12:02:35 thoughts on incognito extortion and the flood being linked? 12:03:06 incognito could be compromised / always been a honeypot and now flooding + EAE attack is used to de-anon vendors paying the ransom 12:16:37 How do you know it’s incognito flooding ? 12:17:03 Vendors would be paying ransom if they are doxed 12:17:58 Flood is coming from chain analysis company not some dnm 13:16:42 monerobull: why do you think incognito has always been a honeypot? 14:25:27 PSA before today's meeting: it seems Matrix accounts on the matrix.org server still don't receive messages from monero.social accounts. I'd advise people with only a matrix.org account to register a new one on the matrix.monero.social home server (easiest on app.element.io) and use that for now. 14:46:15 Hmm, but people with two Matrix accounts sounds a bit like a recipe for confusion, e.g. if I want to DM them ... 14:47:34 chaser: Thanks. people with matrix.org home servers could also just refresh https://libera.monerologs.net/monero-research-lab a lot during the meeting to see the conversation instead of making a Matrix account on monero.social 14:47:39 Maybe they could come over to the dark side for a while and use IRC directly. Old school, but after an initial shock it doesn't hurt too much ... 14:48:58 ^ Probably someone would need to post that from a matrix.org Matrix account for the intended audience. 14:49:09 Right :) 14:54:42 Is the matrix broken? 14:58:51 Yeah, someone took the green pill. Somehow. 15:01:39 MRL meeting in this room in two hours. 15:05:14 did it taste of apple or pear? 16:17:25 yes, it is a mess. my temporary solution is to use a Matrix client that supports being logged in with multiple accounts (the most feature-rich and cross-platform one seems to be FluffyChat). 16:39:37 to clarify: app.element.io is a way to run a client in the browser, but you can also use your current instance (but then you have to log out) of a Matrix client that supports registering accounts (not all do), or install the same in a different packaging format (on GNU/Linux: your distro's package manager, flatpak, snap, appimage, etc), or install a different one (https://matrix.o 16:39:38 rg/ecosystem/clients/). what matters is to, during registration, set the home server to matrix.monero.social. the trouble of multiple accounts can be helped by using a Matrix client that leds you handle multiple accounts at once. I found FluffyChat to be the most feature-rich such client. 16:46:01 other ways to not miss messages are to refresh frequently the IRC log page (https://libera.monerologs.net/monero-research-lab) or to connect to IRC directly with an IRC client. 16:46:01 (and apologies to every non-matrix.org user for repeating the info from the other side.) 17:01:17 Meeting time! https://github.com/monero-project/meta/issues/981 17:01:29 1) Greetings 17:01:45 Hello 17:02:04 hello 17:04:47 Hello 17:05:09 Hi 17:05:40 2) Updates. What is everyone working on? 17:07:33 me: Working on analyzing the possible spam black marble flood. I have a PDF draft, but it's very rough. I have the draft plots ready to share: https://github.com/Rucknium/misc-research/tree/main/Monero-Black-Marble-Flood/pdf/images 17:07:53 Hiya. Intermittently here, but multitasking 17:08:38 "work" would be an overstatement, but I collected all the measures I can think of that can be effective against a black marble flood: https://github.com/monero-project/research-lab/issues/119 17:09:09 chaser: Thanks a lot :) 17:10:04 Good text, helpful 17:10:54 I worked a little on frontend for lws, but stopped after I discovered woodser was already on it. Otherwise have been working on "remote" scanning for lws. A little more confident that it will be possible without destroying the code, but still a possibility that I punt on the feature 17:12:29 3) Discussion. The large tx volume is still happening. A little lower now, but still filling almost all blocks to the 300 kB minimum limit. 17:13:45 I put some plots here: https://github.com/Rucknium/misc-research/tree/main/Monero-Black-Marble-Flood/pdf/images The most important ones are empirical-effective-ring-size.png, spam-share-outputs.png, and projected-effective-ring-size-non-log.png 17:15:38 If the tx volume is a black marble flood attempt, an effective ring size low enough to allow chain reaction analysis to deterministically figure out the real spend would be the greatest threat. Effective ring size is about 5.5 now. Less than 1% of rings would be drawing black marbles for all 15 decoys. 17:17:49 "projected-effective-ring-size-non-log.png" is a bit depressing, if I understand that correctly: With ringsize 25 the adversary only needs to double blocksize to about 600, and it's again down to 5.5 17:17:53 Doing actual chain reaction simulation would take time. Chervinski et al., (2021) did a chain reaction simulation. Looking at their parameters, I don't think it's a problem now with the suspected spam volume. 17:19:18 Yes. ArticMine suggested raising ring size to 40. 17:19:41 ArticMine should have suggested bumping the min fee 4x :p 17:20:33 bumping fee is not smart. 17:20:48 he did actually, but only the relay fee. I think if fees are modified, it makes sense to do it on the protocol level. 17:20:59 Raising the ringsize with the current technology is relatively costly. Arguably more harmful than bumping the minimum fee imo 17:21:08 Looking at the list from chaser, I don't think we have any immediate "smart" countermeasures 17:21:13 The budget of the suspected adversary is unknown. There was a 24 hour burst of 1in/2out 320 nanonero/byte txs that was either the spammer or a service that paid a lot temporarily to get fast confirmations. The rest of the suspected spam pays fees much lower (20 nanoneros/byte) 17:22:08 a spammer with a truly unlimited budget will always consume 100% of new available block space, making the attach unavoidable. So that's what we're up against 17:22:15 a spammer with a truly unlimited budget will always consume 100% of new available block space, making the attack unavoidable. So that's what we're up against 17:22:18 320 nanoneros/byte is the 3rd tier of fees. The GUI/CLI only increases fees from the 1st to 2nd tier if the txpool is congested. 