogether by waiting one hour or more before spending their newly-received Monero until a fix is implemented in a future wallet software update.
-
A hard fork is not required to fix the bug, Monero said.
-
U.S. Software developer Justin Berman first spotted the bug.