Summary

We describe remote side-channel attacks on the privacy guarantees of anonymous cryptocurrencies.

Our attacks, which we validate on Zcash and Monero, enable a remote attacker to identify the P2P node of the payee of any anonymous transaction being sent into the network. This enables the adversary to link all transactions sent to a user, to recover a user's IP address from their anonymous payment address, and to link a user's diversified addresses.

In addition, for Zcash, we show that an attacker can remotely crash any Zcash node for which the attacker knows a payment address, and set up a remote timing attack on an ECDH key exchange involving a victim's private viewing key. In principle, this attack can fully recover the victim's private viewing key, thereby completely breaking receiver privacy.

Our attacks rely on differences in the way that a user's wallet processes a transaction, depending on whether the user is the transaction's payee. We show that these differences in wallet behavior affect the behavior of the P2P node that the wallet is connected to. In turn, a remote adversary can exploit various network and timing side-channels to observe these differences in the P2P node's behavior, and thereby infer the wallet's receipt of a transaction.
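The following is an added illustration of the mechanism described above, not code from the paper or from the Zcash or Monero projects. It models a wallet scanning a transaction's outputs with a viewing key, using a constructed keyed-tag scheme as a stand-in for real note encryption. One scanner stops at the first output addressed to the wallet and does its bookkeeping inline, so the amount of work it performs depends on whether the wallet is the payee; the other performs the same number of trial decryptions for every transaction and hands matches off for deferred processing. A work meter makes the difference visible deterministically instead of relying on wall-clock timing. All keys, outputs and function names are constructed for this example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed toy model of transaction outputs and trial decryption. The keyed
# tag stands in for the key-agreement-plus-decrypt step a wallet runs against
# each output; it is NOT Zcash's or Monero's real note-encryption scheme.


@dataclass
class Output:
    epk: bytes          # sender's per-output ephemeral key (constructed)
    ciphertext: bytes   # 8-byte keyed tag || payload (constructed format)


@dataclass
class WorkMeter:
    trial_decryptions: int = 0        # key-agreement attempts performed
    inline_wallet_updates: int = 0    # expensive bookkeeping done on the network path


def _tag(viewing_key: bytes, epk: bytes) -> bytes:
    """Constructed stand-in for 'derive shared secret, check the output is ours'."""
    return hmac.new(viewing_key, epk, hashlib.sha256).digest()[:8]


def make_output(recipient_vk: bytes, epk: bytes, payload: bytes) -> Output:
    return Output(epk, _tag(recipient_vk, epk) + payload)


def trial_decrypt(viewing_key: bytes, out: Output, meter: WorkMeter):
    """Returns the payload if the output is addressed to viewing_key, else None."""
    meter.trial_decryptions += 1
    if hmac.compare_digest(out.ciphertext[:8], _tag(viewing_key, out.epk)):
        return out.ciphertext[8:]
    return None


def scan_leaky(viewing_key: bytes, outputs, meter: WorkMeter):
    """Payee-dependent behaviour: stops at the first hit and updates the wallet
    inline. A transaction addressed to this wallet costs a different amount of
    work than one that is not, which is what a remote observer can pick up."""
    for i, out in enumerate(outputs):
        if trial_decrypt(viewing_key, out, meter) is not None:
            meter.inline_wallet_updates += 1   # heavy work on the node's hot path
            return [i]
    return []


def scan_uniform(viewing_key: bytes, outputs, meter: WorkMeter):
    """Payee-independent behaviour: every output is trial-decrypted regardless of
    earlier hits, and nothing expensive happens inline; hits are returned so the
    caller can process them off the networking path. (Python cannot guarantee
    true constant time; the point is that the observable work is the same.)"""
    hits = []
    for i, out in enumerate(outputs):
        if trial_decrypt(viewing_key, out, meter) is not None:
            hits.append(i)
    return hits


def work_profile(scan, viewing_key: bytes, outputs):
    """Run a scanner and report (hits, trial decryptions, inline updates)."""
    meter = WorkMeter()
    hits = scan(viewing_key, outputs, meter)
    return hits, meter.trial_decryptions, meter.inline_wallet_updates


# Constructed sample data: one transaction paying Alice, one that does not.
ALICE_VK = b"alice-viewing-key"
BOB_VK = b"bob-viewing-key"
TX_TO_ALICE = [
    make_output(ALICE_VK, b"epk0", b"to alice"),
    make_output(BOB_VK, b"epk1", b"to bob"),
    make_output(BOB_VK, b"epk2", b"change"),
    make_output(BOB_VK, b"epk3", b"dummy"),
]
TX_NOT_TO_ALICE = [make_output(BOB_VK, b"epk%d" % i, b"x") for i in range(4)]

if __name__ == "__main__":
    for name, scan in (("leaky", scan_leaky), ("uniform", scan_uniform)):
        print(name, "payee:", work_profile(scan, ALICE_VK, TX_TO_ALICE))
        print(name, "not payee:", work_profile(scan, ALICE_VK, TX_NOT_TO_ALICE))
```

With the leaky scanner, a transaction paying Alice costs one trial decryption plus an inline wallet update, while an unrelated transaction costs four trial decryptions and no update; that gap is the kind of payee-dependent difference the text says a remote adversary can observe through the P2P node. The uniform scanner costs four trial decryptions and no inline update in both cases, which is the property a defender wants to check for in a wallet's transaction-processing path.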

We disclosed these attacks to the Zcash and Monero security teams, who fixed the underlying vulnerabilities in their latest releases. For Zcash, initial fixes were introduced in the v2.0.7-3 release of the Zcash client. See Zcash's security announcement and blog post. The v2.1.1-1 release of the Zcash client introduced further fixes for a timing side-channel in the processing of blocks. For Monero, the fixes were introduced in the v0.15.0 release of the Monero client. Our disclosure to Monero and the resulting discussion are publicly available on HackerOne. Users who have updated their client to the latest release are no longer vulnerable to the attacks described here. Since the attacks require active monitoring of, and participation in, the Zcash or Monero peer-to-peer networks, they cannot be applied retroactively to earlier transactions.

We have also investigated whether current implementations of zk-SNARK protocols could leak transaction secrets through timing side-channels. We find that this is indeed the case for Zcash's implementation. As a proof-of-concept of this leakage, we show that the time to produce a proof for a Zcash transaction is strongly correlated with the (secret) amount of transacted funds. However, this leakage may be hard to measure and exploit remotely in the current Zcash system.

A more detailed description of the attacks can be found in our paper. An earlier write-up on the Zcash attacks, as well as a FAQ, are here.