17:23:38 Can anyone confirm that increasing the ring size would not increase the pruned node storage space very much? 17:26:06 The only way the monero network gets around this is assuming that the attacker doesn't have unlimited resources (since then we have to assume it's a lost cause), and we make it significantly more expensive for them 17:26:30 Don't know enough details about pruning to be sure. But for sure the pruned blockchain growth would also accelerate 17:26:33 no attacker has unlimited budget. we don't know their budget until they stop. the cost requirement is like a fence, what we can do is to raise it in some or multiple ways, which will raise our general defense, and may make an attacker retreat/not raise their volume 17:27:10 I could project the expenditure to achieve some effective ring size. Vary the fee and the nominal ring size. 17:27:19 the cost of raising fees is only passed onto the senders. Higher fees also subsidize mining, making mining attacks more expensive as well, assuming no material change to organic demand 17:28:01 It might be worth trying to guess the realistic amount an attacker would be willing to spend, and trying to model around that. There will always be some implied number there to target 17:28:19 Raising fees could reduce the volume of txs sent by real users. That would increase the adversary's share of outputs, ceteris paribus. 17:28:58 yes, but for them to maintain the same ratio of outputs that we're worried about, the math works in our favor 17:29:04 yay ring signatures :) 17:29:39 for every 1 real tx cost paid by a user, the attacker needs to pay what, 10x that? for a concerning ratio 17:30:09 That's an interesting way to look at it 17:30:23 Raising the ring size is the best deterrence against a black marble attack 17:30:52 Real users and the suspected adversary do not have the same willingness to pay per tx. 17:30:58 Let me put it this way: if making new transactions costs effectively nothing, then even ringsize 100 wouldn't matter, since there's no cost to spam transactions 17:31:33 I'm not saying ringsize is truly irrelevant, it's just that fees matter a lot more 17:32:38 attacker will need to spend exponentially more with higher ringsize ? 17:32:52 IMHO raising the ring size to 40 would be great, given what I know at this point in time. 17:32:58 Of course 17:33:57 Do you mean because of the impact on the output distribution 17:34:02 projected-effective-ring-size-non-log.png tries to accurately project block weight as ring size increases by the way. 17:34:08 Interesting that so far no attempt to drive the effective ringsize lower than about 5, but 5 is still a quite good protection. Is that even useful what they do here, as a black marble attack? 17:35:02 I find this quite a bit puzzling 17:35:12 I'm not going to stand against a ringsize increase. You all should know I've advocated in favor of all the previous ones. But, it would be silly imho to bump the ringsize but do nothing about fees. 17:35:12 Increasing the ringsize has a permanent network cost. Increasing fees has no direct network cost. 17:35:27 let's not rule out that it is organic 17:36:20 ArticMine: I mean because of the estimates that I've done in https://github.com/Rucknium/misc-research/blob/main/Monero-Black-Marble-Flood/pdf/images/projected-effective-ring-size-non-log.png . If nominal ring size is 40, there would still be a healthy effective ring size if the suspected spammer is filling 300 kB blocks. Actually it would be larger than current nominal ring size (16) 17:36:23 sgp - it has social effect, people want to use the cheapest means of transacting 17:36:58 Monero should not compete to be the cheapest network. Monero won't win that fight :p It needs to be a very private option for a totally reasonable cost 17:37:59 yes but people care more about money than privacy, that's why low fees are more attractive with the added "privacy" bonus 17:38:48 I think it might be interesting to brainstorm a bit more about possible forms of "PoW before submitting a transaction" 17:38:51 it doesn't matter if it's organic or not, because we can't know, and we can't afford to think it's the optimistic scenario. and even if it is organic, this event is an invitation to any adversary in the sidelines to come and attack, especially if they see that there is no pushback. 17:38:55 I prefer raising the ring size as the most robust way to address this. However I would not object to fee adjustments as part of the response 17:39:24 Maybe we can connect the amount of PoW needed with some network parameters / network statistics, so normally it's negligible 17:39:42 Raise ring size and slightly adjust fees. Ez. 17:39:45 For txn pow with existing format could just reroll randomizer until some field is sufficiently low/high :- P 17:39:48 Monero is a privacycoin, not a "cheap transactions with privacy bonuses" coin. 17:40:07 There is a technical statistical point to keep in mind. Mean effective ring size = 5.5 does not mean that random guessing success is 1/5.5. Effective ring size is a random variable since decoys are selected randomly. 1/x is a strictly convex fucntion. By Jensen's inequality, E[1/x] > 1/[E[x]. The current probability of correctly guessing the real spend is about 25%. Check empirica l-guessing-probability.png 17:40:10 Liam Eagen to give talk on Bulletproofs++ at MoneroKon 17:40:21 I strongly suggest you hike the fees a higher multiple than the ringsize increase 17:40:47 If the attacker continues to consume the majority of the block space, then they will pay the majority of the fee increase 17:41:11 I am not opposed to a reasonable increase in fees, too. 17:41:55 maybe that's the point of the attack ? so we increase the fees ? 17:42:20 unfortunately the motivation doesn't really matter 17:42:22 as pointed out, it has no effect on privacy 17:42:39 there is absolutely a privacy risk and rucknium demonstrated 17:42:44 Ariel Gabizon will also give a talk on Circle STARKs https://eprint.iacr.org/2024/278 17:42:45 there is absolutely a privacy risk as rucknium demonstrated 17:43:32 these charts are very good, thank you! 17:43:43 I said in Saturday's #monero-community:monero.social meeting that I am planning to write a statistical research CCS to analyze the black marble flooding and other Monero research tasks. Input is appreciated :) . nioCat suggested that I work with ArticMine to model some scenarios. 17:44:25 If the current amount of spam does not change, it won't get much worse than it already is, right? 17:44:26 And Stefanos Chaliasos on Security Vulnerabilities in SNARKs 17:44:58 I understand that people have an emotional attachment to small fees. However, it really is important to consider the consequences of having a super low cost of spam. A low cost of spam makes enforcing privacy protections significantly more expensive (through a much larger, less efficient required ringsize) 17:45:07 Yeah, still working on OSPEAD in parallel, but the black marble is more urgent since OSPEAD adjustments probably have to happen at a hard fork to be safest. 