In early 2018, the Monero community and developers were preparing for the Monero v7 protocol upgrade when something caught us by surprise: Monero airdrops.

Airdrops were all the rage at the beginning of the year, with people forking cryptocurrencies with the hope of printing additional coins out of thin air. We had seen other communities subjected to these pumps and dumps, but we didn’t make the connection to Monero. Until MoneroV came along.

MoneroV was a ridiculous airdrop that claimed to “fix” many of the issues of Monero, most notably by setting a fixed supply of MoneroV. The community generally found this prospect ridiculous, but the announcements sent shockwaves of terror through the community. No one expected the fork to mean anything, but we were worried about the impact that chain splits have on privacy.

If a user sends one transaction on two chains, the real output in the ring signature is often revealed, since the key images are the same. When two transactions have the same key image and their rings share only one output, that shared output must be the real one, which renders the ring signature useless.

I hurriedly sought to understand the potential impact of chain splits on Monero privacy. I made this video in February, which is mostly correct, though the “high-risk” zone is actually a few days before and after the split, not just a few days after. I communicated three major changes to the wallet behavior to mitigate these damages. I suggested a minimum ringsize increase from 5 to 7 with research expanding on MRL-0004. Ultimately, these protections were included in the Monero 0.12.0 release.

What Chain Splits Mean for Monero

Around this time, we were hit with two chain splits in short succession: Monerov6 (Monero Classic, Monero Original) on April 6 and MoneroV on May 3. I would like to reiterate that the community did not split; these forks went largely on their own and have seemingly died off.

Now that it’s several months after these chain splits, let’s investigate to see what the impact is. We can use an updated version of the Monero blackball tool and the same research table as before to estimate upper bounds for the proportion of outputs and the number of transactions that were compromised.

Here are the relevant results of running the blackball tool in late August 2018:

2018-08-21 10:21:07.248 7f7bb3e58c00 INFO bcutil src/blockchain_utilities/blockchain_blackball.cpp:1290 rct-key-image-attack: 31359 (0.45299%)

2018-08-21 10:21:07.248 7f7bb3e58c00 INFO bcutil src/blockchain_utilities/blockchain_blackball.cpp:1290 rct-chain-reaction: 8 (0.000115562%)

We’re going to take one number in particular: 8. This fits in nicely with our existing model, since this is the number of RingCT transactions that were compromised by a chain split chain reaction. We can use this number to estimate the proportion of compromised outputs in given windows.
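The key-image comparison described earlier and the chain reaction counted in the blackball output, as an added Python example (a simplified model, not the blackball tool's code; the function names, output ids and key images are constructed for illustration). Its result is the set of outputs known to be spent, which are the ones a wallet should avoid picking as decoys.

```python
from collections import defaultdict

def key_image_attack(inputs):
    """inputs: (chain, key_image, ring) tuples, ring = set of output ids.
    Rings that reuse a key image spend the same output, so it lies in their
    intersection. Returns {key_image: real_output} when that is one output."""
    rings_by_ki = defaultdict(list)
    for _chain, key_image, ring in inputs:
        rings_by_ki[key_image].append(set(ring))
    spent = {}
    for key_image, rings in rings_by_ki.items():
        if len(rings) < 2:
            continue  # seen on one chain only: nothing to compare
        common = set.intersection(*rings)
        if len(common) == 1:
            spent[key_image] = next(iter(common))
    return spent

def chain_reaction(inputs, spent):
    """Strike known-spent outputs from the remaining rings until nothing
    changes; a ring left with one candidate reveals its real output too.
    Returns only the newly revealed {key_image: real_output}."""
    known = dict(spent)
    changed = True
    while changed:
        changed = False
        spent_outputs = set(known.values())
        for _chain, key_image, ring in inputs:
            if key_image in known:
                continue
            left = set(ring) - spent_outputs
            if len(left) == 1:
                known[key_image] = left.pop()
                changed = True
    return {k: v for k, v in known.items() if k not in spent}

# Constructed sample data (rings kept small for brevity).
SAMPLE_INPUTS = [
    ("main", "ki_A", {"o1", "o2", "o3", "o4", "o5"}),
    ("fork", "ki_A", {"o3", "o6", "o7", "o8", "o9"}),  # only o3 is shared
    ("main", "ki_B", {"o3", "o10"}),                   # falls once o3 is known
    ("main", "ki_C", {"o3", "o10", "o11"}),            # falls once o10 is known
    ("main", "ki_D", {"o12", "o13", "o14"}),
    ("fork", "ki_D", {"o12", "o13", "o14"}),           # identical ring: no leak
]

if __name__ == "__main__":
    direct = key_image_attack(SAMPLE_INPUTS)
    print("key-image attack:", direct)
    print("chain reaction:  ", chain_reaction(SAMPLE_INPUTS, direct))
```

The `ki_D` pair shows the case where both chains carry the same ring: the key image still matches, but the intersection is the whole ring, so no output is singled out.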

We’re just taking a brief look at the data today to get some estimates; a more thorough analysis would return much more specific data. Now let’s find a reasonable upper bound.

Looking at the number of Monero transactions per day, it seems that it was close to 4000–6000 during the time of the splits. Let’s be conservative and select 4000 to get a higher upper bound.