Exploiting Network and Timing Side-Channels to Break Monero Receiver Anonymity

## Summary: We present various examples of side-channel leakage in the communication between a Monero wallet and P2P node. Communication patterns and timing leak whether the wallet is the payee of a transaction that is sent into the transaction pool or mined in a block—thereby breaking transaction privacy, as well as enabling linking of stealth addresses. If a user connects their Monero wallet to a remote node, the required leakage in commu- nication patterns and timing is observable by a malicious (yet passive) remote node provider, or by a passive network adversary that monitors the encrypted traffic between a wallet and a trusted node. Even if the wallet and node are both hosted locally and trusted, side-channel leakage can be observed by an active remote attacker with a P2P connection to the node. ## Releases Affected: * Current release (v0.14.1.0) and previous ones of the main Monero node and wallet implementations ## Steps To Reproduce: The attached report (which we also sent to [email protected] and [email protected] via PGP) explains the different vulnerabilities and how they can be exploited. ## Supporting Material/References: [list any additional material (e.g. screenshots, logs, etc.)] * Vulnerability disclose report ## Housekeeping 1. Be sure to read our policy before submitting 2. Provide an XMR address within the report if you wish to receive bounty (assuming that the report is valid) - PoC within a report will most likely result in more bounty than not XMR address: 45jPGGu9QPYSoNgZPuVpbaMcvrKEJ8TGMd4bPc9VVFKWKqmmfUuzEHDi6sremu2H2idVgySvCmam48RvhKCPRDtBTPj2be3 ## Impact A remote attacker (either in control of a public node, or a network adversary monitoring communication to a remote node, or even a remote P2P participant connected to a wallet's local node) can infer when the wallet is the payee of a transaction added to the mempool or mined in a block.