Monero Traceability Heuristics: Wallet Application Bugs and the Mordinal-P2Pool Perspective

TL;DR

Monero's privacy architecture relies on robust privacy features, yet recent wallet bugs and ecosystem developments have produced new traceability heuristics. The paper formalizes and evaluates six heuristics—10 Block Decoy Bug, Differ By One, Mordinals, Coinbase Outputs, P2Pool Output Merging—and a combined analysis, using ground-truth references and temporal data to measure precision and the evolution of the effective ring size. Key findings show high precision for most heuristics, with the 10 Block Decoy Bug and Coinbase decoy heuristics being especially impactful from 2019 to 2023, while the effective ring size stayed above 14 through Oct 2023. The work emphasizes cautious application of these methods due to possible false positives and provides benchmarks to guide future privacy assessments in Monero and similar systems.

Abstract

Privacy-focused cryptoassets like Monero are intentionally difficult to trace. Over the years, several traceability heuristics have been proposed, most of which have been rendered ineffective with subsequent protocol upgrades. Between 2019 and 2023, Monero wallet application bugs "Differ By One" and "10 Block Decoy Bug" have been observed and identified and discussed in the Monero community. In addition, a decentralized mining pool named P2Pool has proliferated, and a controversial UTXO NFT imitation known as Mordinals has been tried for Monero. In this paper, we systematically describe the traceability heuristics that have emerged from these developments, and evaluate their quality based on ground truth, and through pairwise comparisons. We also explore the temporal perspective, and show which of these heuristics have been applicable over the past years, what fraction of decoys could be eliminated and what the remaining effective ring size is. Our findings illustrate that most of the heuristics have a high precision, that the "10 Block Decoy Bug" and the Coinbase decoy identification heuristics have had the most impact between 2019 and 2023, and that the former could be used to evaluate future heuristics, if they are also applicable during that time frame.

Figures (11)

• Figure 1: Illustration of the zero mixins and chain reaction heuristics. Input rings 1 and 2 only have a single member, which means it must be the true spend. As enotes 6 and 8 are known to have been spent, it follows that enote 7 is the true spend of ring 3. The same approach works to identify output 9 as the true spend of ring 4, and is known as the chain reaction heuristic.
• Figure 2: Illustration of the 10-Block-Old Decoy Bug Heuristic: if there exists exactly one ring member that is 10 blocks old and the input ring has been created between October 11, 2018 and April 10, 2023, it is very likely the true spend (highlighted in green).
• Figure 3: Illustration of the Differ-by-One heuristic: given two input rings that are almost identical except for one ring member (i.e. all other ring members match between the rings), the differing outputs (marked in green) are likely the true spends.
• Figure 4: Mordinal: An image embedded in the tx_extra field in transaction hash baa3f1fa73942366c19471aac73b78dd2664eefe634bdbd260d58d09d2a0e259
• Figure 5: The number of coinbase outputs was high until 2017, as Monero used to generate outputs of multiple denominations prior to the introduction of RingCT, hiding amounts. In 2021, the number of outputs started increasing again with the emergence of decentralized mining pool P2Pool.