By gifting new assets to existing cryptocurrency users, so-called “airdrops” are proving explosive, enabling the sudden creation of massive amounts of value almost overnight. But as the method is perhaps being hastily adapted, unexpected hazards are beginning to emerge.
Planning to launch on April 30, monerov is one such example. Seeking to correct what it sees as an error in monero’s value proposition, it aims to offer a variation on the software behind the 11th-largest cryptocurrency that alters the rate at which coins are created.
But there’s a catch. While monerov activates like all forks (by copying another crypto’s codebase), its design threatens to undermine one of the core privacy mechanisms of the protocol it’s splitting from. In short, because of the way it impacts monero’s privacy features, a single data leak could cause a chain reaction, one that potentially damages its future transactions.
Given the risks to the original blockchain, the idea has been met with an icy reception.
Researchers affiliated with monero are now speaking out, seeking to brand the giveaway, in which monero holders would receive free money, an attack.
“Forking an existing blockchain without taking into account the effects is a reckless disregard for user privacy with no real benefits,” a cryptographer at the Monero Research Lab, who goes by the pseudonym “Sarang Noether,” flatly told CoinDesk.
That said, the airdrop only threatens one aspect of monero’s privacy model – the other mechanisms, which conceal transaction quantities as well as destination addresses, would be unaffected. But there are concerns that it could set a precedent for further airdrops in the future.
As monero core developer “binaryFate” told CoinDesk:
“It is much easier to bootstrap a community by distributing ‘free’ tokens to an existing user base, than starting from a genesis block and convincing new users to join based solely on the merit of your technology.”
What actually is an airdrop?
Airdrops are a newly popular method for distributing new cryptocurrency, and it’s notable that the attack vector exposed by monerov hinges on the very process of airdrops.
Rather than bootstrapping a fresh blockchain from code, an increasing number of forks are choosing to inherit the former chain, allocating a time at which the codebase will split off and continue.
“One must distinguish forking a codebase and forking a blockchain,” binaryFate said.
Typically, at a predetermined “block height,” a numbered block in the chain, the new cryptocurrency will create a “snapshot” of who owns what on the former chain.
This information is then replicated onto the new blockchain, giving users two wallets, and potentially, a crypto stash that has doubled in quantity.
On the bitcoin blockchain, participating in an airdrop can have privacy faults of its own. As highlighted by author Andreas Antonopoulos, claiming airdropped coins with a bitcoin key pair can risk linking an entire transaction history, even if a bitcoin user has been diligent.
The technique can also cause more systemic problems, such as the well-known “replay attack” – in the wake of a fork, there’s a risk that money spent on one blockchain will also transact on the other chain, sacrificing the integrity of the ledger.
Linking key images
But this particular attack is specific to monero. To achieve anonymized transactions, monero relies on three mechanisms: stealth addresses, ring signatures and ring confidential transactions.
Together, these code functions form a robust privacy model, as stealth addresses protect the identity of a user that receives funds, ring signatures protect the sender and ring confidential transactions obscure the quantities that are being sent in a transaction.
The fork attack impacts only one of these devices, the ring signatures.
In ring signatures, transaction outputs, or the information about what is being sent, are aggregated into a “ring” that obscures the real output by mixing it with randomly selected transaction outputs of other monero users.
However, this presents a problem: “You never know if an output is actually spent or not,” binaryFate explained…
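To make the privacy loss the researchers warn about concrete, here is an added toy model (not code from monero or monerov, with constructed sample data): a ring is a key image plus a set of candidate outputs, and the same output spent on both chains carries the same key image while each chain picks its decoys independently.

```python
# Toy model of the key-image linkage problem. Constructed sample data, not
# monero's real data structures. A ring is (key_image, candidate outputs);
# one member is the real spend, the others are decoys.

CHAIN_A = [  # pre-fork chain (constructed)
    ("ki1", frozenset({"o1", "o2", "o3"})),
    ("ki2", frozenset({"o1", "o4", "o5"})),
    ("ki3", frozenset({"o1", "o4", "o6"})),
    ("ki4", frozenset({"o1", "o2", "o6"})),
]
CHAIN_B = [  # airdrop fork after the snapshot (constructed)
    ("ki1", frozenset({"o1", "o7", "o8"})),
    ("ki2", frozenset({"o4", "o9", "o10"})),
    ("ki9", frozenset({"o3", "o9", "o10"})),
]

def link_across_chains(rings_a, rings_b):
    """A key image seen on both chains whose two rings share exactly one
    output reveals that output as the real spend. Returns {key_image: output}."""
    members_b = dict(rings_b)
    linked = {}
    for ki, members in rings_a:
        if ki in members_b:
            common = members & members_b[ki]
            if len(common) == 1:
                (linked[ki],) = common
    return linked

def propagate(rings, resolved):
    """The chain reaction: an output already known to be spent cannot be the
    real member of any other ring, so it stops working as a decoy. Rings left
    with a single candidate are resolved in turn until nothing changes."""
    resolved = dict(resolved)
    spent = set(resolved.values())
    changed = True
    while changed:
        changed = False
        for ki, members in rings:
            if ki in resolved:
                continue
            remaining = members - spent
            if len(remaining) == 1:
                (resolved[ki],) = remaining
                spent.add(resolved[ki])
                changed = True
    return resolved

def effective_ring_sizes(rings, resolved):
    """Plausible candidates left in each still-unresolved ring."""
    spent = set(resolved.values())
    return {ki: len(m - spent) for ki, m in rings if ki not in resolved}
```

Running `propagate(CHAIN_A + CHAIN_B, link_across_chains(CHAIN_A, CHAIN_B))` resolves four of the five rings even though only two key images were seen on both chains, which is the cascading effect the article describes.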