17:45:36 I disagree. A critical part of privacy is to increase the ham transactions. This means increasing the anonymity set 17:45:54 I don't know if this has already been mentioned but although the effective ring size is ~5 wont these decoys that are left be more likely to be older i.e the ones less likely to be the real spends 17:45:59 I would agree with you ArticMine if we already had FCMP 17:46:06 r​brunner: The effect on privacy is not going to become severe quickly if the current tx volume stays the same. It will get worse gradually 17:46:58 Think of drowning the blockchain Surveillance companies in ETH, which is starting to happen 17:47:53 Yes I agree 17:48:12 drowning in ETH? I don't understand 17:48:35 boog900: Yes, this is true for certain investigation scenarios. It makes out of band information over these periods more valuable, if that makes sense 17:48:54 I don't know if I can explain it simply here 17:49:41 boog900: Yes, but https://github.com/Rucknium/misc-research/blob/main/Monero-Black-Marble-Flood/pdf/images/projected-effective-ring-size-non-log.png projects what happens if the spam continues for a very long time at current levels. It doesn't get much worse than effective ring size 5.5 when blocks have 300 kB total weight. Effective ring size about 4.5 I think. 17:49:42 unfortunately, all these will be possible only with a fork 17:50:04 FCMP is the goal. My interim solution is to all for a tx size of around at least 5000 - 6000 which is the estimated size for FCMP 17:50:44 So we have the scaling in place for when FCMP come on line 17:50:50 Why 4x the cost of transactions to be stored permanently if we could instead 4x the cost of fees paid by the attacker for the same privacy improvement 17:51:24 Because that improvement is not assured? 17:51:27 not if they have large budget 17:51:30 chaser: Yes, but the hard fork node parameters need to be ready before the wallet parameters need to be ready. Ring size is node. Decoy selection algorithm with OSPEAD is wallet. 17:51:34 They might be ready to pay 4x 17:52:12 I think we need a sanity check. Are there really reasonable use-cases where a Monero transaction *should* cost less than, say, $0.10? What demand does that actually turn away 17:52:21 increasing fees may even decrease privacy as people will use lower than default fees and just wait longer 17:52:43 They have have paid 16x when we saw the 320 nanoneros/byte burst. 17:53:32 A 4x increase in fees below the minimum penalty free blocksize is part of my proposal. So both 17:54:29 There are a lot of people in the world who would not transact at $0.10 per tx 17:54:45 Well, maybe people would even grudgingly put up with USD 1 as a fee. Does not mean that makes sense as a course of action 17:54:46 currently the cost is $0.004 per tx, right? 17:55:01 I agree 17:56:01 a 4x proposal would make the per tx fee $0.016. Which would cost the attacker how much in USD terms per day Rucknium? Apologies if you don't have the # of txs they make handy 17:56:10 We will need 3D images :D 17:56:10 I will do some more projections on fees, ring size, and privacy impact. 17:56:37 ~$2400 17:57:04 I see about 3 XMR per day spent by the suspected spam now. 17:57:21 And that's why "let's rise fees" is such a slippery sloppy: USD 2400 is still almost nothing for certain adversiaral "use cases" 17:57:35 assuming same tx volume as during peak 17:57:40 so about 98k spam tx/day? 17:57:53 .... and combining this with ring 40 we have an additional ~2.5x 17:58:08 and if monero drops 80% in usd price .... or increase to the same as btc 17:58:48 sadly there's always some implicit price assumption in these calculations, and we can't predict the future. Yay hard forks (or at least soft forks) :p 18:00:00 You mean all on chain like BTC or staying decentralized. There is a big difference here when considering fees and spam attacks 18:00:01 a 4x to fees will bring their cost to roughly $46k/mo, which is still low 18:00:08 IMHO, ways to link fees to the purchasing power of XMR should be researched. Does not mean a formal oracle. 18:00:57 The question here is settlement on chain or on a centralized ledger 18:01:14 Nice idea, but raises the complexity of the system yet again. Already now we may have the most complex fee algorithm of them all 18:01:18 For example, fees could be linked to network hashpower. Since aggregate mining revenue is 0.6 XMR per block and hashpower is proportional to revenue (mostly), maybe that could help. 18:01:48 what centralized ledger? monero was already delisted everywhere! /s, kinda 18:01:57 articmine is your proposal documented somewhere, or just in chats thus far? 18:02:30 I am working on putting this together with documentation 18:02:36 The BTC fees are linked to BTC purchasing power by demand and completely inelastic block space supply. It's not a model to follow exactly, but it has a link there. 18:02:46 I agree that we shouldn't be *too* attached to measuring these costs in dollars. markets are fickle. what we can know is that higher attack costs raise the probabilistic security. 18:03:30 You need to be able to mitigate the spam risk by causing actual USD equivalent costs to a potential attacker, that's what it comes down to 18:03:56 yes, I know it's inevitable, as you said 18:05:44 You can link to USD cost if one assumes no settlement on centralized ledgers. Then the equation of exchange predicts a linear relationship between blocksize and price over time assuming a constant velocity 18:06:20 clearly this attack proves there's no given relationship between blocksize and price 18:06:31 M is constant, assuming V is constant the PQ is constant 18:07:28 add captcha before sending tx /s :D 18:07:39 Most of the recent growth in transactions rates have been below the penalty minimum 18:08:13 With no penalty. pricing 18:09:39 how do you all feel about the resource requirement increase that a larger ring size would impose? can Seraphis/Seraphis+FCMP justify pre-introducing these requirements? 18:10:31 imo, no, not really. But it an important consideration if we consider the other costs reasonable for their advantages 18:10:40 Graphics verification is required in my opinion for the current and subsequent proofs 18:10:57 IMHO, node performance should be benchmarked if ring size would increase to 40. It has to pull lots of data from the database when there are a lot more outputs referenced per ring., 18:11:20 We have to take advantage of parallel processing on CPU and GPU 18:12:04 yes but that takes time, resources, testing, etc. bumping the fee does not take effort and comes with no network costs 18:13:00 if the network fee was raised to $0.10, the attacker would be spending $300k per month. Just to give you an idea of how much the fee matters for these mitigations 18:13:28 versus today's $11k 18:13:46 Not necessarily if the ham drops down by a factor of 10 18:14:09 It is a band aid, not address the issue 18:14:57 do you approach it as "delay that bump as much as possible, hopefully hardware and uplink will grow by then"? 