Paper 2019/455

FloodXMR: Low-cost transaction flooding attack with Monero’s bulletproof protocol

João Otávio Massari Chervinski, Diego Kreutz, and Jiangshan Yu

Abstract

Monero is one of the first and most popular cryptocurrencies to address privacy issues of other crypto coins such as Bitcoin. Monero has a market capitalization of over one billion US dollars, and is ranked the 12th most valuable cryptocurrency on CoinMarketCap (17 April 2019). This digital coin provides different mechanisms to protect its users, such as decoy keys or mixins to obfuscate transaction inputs. However, in spite of the efforts to protect Monero’s users privacy, transaction tracing attacks are still feasible. Our contribution is twofold. First, we propose and evaluate a new traceability attack, called transaction flooding attack (FloodXMR). Second, we present an analysis of thecosts required for an attacker to conduct FloodXMR. We show how an attacker can take advantage of Monero’s Bulletproof protocol, which reduces transaction fees, to flood the network with his own transactions and, consequently, remove mixins from transaction inputs. Assuming an attack timeframe of 12 months, our findings show that an attacker can trace up to 47.63% of the transaction inputs at a cost of just 1,746.53 USD. Moreover, we show also that more than 90% of the inputs are affected by our tracing algorithm.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint. MINOR revision.
Keywords
MoneroPrivacyTraceabilityAttack
Contact author(s)
joaootaviors @ gmail com
History
2019-05-10: received
Short URL
https://ia.cr/2019/455
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2019/455,
      author = {João Otávio Massari Chervinski and Diego Kreutz and Jiangshan Yu},
      title = {{FloodXMR}: Low-cost transaction flooding attack with Monero’s bulletproof protocol},
      howpublished = {Cryptology {ePrint} Archive, Paper 2019/455},
      year = {2019},
      url = {https://eprint.iacr.org/2019/455}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.