
How can an attacker add their own known decoys to the ring with monero-wallet-cli?

1 Answer


Please read: "History and state of Monero security analysis, by B. Goodell (August 17, 2024)" (Page: 9, Section: 2.1.9, "Adversarial floods"), and "Cypher Stack Report: UMP Paper" (January 11, 2025) about how "churning" can help or hurt.

I believe this is also answered in your question's link to "Private Money: Part 1 - Investigating the state-of-the-art private money protocols - Monero’s Limitations", Bhargav Annem's Blog, (May 20, 2024):

"... that a powerful attacker could add their own known decoys to the ring. By flooding the network with transactions that reuse known or controlled outputs as decoys, they can “poison” the anonymity set. Once a few real spends are known, these poisoned rings make it much easier to strip away decoys and trace other transactions. It creates a chain reaction where even users who took care to protect their privacy can end up exposed if their transactions enter rings with adversaries.
This set-intersection effect accurately explains why churning—the practice of sending funds back to yourself to “clean” them—is especially dangerous in Monero, and why any privacy leak (such as using a KYC exchange or revealing a single address) can compromise not just a single transaction but the entire anonymity set. When a user spends funds that were previously used in a public or traceable context, it contaminates any ring that output appears in. Even indirect interactions with centralized services, or careless use of wallets that expose scanning patterns, can cascade into de-anonymizing dozens or hundreds of other users. ...".

"Flood-XMR: Low-cost transaction flooding attack with Monero’s Bulletproof protocol", by João Otávio, Massari Chervinski, Diego Kreutz, and Jiangshan Yu, Cryptology ePrint Archive, 2019. Partial Abstract:

"... However, in spite of the efforts to protect Monero’s users privacy, transaction tracing attacks are still feasible. Our contribution is twofold. First, we propose and evaluate a new traceability attack, called transaction flooding attack (FloodXMR). Second, we present an analysis of the costs required for an attacker to conduct FloodXMR. We show how an attacker can take advantage of Monero’s Bulletproof protocol, which reduces transaction fees, to flood the network with his own transactions and, consequently, remove mixins from transaction inputs. Assuming an attack timeframe of 12 months, our findings show that an attacker can trace up to 47.63% of the transaction inputs at a cost of just 1,746.53 USD. Moreover, we show also that more than 90% of the inputs are affected by our tracing algorithm.".

The attacker simply makes carefully chosen transactions, as explained on page 3:

"We propose and evaluate a new attack, named transaction flooding attack (or FloodXMR), to trace the payment keys of Monero’s blockchain. While the idea is rather simple, i.e., to flood Monero’s network with transactions whose input and output keys are owned by the attacker, we need to address some challenges and pay attention to details that significantly impact the results, such as the chain reactions. First, the transaction fee is proportional to its size in bytes, which means that the attacker should carefully chose a cost-effective size. Second, as 50% of the decoy keys of the transaction’s input are from the past 1.8 days, the attacker has to create transactions continuously. Third, we explore the critical mass reactions of Monero’s blockchain, as it can nearly double the number of traced input keys, as we discuss later on. Fourth, we try to maximize the number of output keys per transaction. Ideally, the attacker should create cost-effective transactions with as many output keys as possible.".
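The chain reaction described in the quotes above can be measured on a toy model. The following is an added example, not part of the original answer or of any of the cited papers; the ring contents, output labels and function names are constructed for illustration, and the ring size of 3 is an assumption chosen to keep the data readable. It shows how many plausible spends remain in each ring once an observer knows that some ring members were spent elsewhere.

```python
def effective_rings(rings, known_spent):
    """Return (remaining, resolved) after eliminating provable decoys.

    rings: dict ring_id -> set of output labels (one real spend + decoys).
    known_spent: outputs the observer knows were spent in other
        transactions, e.g. outputs a flooder created and spent itself.
    An output can be spent only once, so a ring member already known to
    be spent elsewhere cannot be the real spend of this ring.
    """
    remaining = {rid: set(members) for rid, members in rings.items()}
    spent = set(known_spent)
    resolved = {}  # ring_id -> the single output left as the real spend
    changed = True
    while changed:
        changed = False
        for rid, members in remaining.items():
            if rid in resolved:
                continue
            members -= spent  # drop every provable decoy
            if len(members) == 1:
                # Only one candidate left: it is now known spent too, which
                # can resolve further rings on the next pass (chain reaction).
                (real,) = members
                resolved[rid] = real
                spent.add(real)
                changed = True
    return remaining, resolved


# Constructed sample data: "a*" are flooder-owned outputs, "u*" belong to users.
SAMPLE_RINGS = {
    "tx1": {"a1", "a2", "u1"},
    "tx2": {"u1", "a3", "u2"},
    "tx3": {"u2", "u4", "u5"},
    "tx4": {"u6", "u7", "a4"},
}
FLOODER_OUTPUTS = {"a1", "a2", "a3", "a4"}

if __name__ == "__main__":
    remaining, resolved = effective_rings(SAMPLE_RINGS, FLOODER_OUTPUTS)
    for rid in SAMPLE_RINGS:
        print(rid, "effective ring size:", len(remaining[rid]),
              "traced" if rid in resolved else "not traced")
```

In this data `tx2` contains only one flooder output, yet it is still resolved because `tx1` was resolved first; `tx3` and `tx4` keep two candidates each, so their effective ring size drops from 3 to 2 without being fully traced.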