18:15:46 chaser: sure, that's part of this. Performance improves over time. Further, FCMP benefits are far greater than a moderate ringsize increases. We get a lot more benefit for the same cost 18:16:34 Uplink is not an issue, and hardware is heavily underutilized with little or no parallel processing 18:17:11 the cake nodes are already having major issues handling rpc connections fwiw. That can be improved, but not in an immediate fashion 18:17:37 Take the Monero Nodo for example. These devices have a very personal graphics processor that literally sits idle 18:18:06 They could not take advantage of parallel processing 18:18:36 no, it's the speed of the monerod locks (and related) that's the issue. The whole blockchain currently needs to be stored in ram 18:18:46 yes, FMCP is the silver bullet, the cost is that we can't have it at least for over a year, probably more 18:18:48 We have to deal with the cause instead of just focusing on the symptoms 18:18:49 Doesn't the RPC performance have little to do with ring size? 18:19:18 the monero blockchain does not reside in RAM 18:19:31 larger transactions will slow down all connections, read/write, etc 18:19:40 Monero needs to be run on SSD 18:19:42 Not HDD 18:19:47 it is an ssd :p 18:19:50 nvme 18:20:11 cake nodes already need ram cache to keep up 18:20:35 monerod locking is the biggest problem there 18:20:43 absolutely 18:21:00 and again, these things can be solved, but not with a snap of our fingers 18:21:11 _unlike the minimum fee_ 18:21:35 Why is it locking 18:21:38 4x will do nothing to a professional adversary 18:21:45 that's how monerod is written 18:22:09 If there was something like a bitcoin electrum server for Monero, maybe you would not have conflicts: https://blog.keys.casa/electrum-server-performance-report-2022/ 18:22:14 because back in the mists of time, when monerod's blockchain was entirely RAM resident, you needed fine-grained locking to be able to use it safely 18:22:40 with LMDB transactions you don't really need that any more, but it's a major rewrite to change the interaction style 18:23:00 So is this a database issue? 18:23:08 no, the database is lock-free. 18:23:15 it is an interface to the database issue 18:23:19 cake is bottlenecked by the lock implementation currently, yes 18:23:30 So Monero needs to be optimized 18:23:37 Monerod 18:23:42 yes 18:23:47 which they can design around, but that will take months of testing or for a completely fresh rewrite 18:24:10 the whole blockchain_db pile of code is fuggly 18:24:54 but it was a shim layer between the memory-only blockchain and the DB-oriented one, so it is heavily compromised in many ways 18:27:52 I agree with articmine that this stuff can be optimized, at that it's good to take advantage of the performance that we have. But, I also think Monero should have much higher fees to discourage attacks like this, and yes, even micropayments 18:28:25 *even micropayments - step back in adoption ? 18:28:44 and how much of increase would be enough ? because i don't believe 4x will do anything to an adversary like this 18:28:47 I will draw some budget lines and indifference curves :D 18:29:11 thanks rucknium, these are always very useful to use in discussions like these 18:29:12 10 cents is still reasonable territory imo. 18:29:36 10 cents - if price stays at course 18:29:59 sgp_: I can't tell if you're serious or not 😁 18:30:11 I will try to figure out a way to compare these things 18:30:13 if we make changes to the fees and suddently price increases 10x which would not be a sci-fi event - it would grow to $1 USD per tx ? 18:30:26 I know you will :) 18:30:56 Fees impact both ham and spam. To put it bluntly a crude tool. Furthermore imposing an artificially high node relay fee can cause miners to accept transactions directly. This can be a privacy and decentralizion nightmare 18:31:02 soft fork or hard fork, just like we're discussing now. Unfortunately, that's the way it'll have to be to protect privacy before FCMP 18:33:04 there must be a better tool to deter spam. like a PoW required before submitting a txn 18:33:07 Also if the ham falls by 10x then we are effectively back at 0.01 USD from a spam cost perspective 18:33:48 yup, and hooray, we would need to adjust again. I don't see another way around it, unless we find some pow thing promising I guess 18:34:19 seems that PoW until FMCP is the way ? 18:34:33 PoW to submit is even worse. For starters it discriminates against most of the developing world 18:34:39 new plan: everyone needs to have an account at the monero kyc blockchain to send transactions 18:34:44 I suppose it's all the same thing, adding a cost to making txns, whether in monetary fees or in resource costs 18:34:51 :p 18:34:53 PoW spam prevention didn't really work for Nano. They got spammed anyway and had to change their model. 18:35:18 arguably monero has pow as an option already: mine, get xmr, use that to pay fees :p 18:36:01 They are mostly in the tropics, while the spammer can launch the attack from a cold place 18:36:01 Call it the ArticMine attack 18:36:09 we need a surge pricing model that takes network topography into account 18:36:17 to think of it, if adversary can spend 3 XMR per day today, he can surely afford PoW attack 18:36:35 yup, and higher fees will also make a PoW attack more expensive 18:36:40 txns from low volume networks get lower fees 18:38:26 yeah make the fee model so complicated they run away just from seeing it :D 18:38:47 I'm sympathetic to that. or maybe a multi-faceted approach that distributes the "pain": moderate txPoW, moderate ring size increase, moderate minimum free increase, and modifying the median parmeters as Artic outlined. 18:39:20 how do you mean taking network topo into account? 18:39:46 we can't really do it, since we have dandelion / tor / i2p to anonymize txn origin 18:40:52 I mean instead of PoW to submit consider an XMR micro burn to submit. At least it is fair to those in the tropics 18:41:42 assuming none of those existed, we could see when large volumes are coming from clustered network addressese, like all coming from OVH, or Linode, or AWS 18:42:21 that would be a fair trade-off, but a horrible UX. people shouldn't have to understand this choice and make a decision when they transact 18:43:10 It exposes the reality. I do agree it is a horrible UX 18:43:58 I see. I think taking factors external to the blockchain is a very slippery ground. 