In July 2021 a bug capable of exposing users' transactions was discovered by U.S. software developer Justin Berman. The bug is in Monero's decoy selection algorithm, and it means that users who spend newly received XMR within about 20 minutes of receiving it can potentially be deanonymized: the real output in the ring can be told apart from its decoys. "This does not reveal anything about addresses or transaction amounts ... This bug persists in the official wallet code today," Monero said. XMR users can avoid the issue entirely by waiting one hour or more before spending newly received XMR. A fix is being worked on and, according to Monero team members, will not require a hard fork. Read below for more on the risks associated with Monero (XMR) and its previous bugs.
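The following simulation, added here as an illustration and not code from Monero or from the researcher, shows why a decoy-selection gap of this kind is worse than the usual "youngest member is probably the real spend" heuristic. Everything in it is an assumed model: 2-minute blocks (so the 20-minute window is about 10 blocks), a selector that never produces a decoy younger than that window, a ring of 11 members, and decoy ages drawn from a gamma distribution over the log of output age with shape 19.28 and rate 1.61 (the shape of Monero's published selector, used here only as a modelling assumption). A real output younger than the window is then provably the spend, with no guessing, whereas an older real output is only ever a probabilistic guess that gets weaker the older it is.

```python
# Constructed model of a decoy selector with an uncovered "recent window".
# NOT Monero's wallet code; all parameters below are assumptions made for this
# example (2-minute blocks, ring size 11, gamma-over-log-age decoy ages,
# and a selector that never picks a decoy younger than MIN_DECOY_AGE_BLOCKS).
import math
import random

BLOCK_TIME_SEC = 120           # assumed block time
RING_SIZE = 11                 # 1 real output + 10 decoys (assumed)
MIN_DECOY_AGE_BLOCKS = 10      # modelled window the buggy selector never covers (~20 min)
GAMMA_SHAPE = 19.28            # assumed shape of the gamma over ln(age in seconds)
GAMMA_RATE = 1.61              # assumed rate of that gamma


def sample_decoy_age_blocks(rng):
    """Draw one decoy age (in blocks) from the modelled buggy selector.

    Rejection-samples until the age is outside the uncovered recent window,
    which is exactly the behaviour that lets an analyst exclude young decoys."""
    while True:
        ln_age_sec = rng.gammavariate(GAMMA_SHAPE, 1.0 / GAMMA_RATE)
        age_blocks = int(math.exp(ln_age_sec) / BLOCK_TIME_SEC)
        if age_blocks >= MIN_DECOY_AGE_BLOCKS:
            return age_blocks


def build_ring(real_age_blocks, rng):
    """Return (ring_ages, real_index): the real output at a random position
    among RING_SIZE - 1 decoys."""
    decoys = [sample_decoy_age_blocks(rng) for _ in range(RING_SIZE - 1)]
    real_index = rng.randrange(RING_SIZE)
    ring = decoys[:real_index] + [real_age_blocks] + decoys[real_index:]
    return ring, real_index


def youngest_guess(ring):
    """Analyst heuristic: guess the single youngest member; None on a tie."""
    youngest = min(ring)
    idx = [i for i, age in enumerate(ring) if age == youngest]
    return idx[0] if len(idx) == 1 else None


def provably_real(ring):
    """Analyst proof: if exactly one member is younger than anything the
    selector can produce, it must be the real spend. No probability involved."""
    idx = [i for i, age in enumerate(ring) if age < MIN_DECOY_AGE_BLOCKS]
    return idx[0] if len(idx) == 1 else None


def simulate(real_age_blocks, trials=2000, seed=1):
    """Fraction of rings in which (a) the youngest-member guess is right and
    (b) the real output is provable rather than guessed."""
    rng = random.Random(seed)
    guessed = proven = 0
    for _ in range(trials):
        ring, real = build_ring(real_age_blocks, rng)
        guessed += youngest_guess(ring) == real
        proven += provably_real(ring) == real
    return guessed / trials, proven / trials


if __name__ == "__main__":
    for minutes in (10, 60, 24 * 60):
        hit, proof = simulate(minutes * 60 // BLOCK_TIME_SEC)
        print(f"spend after {minutes:5d} min: youngest-guess hit rate {hit:.2f}, "
              f"provable {proof:.2f}")
```

Spending inside the window gives a provable result every time, because no decoy can be that young; a spend after an hour is only guessable (the real output is often, but not always, the youngest ring member), and after a day the youngest-member heuristic is close to useless. Waiting therefore does not make the spend perfectly private in this model, but it removes the certainty the selector gap hands to an analyst.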
Monero is an open-source cryptocurrency launched in April 2014 that focuses on privacy, fungibility, censorship resistance, and decentralization, and it remains one of the most popular anonymity-focused cryptocurrencies today. That privacy focus has led Monero to develop and integrate several cutting-edge cryptographic techniques, including Ring Confidential Transactions (Ring CTs) and Bulletproofs. Monero is particularly popular with a strong base of users who believe in ASIC resistance and financial privacy.
- Industry-leading privacy enhancing technology like Ring Confidential Transactions (Ring CTs), Stealth addresses, and Bulletproofs
- Default-privacy and anonymity rather than optional privacy or pseudo-anonymity
- Staunch and devoted community, along with a decentralized and crowdfunded team that places its commitment to privacy above all else
- Dominated by 2 mining pools which account for > 50% of the hashing power
- An overwhelming majority (~70%) of code contributions since 2017 have come from one individual: moneromoo-moo
- The threat that a larger, more popular blockchain adopts full privacy-preserving technology making its existence (essentially) superfluous
- Increased regulatory scrutiny due to private transactions and anonymity
- More difficult user experience and fewer wallet options due to the privacy technology associated with a transaction
Decentralized governance and community-driven trust are two fundamental tenets behind Monero's egalitarian ideals. Communities that lack them are subject to the decisions of centralized development teams, or to early-stage on-chain governance mechanisms that still have many unresolved problems before they can function properly.
Monero guards against 51% attacks through its emphasis on decentralization, using the RandomX proof-of-work algorithm and a focus on maintaining ASIC resistance. Estimates as of Q3 2021 suggest that a 51% attack on the network would cost the attacker roughly $20k per hour, plus the upfront cost of the mining hardware. While that figure is not exactly cheap for an individual, it is easily within budget for a rival project, corporation, or government, which leaves Monero susceptible to such an attack.
Despite the focus on ASIC resistance, Monero's mining is dominated by 2-3 pools that together account for nearly 50% of the hashing power, a top-heavy distribution that calls Monero's true decentralization into question. Additionally, as stated in the previous section, Monero split into five different forks over disagreements about the best path to remaining ASIC resistant. The original Monero chain forked to defeat Bitmain's ASIC miners, but competing chains such as MoneroV, Monero Classic, and Monero 0 emerged from the dispute. Unfortunately, all the messy forking and disagreements appear to have been for naught, as by one estimate a large majority (85%) of Monero's hashing power remained under ASIC control.
Monero actively addresses security concerns, many of which are resolved directly by the community and its research arm. Notably, Monero suffered an attack in September 2014 in which a bug in the CryptoNote reference implementation was leveraged to create two sub-chains, neither of which recognized the validity of transactions on the other. Eventually, CryptoNote released a patch, which Monero adopted. Monero community members actively participate in finding bugs in the Monero code; however, there is no current public bug bounty for Monero.
In July 2019, Monero published a report detailing nine security vulnerabilities, including some that put users' funds on exchanges at risk. The self-published report states that eight have since been patched, one remains outstanding, and there is no evidence that any of the vulnerabilities were exploited. The disclosure appears to coincide with the roll-out of Monero version 0.14.1.0 in June 2019.
Beginning in 2020, Monero was subjected to an ongoing, unsophisticated spam attack that, while malicious in intent, did very little to disturb the underlying protocol. The attacks did not target the Monero protocol itself but rather the p2p network layer; all on-chain data and privacy measures were unaffected. The attacker(s) attempt to undermine the network with constant Sybil attacks that flood nodes with traffic and degrade usability.
Finally, one concern for Monero and all privacy-centric cryptocurrencies is the possibility that a larger, more secure, more popular blockchain adopts full privacy-preserving technology, making them (essentially) superfluous. The Bitcoin community is actively working on privacy-related technologies such as Schnorr signatures, the Dandelion protocol, and MimbleWimble. Ethereum was slated to adopt the privacy-preserving AZTEC protocol on its mainnet sometime in 2019. Even if both Bitcoin and Ethereum succeed in implementing their privacy upgrades and can match Monero's level of privacy (which some find unlikely), privacy coins will likely still serve a niche market of die-hard fans.