I read through this entire gist, and I was not able to find a single section categorically proving that Monero is unsafe. It makes big claims such as "Monero has been broken." and "Monero is substantially unsafe and incapable of providing anonymity [...]", but then at the end the very same paper says the following:
"Monero is the best-in-class anonymous cryptocurrency in production today."
What the hell is it trying to say then?
From what I've been able to gather from this gist, its argument that Monero is "unsafe" hinges on the extra sentence: "under the formal threat model proposed and analyzed in this paper". Curiously, section 8, "Analysis Under Full Threat Model", is completely blank. And it also curiously never properly defines the "full threat model".
From what I gather however, its main argument is that 10 decoys (in RingCT) is too few and there could be probabilistic attacks and some of the decoys could be malicious actors. The Monero developers already know this however, and are working on Triptych and Arcturus [1] to fix this. Note that this doesn't mean that Monero is 0% safe (as the gist likes to pretend by writing stuff like "Monero has been broken"), but it rather means that Monero is 80-90% safe rather than 100% safe. And if you're that worried, the Monero wallet offers the option for churning [2].
Lastly, the gist is more than 3 years old now, without a single update to it. Does the author not know that in 3 years there could be lots of upgrades and fixes to Monero? The fact that the largest Dark Net Market is now using Monero only surely should be an indication that Monero is doing something right?
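To put rough numbers on the "10 decoys / malicious decoys / churning" argument in the post above, here is an added toy model; it is not from the thread and is not Monero's real decoy-selection algorithm. It assumes each of the `k` decoys in a ring is independently adversary-controlled (a Sybil) with probability `p`, that controlled decoys can be ruled out by that adversary, and that churning hops are independent.

```python
import random
from math import comb


def effective_ring_distribution(k: int, p: float) -> dict[int, float]:
    """Exact distribution of the effective anonymity-set size.

    Assumed model: the ring holds the real spend plus k decoys, and each
    decoy is adversary-controlled with probability p.  Controlled decoys
    are ruled out, so the effective set is 1 + (number of honest decoys).
    """
    return {1 + j: comb(k, j) * (1 - p) ** j * p ** (k - j) for j in range(k + 1)}


def p_fully_exposed(k: int, p: float, hops: int = 1) -> float:
    """Probability the real spend is the only candidate left.

    With churning (hops > 1) the adversary must fully expose every hop of
    the chain; hops are assumed independent, so probabilities multiply.
    """
    return (p ** k) ** hops


def expected_effective_size(k: int, p: float) -> float:
    """Mean effective anonymity-set size (1 + k*(1-p) under the model)."""
    return sum(size * prob for size, prob in effective_ring_distribution(k, p).items())


def simulate(k: int, p: float, trials: int, seed: int = 0) -> float:
    """Monte Carlo check of p_fully_exposed over a constructed output pool
    in which a fraction p of outputs is adversary-controlled."""
    rng = random.Random(seed)
    pool_size = 10_000                      # constructed pool, not chain data
    controlled = set(rng.sample(range(pool_size), int(p * pool_size)))
    exposed = 0
    for _ in range(trials):
        decoys = rng.sample(range(pool_size), k)
        if all(d in controlled for d in decoys):
            exposed += 1
    return exposed / trials


if __name__ == "__main__":
    for k in (10, 15):                      # k=10 is the ring-size-11 case discussed
        for p in (0.25, 0.5, 0.75):
            print(f"k={k:2d} p={p:.2f} "
                  f"P(fully exposed)={p_fully_exposed(k, p):.2e} "
                  f"E[size]={expected_effective_size(k, p):.2f} "
                  f"P(exposed after 3 churn hops)={p_fully_exposed(k, p, 3):.2e}")
```

The model ignores real-world decoy selection biases and timing side channels, so treat its output as a lower bound on exposure risk, not a measurement.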
> "Monero is the best-in-class anonymous cryptocurrency in production today."
>
> What the hell is it trying to say then?
It's trying to say everything else is broken too. I think Zcash is now best in class though.
> Note that this doesn't mean that Monero is 0% safe (as the gist likes to pretend by writing stuff like "Monero has been broken"), but it rather means that Monero is 80-90% safe rather than 100% safe.
No, the main point of the gist is that the analytic attacks are able to entirely break any user whose wallet functions as a stream wallet, which in practice is nearly everyone. To fall outside of the "stream wallet" definition provided in the gist, you have to run a custom wallet (not the main Monero code), and the implementation of that wallet has to be highly user hostile.
The attack doesn't target weaknesses in the Monero implementation, it targets weaknesses in the Monero architecture. Any decoy system has the exact same issues. If Monero is still on a 10 decoy system (even if it were on a 100,000 decoy system), all the attacks in the gist apply.
> It's trying to say everything else is broken too.
> I think Zcash is now best in class though.
I fundamentally disagree. Zcash is sponsored and funded by so many government agencies which raises a stupid amount of red flags. It's sponsored by US DARPA, Israeli Digital ministries, Amazon, etc. [1] It's absolutely ridiculous that a coin with so many links to bad institutions could ever be considered trustworthy.
Furthermore, its lead developer was caught with his pants down when he went on a ramble about how they could install backdoors for government agencies to track criminal transactions, while also making it secure and anonymous for normal people. The fact that the project didn't completely collapse that moment still blows my mind. [2][3]
> No, the main point of the gist is that the analytic attacks are able to entirely break any user whose wallet functions as a stream wallet, which in practice is nearly everyone.
> The attack doesn't target weaknesses in the monero implementation, it targets weaknesses in the monero architecture. Any decoy system has the exact same issues.
I've read through the gist you linked again, and I think I now understand what the threat model being analysed is.
He makes the following assumptions:
* > The anonymous stream wallet model assumes a single adversary that has global visibility of all payment streams on the network.
* > This global adversary is assumed to be performing an ongoing Sybil attack on the network.
* > the global adversary is assumed to have access to unknown side-channels that help to de-anonymize the user. [...] examples could include more exotic techniques known only to the adversary.
First of all, these are incredibly optimistic assumptions. Sybil attack, maybe. But, a government (adversary) having "unknown" side-channel attacks to de-anonymise users? Really? I mean, if I'm able to make such an easy assumption that a government has unknown side-channel attacks without having anything to back up my assumption with, then I could write a paper on pretty much any technology and accuse them of being "insecure" and "broken". But you know as well as I do that such assumptions are bonkers.
The gist then goes on to say:
"Though a global adversary may seem like a strong assumption, techniques such as the flashlight attack, dragnet surveillance, government mandated KYC, and the general nature of corporate information sharing and data selling today suggest that a single party could potentially gain a substantial and surprising amount of knowledge about any particular identity on the internet"
Which doesn't make 100% sense. Sure, such techniques would work if we were talking about Bitcoin where addresses are fixed and the blockchain is completely transparent. But this is Monero. If a government uses KYC to link a real life identity to a Monero address, a user can simply generate a new wallet and send the transaction from the KYC'd address to a blank wallet. The sender wallet is hidden with decoys, and most importantly (!!!), the receiving wallet is 100% hidden thanks to stealth addresses. No need to worry about decoys. So, how on earth would a government use their vast databases to get around this?
If this gist was so well written, why wasn't it submitted for peer review, and why hasn't it received an edit in 3 years?
---
Fundamentally, Monero is objectively safer due to how it's not in bed with so many government agencies, and how the developer team is decentralised and anonymous. Theoretical attacks and GitHub gists from 3 years ago saying how someone could do this or that don't mean anything when the only other alternatives are literally sponsored by Israeli ministries. Furthermore, the IRS $625k bounty for breaking Monero is still open, and the largest dark market currently uses Monero only. I believe that these 2 things speak volumes more than a gist from 3 years ago.