18:44:52 attacker would just proxify 18:45:01 I still hope somebody will give submit PoW a bit more thoughts. Over the years we must have spent many person months analysing rings, but almost nothing yet where we could go with that 18:45:01 or use a botnet 18:45:04 sure but that slows them down 18:45:35 it would kill accountless public nodes fwiw 18:45:38 And "It did not work for Nano". Yeah, maybe, but we can do better sometimes. See our "Your can't beat ASICs" breakthrough with RandomX 18:45:43 Still I have seen nothing better than a ring size increase combined with a 4x increase in the minimum node relay fee below the minimum penalty free blocksize 18:46:21 What if we did >4x min fee increase 18:46:56 realistically - how do these fees compare to a credit card txn fee? 18:47:21 at some point you just have to acknowledge that there is a cost to a well maintained network 18:47:32 with 4x increase and today's prices, that's $46k/mo in fees 18:47:46 By the way, last meeting I said effective ring size decreases with increased spam in an exponential decay. It is actually hyperbolic decay. The plots look similar. 18:47:47 I don't want to be "only 20% as bad as credit card" for all the hoops you have to jump through with a cryptocurrency 18:48:20 current monero fee per tx starts at $0.0039, or 100x cheaper than a credit card min fee 18:49:05 I react to the thought experiments "What if the fee is 10 US cents" 18:49:15 the US Fed is proposing a cut of the debit card fees to 14.4 cents per transaction 18:49:52 It is a partial solution, which can be implemented without a hard fork 18:50:16 I really don't want to take any of that as a yardstick. "Look how much worse credit cards still are". Yikes. 18:50:18 Just do a fee modification 18:50:47 I think it's a reasonable upper bound to consider, even if the ideal is much less than that if there were no spammers 18:51:48 Credit card fees are a real mess. Even worse when hidden exchange rate surcharges are factored in 18:52:14 what if the "attack" keeps on going after increasing the fee x4 ? 18:52:16 Certainly not what I would use as a standard 18:52:49 at what point should we consider it organic ? after fee is increased to 10$ usd ? 18:53:08 does anyone oppose to $0.10 fee as a sanity check? 18:53:22 Just look at an all-time chart and stop telling it's organic: https://bitinfocharts.com/comparison/monero-transactions.html#alltime 18:53:24 doing it without a hard fork could have minimal effects. people may just not update to the point release. even with a hard fork, if it's only the relay fee, an attacker can coordinate with a pool (send them their tx's). if there is a fee increase, it should happen on the protocol-level. 18:53:28 not as an actual proposal, but "this is roughly in the 'feels correct' territory" 18:53:39 $0.10 fee/tx is too high IMHO 18:53:42 No one anywhere is posting on "how to download a wallet", so we don't have many new users now 18:54:17 Rucknium why do you feel it is too high? 18:54:36 If we have to raise fees to 0.10 US cents per transactions to keep a reasonable level of privacy, IHMO we have simply lost. 18:54:39 I agree 18:54:43 at 10 cents it's 10% of a 1$ coffee 18:54:54 pure rage 18:55:07 Fee increase is a dangerous thing to do 18:55:10 We can ask Monero users in Argentina. 18:55:26 When price pumps 10x, you will hardfork again to decrease fees? 18:55:29 You mean with a fee explosion we make many new friends there? 18:55:44 Good point 18:55:48 sec1: there must be an implied value of XMR before FCMP, it's unavoidable 18:55:50 sech1 - switch to log view, we had many events like this 18:56:01 and add to this the current big exchange delisting 18:56:06 clearly we made an assumption about the price of XMR right now and it was too low 18:56:27 all previous events had news linked to them, like Alphabay starting using Monero 18:56:38 the relationship between blocksize and XMR value did not correlate as articmine had hoped 18:57:16 Big exchange delisting and transactions spike didn't happen on the same day 18:57:22 The skepticism about the spam hypothesis just means it's in my research agenda :). https://mitchellpkt.medium.com/fingerprinting-a-flood-forensic-statistical-analysis-of-the-mid-2021-monero-transaction-volume-a19cbf41ce60 18:57:46 sech1 - didn't happen the same day because of the price drop, people were scared it will go to zero 18:57:55 after dust settled people came back 18:58:04 regarding the $0.10 is too expensive for people in some countries, unfortunately I don't know how we can possibly plan around accommodating this 18:58:22 But first: Assume it's a black marble flood and measure potential impacts and options. Then evaluate the spam hypothesis empirically. 18:58:38 even if we don't hike the fees and the attacker keeps spamming, then users will still be priced out since their transactions have too low of a fee to be confirmed 18:58:43 Binance has closed withdrawals most of the time, they couldn't physically release so many coins to so many users, so I don't believe this connection 19:00:01 large amount of people could use Binance to trade between themself without actually doing it on the chain 19:00:07 the transaction fee will always need to be anchored in real network costs, irrespective of one's ability to afford the transaction fee 19:00:21 We could also think a bit about our limited dev time budget. Every person week going into battling this moves Seraphis/Jamtis and FCMPs further out 19:00:21 I'm not, but I do oppose gauging protocol parameters in dollars. XMRUSD may halve or 5x in a year. 19:01:03 And Seraphis has a much higher ringsize more "naturally" 19:01:07 azunda to move from Binance to on-chain, they first need to withdraw and withdrawals are nowhere near at the capacity needed for this flood 19:01:10 The delisting by Binance eliminated a very significant centralized ledger where settlement of XMR was occurring. This is not unlike what has happened with Bitcoin where centralized ledger settlement has taken over 19:01:23 asticmine same, read my message 19:01:37 You both don't understand that it's just not enough coins there to provide all this flood 19:02:22 Numbers don't add up, so maybe 1-2k transactions per day come from Binance refugees, but not more 19:02:42 And all of a sudden almost magically most people only produce 1 in, 2 out transactions. Nice fairy tale, IMHO. 19:03:06 agreed, this is one of the biggest signs. All 1in/2out is impossible to reconcile at this scale 19:03:09 I understand people want to believe in sudden 5x adoption, but reality is more likely to be some spam 19:03:17 Actually looks at the surge just when Binance delisted. It is close to double 19:03:18 withdrawals were closed but not incoming transactions 19:03:26 they could still do business 19:03:32 now they do it outside 19:03:45 sech1: why are you against raising fees? 19:03:56 because fees are fine? 19:04:00 https://bitinfocharts.com/comparison/monero-transactions.html#3m 19:04:12 Compare to BTC fees (in BTC terms vs XMR fees in XMR terms) 19:04:15 azunda, go a bit back in time and look carefully at block before this attack, how transaction sizes vary if they are "organic" 19:04:15 they're literally the same 19:04:33 you raise fees today, few years down the road you have to drop them because price pumped 10x 19:04:34 stupid 19:05:00 what do you mean fees are fine? fees are supposed to discourage this behavior. Pricing where BTC == XMR makes no sense to me, since the attacker isn't acquiring at those BTC costs 19:05:02 I mean it's a stupid thing to do every time something happens 19:05:05 it's not stupid because the alternative is not having an adequate deterrent 19:05:16 I 100% agree it's shitty 19:05:32 but what else is realistic? not having a deterrent? that's even worse 19:05:32 if it's one or couple more big players that started using some automated tools, the tx could have patterns ? 