Incognito is vulnerable to dusting attacks. However, attackers have less chance than other public chains !!!
First, this kind of attack focuses on UTXO based ledger and the objective is deanonymized the owner of crypto-assets when they have more than one address to receive crypto-assets (eg., hierarchical deterministic wallets). In case the owner uses only one address for all transactions, the problem becomes trivial.
The attackers will have less chance than other public chains. The reason is for each transaction, some random existing UTXOs will be used to mix with the real UTXO. Thus, the attacker only can guess that some of their dusting UTXOs are used by someone. They cannot confirm 100% because maybe one of the dusting UTXOs is only a decoy input.
This kind of attack is easy to fix. Some suggestions for Incognito Chain:
- Implement a mechanism to detect dusting attack transactions.
- Don’t use dusting UTXOs, or only use one dusting UTXO per transaction (attackers cannot analyze or combine to deanonymize the owner)
- Consider disabling “Defragment UTXOs with small value” feature. This action will let the world know who are you.