19:05:52 Really not sure about "no adequate deterrent". They spam well below their technical capacity, no? 19:05:53 If it's a big resourseful attacker, believe me 10x fees won't help 19:05:58 I plotted the daily tx volume of txs with the "spam fingerprint" (1in/2out 20 nanoneros/byte) in Feb and March 2024: https://github.com/Rucknium/misc-research/blob/main/Monero-Black-Marble-Flood/pdf/images/spam-fingerprint-tx-volume.png 19:06:09 Bigger ring size could help better 19:06:18 From about 15,000 to 100,000 in about a day. 19:06:21 we need to draw the line somewhere, else we should just roll out the "we're fucked" map 19:06:28 that was a 50% surge which then quickly ended. 19:06:54 bigger ringsize is a similar lever as higher fees, but with more network costs 19:06:58 Plus I'm against raising fees because it will screw up p2pool miners big time 19:07:14 Not until there is a cheap way to consolidate p2pool payouts 19:07:21 i.e. coinbase outputs 19:07:30 that's the real reason you hate it; is there no way to give people fewer, larger outputs? 19:07:56 That's the main reason but not the only one 19:08:05 the USD price is the other one 19:08:06 IMHO, when (if) ring size increases in next hard fork, make all coinbase output spends ringless like MRL issue #... 19:08:10 if this is an attack, we would need to increase the fee 100x - that's not "ideal". 19:08:24 to even make a dent 19:08:35 You can't just change fees because price is low and fees are cheap. Next you'll have to change them all the time to fit a new XMR price 19:08:36 the ideal state is not being under attack lol. But given we're here, we need to compromise on something 19:09:00 This one: https://github.com/monero-project/research-lab/issues/108 "Coinbase Consolidation Tx Type" 19:09:01 and I'm begging you all for the compromise to not be massive transactions because we can't agree to make transactions more expensive 19:09:31 With the danger of being a heretic: We do not "have to" do something. I can live with ringsize 5.5 and the danger they will spam more until Seraphis and FCMPs. 19:09:34 sgp pushing hard on fee increase 19:09:43 It targets the spam and not the ham 19:10:08 is there a hidden agenda ? /s :D 19:10:12 Given the "shitty" alternatives 19:10:49 Transaction sizes will increase with Seraphis anyway, so why not increase ring size a little before that? 19:10:53 I don't know what you mean by ham, but fees literally target the spammer directly by requiring them to pay more, without costs to nodes. And it also benefits miners (p2pool mini dust outputs aside) 19:10:59 Not to forget that we always only talk about 1 out of 3 privacy mechanisms ... 19:11:22 as I said before, I'm not against a ringsize increase. But I am begging you to additionally hike the fees 19:11:42 Ham legit transactions as opposed to spam 19:11:55 zunda: you must be new here; I've been a (the?) major proponent of most ringsize increases haha 19:12:04 azunda: you must be new here; I've been a (the?) major proponent of most ringsize increases haha 19:12:07 If ring size increase will reduce the efficiency of the spam attack, why increase the fees then? 19:12:27 because fees arguable reduce the efficiency even more 19:12:31 because fees arguably reduce the efficiency even more 19:12:47 i'm from the very beginning, had different names. 19:12:49 Not against an attacker who presumably has huge resources 19:13:17 sech1, if the attacker has near unlimited resources, then a larger ring won't do anything either 19:13:26 we should assume that attacker has close to "infinite" recources when it comes to fees 19:13:30 nor increased fees 19:13:42 they'll just hike their fees and take a higher ratio to account for the stronger ringsize protections 19:14:04 increased fees will only reduce legit on-chain activity, and spam tx will stay the same 19:14:11 which is why we need to accept that they don't have unlimited resources, or else we would need to admit this is all pointless 19:14:28 seems like an attack, on adoption by forcing devs to increase the fee. 19:14:50 if they can afford 3 XMR today, they can afford x4 easily too 19:14:53 Yes "unlimited resources" will overpower everything, that's not a reasonable base for discussion 19:15:11 anyway, I've made my same points three times now. It's clear that most people here would rather have massive transactions than hike the fee to still-reasonable-levels 19:15:43 how long the attacker could sustain the attack while having "just" 1 Mil USD ? 19:15:51 Ring size 40 is 5.5 Kb for 2in/2out, right? Not massive IMHO. 19:15:52 after increase of the fees 19:15:55 Fee increase does nothing against an attacker with infinite money to spend. Fcmp, keep devs focused and keep moving forward is the only answer. 19:16:10 Secretely I almost start to hope that our decision process will sort-of-deadlock like it did regarding tx_extra stay/remove, and we just do nothing. 19:16:22 that's over a 2x size increase, no? 19:16:39 Yes, we are in the 3rd hour of the "meeting". We have run out of new points to make with the current information available. 19:16:50 yes. Only 2x 19:17:09 I think it's more of a psychological attack than a real black marble attack 19:17:15 Guys, let's discuss other solutions please. The fee increase bandaid is pointless in my opinion. I would rather the Monero general fund spend 3 XMR per day to counter-spam and thereby dilute the effect of the attacker until FCMP is deployed. 19:17:19 it's not intensive enough to deanonymize most rings 19:17:32 forcing devs to "do something" 19:17:40 Agreed 19:17:42 sech1 is correct, and so is rbrunner, there is no forced action here. 19:17:47 I proposed increasing the reference transaction size from 3000 bytes to 8000 bytes, but only increasing the minimum penalty free blocksize from 300000 bytes to 400000 bytes. This requires an increase in the minimum node relay fee of 4x 19:17:47 The 8000 byte figure is to accommodate full membership proofs with tx sizes around 5500 bytes vs around 2000 bytes now 19:17:50 if price of Monero goes up by 10x the new fee would be painful to some 19:18:07 Just raising the fees based on an arbitrary American's understanding of what's reasonable is not how things should be done in Monero. 19:18:31 As an interim solution this can also accommodate a ring size of 40 or even more 19:19:24 Can we tie ring size dynamically to spam 19:19:41 No 19:20:07 due to uniformity problem or other technical problem ? 19:20:21 we don't know that. 19:20:57 I prefer ArcticMine's solution, but honestly I don't think this is an urgent situation. I think counterspamming until FCMP comes is something people who are worried about this should do. This doesn't require any hardforks or deployments. 19:22:06 the organic growth we had will counter attack the adversary (if it's adversary) more and more 19:22:26 Uncoordinated counterspam is hard to stop. How do the counterspammers know that the malicious flood is finished? 19:22:27 time is on our side 19:22:46 They don't. But after FCMP it doesn't matter. 19:23:28 Additionally, counterspammers can declare on /r/Monero that we stop counterspamming for a day to see if the attack subsided. 19:24:16 The fundamental issue here is not going to be solved until FCMP, no matter how many bandaids you apply. 19:25:11 Alex | LocalMonero | AgoraDesk: "The fundamental issue here..." I agree. 19:25:31 There is also the possibility of multiple black marble attackers working against each other. This attack only works with only one spammer 19:25:37 (It's a live system and people depend on it for privacy now FWIW.) 19:26:22 yes, as was stated last time, we're looking for the least bad strategy (in case we're looking at all) 19:26:27 Does anybody want to start a counterspam task force? Let's make a group and coordinate this. PM me. 19:28:06 burn 3xmrday on tx spam or fund FCMP development with it 19:28:36 AFAIK, FCMP development doesn't lack funding. 19:29:58 what we really need is more adoption, this attacks would be worthless if we had 100x more real tx 19:30:21 plowsof: why not both? 19:32:26 that is very unwise, for the reasons I outlined in my summary on Github. you don't want to make Monero's privacy depend on the unverifiable altruistic actions of trusted parties. moreover, you don't want Monero to be *seen* like that. it would create a disastrous reputation, which would also reflect in the price. 19:33:09 Like it or not, rings are a weak point of XMR and have been for a while. 19:33:31 That is my understanding. If I understand correctly ring 40 would also significantly mitigate the spam. So this looks like a valid option 19:33:33 If you're worried about the marbles, without FCMP, this is one solution. 19:33:37 localmonero should fund a tumbler address then. every piconero sent to it will be churned over and over. it can have a vanity address "Sp4mt4skforce" 19:34:21 increasing it was the best idea so far but i would leave fee alone as increasing them by 4x or even 10x will do nothing to let's say chainalysis company that earns millions of dollars 19:34:29 and it will only harm adoption which fixes this 19:34:53 *increasing ring size 19:35:05 as articmine suggested 19:36:01 I asked last summer if it lacked talent; the answer was no. 19:37:34 Has there been any effort to reach out to cake, changenow, trocador, localmonero to see if there is any significant bump in usage since binance delisting 19:37:35 Yes FCMP needs more talented labour. 19:37:52 Having capital does not mean that you have labour. 19:38:35 <1​23bob123:matrix.org> Torcador just ask morpheus 19:39:17 <1​23bob123:matrix.org> Not in this room tho 19:39:30 Assuming that yes, it still doesn't explain away the 1 in/2out flood. 19:41:17 a​zunda: you realize a >2x increase in the transaction size also means an implied >2x increase in Monero fees right? Just making sure 19:41:27 I posted charts of Bisq daily trade numbers and volume in the #monero-research-lounge:monero.social . there is nothing there that would explain this volume (not that it would matter). 19:41:56 a​zunda: you realize a >2x increase in the transaction size also means an implied >2x increase in Monero fees per transaction right? Just making sure 19:42:54 yes 19:43:21 Not if you increase the minimum penalty free blocksize by the same amount.. 19:43:30 nice 19:47:16 ArticMine: I really hope you ask for Cake's opinion before you double node requirements lol. Their monthly node cost is already thousands of dollars. They already move over 200 TB/mo 19:47:44 sgp - and how much do they earn ? 19:48:21 it's probably a fraction of their income... 19:48:27 *small fraction 19:49:12 In my proposal the minimum penalty free zone would be increased by half. So in terms of the current penalty free blocksize this is equivalent to 150000 bytes. With quadratic scaling the fee would fall back to the current at 300000 bytes equivalent or 800000 bytes. 19:49:21 so on one hand we have a company that earns a lot of money to pay a bit more for their servers and on the other hand ALL users of Monero 19:49:25 I don't think we know how increasing ring size affects remote node performance. How much of the ring sig data actually needs to be sent to wallets? 19:49:44 not that I wish ill on Cake, but calibrating the protocol according to the needs of large centralized RPC providers is quite against the ethos of decentralization. 19:50:15 Pruning eliminates most rig sig data and it is not supposed to affect wallet operation at all. 19:51:25 If you need to keep the whole blockchain in RAM, prune the node in RAM. 19:51:38 so we can assume roughly 50% more p2p traffic with this proposal? 19:52:14 unless there's something else I'm missing 19:54:08 A better solution in my view is to optimize monerod and support large scale parallel processing on CPU and GPU. This will help all users both large and small 19:55:33 boog900, hinto , SyntheticBird45 : Any comments about how cuprate plans to parallelize? 19:57:23 It is 2.5x in bandwidth, and the same as expected for FCMP 19:57:59 FCMP 19:58:43 the issue is that cake can't whip up a custom, prod-ready lmdb reader in a week. In time for FCMP, sure 19:59:36 This hard fork will not happen in a week. Seriously 20:02:04 ArticMine: When you have a range of fee and blocksize adjustment options available, I can do some modeling. 20:03:11 better and we will have no locks for RPC requests. 20:03:11 For my last CCS while I was implementing Monero's consensus rules in Cuprate I made an RPC scanner to test them, it gets data like outputs from public node's RPC. I ran it side by side with monerod doing full verification and the RPC scanner completed first around 170,000 blocks ahead 20:15:42 👍 20:16:32 monerod was ahead until RCT and then the RPC scanner started to catch up, over taking around block `2428000` 20:19:02 that's great news. for scanning speed, is that number relevant though (blocks per full chain scan)? wouldn't a metric like "tx type 6 rings per second" be more descriptive? 20:20:53 some thoughts as im reading through logs. re: raising the fence. adding a tx-pow might do stuff. oh i see rbrunner7 brought that up. And yeah, somehow hooking the PoW difficulty into tx_pool size could be interesting. I share the concern about "real" fees re: the need to have lots of ham for monero's ring sigs to work right. And yeah Rucknium , i've talked about tieing fees to h ashpower. i personally think hashrate is closes we can get to a within-chain metric of monero's extrinsic value. ArticMine , how does PoW to submit discriminate against most of the developing world? I'd imagine the PoW requirement for a single tx would be minimal, but if we could somehow find a way to connect the PoW requirement to volume. Perhaps its at the peer level. I.e., I al ready received a transaction from this peer within the past 10 usec. I need a higher PoW to receive another. 20:25:21 Those exact numbers don't really mean anything more just the point that we are requesting outputs for rings over RPC and we completing verification faster than monerod getting them locally and that monerod becomes significantly slower around RCT. 20:25:22 We don't have a working database yet so until then I don't think any measurements of how fast we can verify txs will be completely accurate. I am planning to bench Cuprate vs monerod more thoroughly though when more is done. 21:05:22 I realize I'm late to the party, but this has been discussed elsewhere. Network difficulty serves as a responsive and trustless Oracle to the purchasing power of the coins. You should consider setting fee as a function of difficulty 21:43:22 it is being considered, with the latest mention two messages before yours (hash power and difficulty are highly positively correlated). it looks like now a good deal of the messages from monero.social users are making it through to the matrix.org home server, but maybe some earlier mentions are not visible to you. 21:44:48 Ah great. Sorry for the noise then 😅 22:08:28 A really rough draft of my initial privacy impact estimates of the suspected black marble flooding: https://rucknium.me/html/monero-black-marble-flood.pdf 22:09:20 It's basically a writeup of the methodology for the plots I shared earlier. This version will be accessible at that link for about 24 hours. 22:22:41 Thanks for the preview. 22:29:07 1) The cost of PoW is dependent on the ambient temperature. This is a common misconception regarding PoW. People do not take the cost or value of the heat produced into account. Most developing countries are at or near the tropics. 22:29:07 2) The processing impact is going to be higher on older less capable devices. Again this is more prevalent in poorer developing countries. 22:32:25 The attacker can on the other hand launch the spam from a cold developed country. Canada comes to mind. So think of this as the ArticMine attack. It works best when it is nice and cold. Say -40 22:32:37 C or F 22:34:24 The spammer stays warm using the heat produced by the attack in face of the very cold temperatures 23:30:35 that was an enlightening part of your Monerotopia interview: the way the current protocol provides security is very energy-efficient (the only parties doing PoW are specialized and can be at the most efficient locations, regardless of where users are). but I want to point out that in a protocol with txPoW, the reasons for hashing aren't the same: miners hash for the block reward a 23:30:35 nd fees above penalty; senders hash for inclusion. you can't offload txPoW to miners; the practical equivalent would be to simply raise fees. 23:31:19 it would be a sci-fi event 23:32:07 Proof of Work (PoW) on mobile devices? How many transactions per second does the attacker need to perform right now? And how many VPS can easily handle it? It's absurdly easy to scale for an attacker. Unless you want mobile users to do PoW for a few hours before they can broadcast a transaction. 23:32:16 yeah, they stay warm but they get extremely throttled. and/or they have to own a lot of IPs (of course, ipv6 or i2p/tor negates this). meanwhile someone in the tropics doesn't need to hit as high a diff, because the node that receives their transaction hasn't seen a tx from that IP yet. a lot of moving parts with that one though 23:34:40 i think you could tie it to peer ID. Node A goes "man, there are a lot of txs coming from Peer B. I'm going to only accept txs from B if they submit a higher difficulty" 23:35:44 https://matrix.monero.social/_matrix/media/v1/download/monero.social/eenMzjFuRGnlzhUJnjllEnSu 23:35:56 We might have a TX stuck in the mempool since ~40 minutes 23:35:56 weird 23:36:51 wheres the data pulled from 23:38:18 My public node 23:38:20 so node A goes "OK, i'll remake the package with a higher diff" and then sends it. 23:43:41 ok, let's note we are talking about two distinct txPoW designs: 23:43:41 1. one is enforced on the network level, tied to node identities 23:43:42 2. the other enforced on the protocol level (I have been referring to this so far) 23:49:11 network-level txPoW offers some interesting options (e.g. for wallets that use RPC providers, the provider could take on the burden of the txPow). however, just like with the minimum node relay fee, this can be circumvented by a black marble attacker by colluding with the mining pools. 23:49:48 of course, if thats the case, node B would know that node A was the originator of the tx 23:50:14 but a standard operation of a node would be to repackage some transactions that get kicked back 23:50:23 i think this ends up being a graph theory thing 23:50:31 how did neo do it or whatever the coin was 23:50:54 did they have any fancy stuff? 23:51:51 chaser: , ah, protocol level. yeah that could make sense too. 23:52:08 honestly the "colluding with mining pools" is like... well, nothing holds together with that branch of logic 23:52:34 regarding a PoW-based blockchain cryptocurrency network. IMO. 23:57:28 why doesn't it? in the standard Nakamoto setting, which applies to Monero too, miners are solely interested in turning their expenditure on hardware and electricity to money, in the way that provides the widest profit margin. they couldn't care less about the ethos of a network, its health, its community or any such factor. we are not at the mercy, nor under the protection, of miners.