How the syrius autoreceive feature threatens user privacy

Perhaps you’ve noticed that recently some $PP have been transferred to your address.

This is an interesting and fun experiment, except when coupled with Syrius’ autoreceive feature it could be used for tracking addresses owned by the same user.

What’s the problem?

When a transaction is sent to an address, that transaction remains unreceived until the recipient decides to receive it.

However, the recipient might not get a chance to make that decision. When syrius is opened, as soon as it connects to a synced node, it starts scanning all addresses in the wallet and starts receiving all the unreceived transactions, without giving the user any options.

Similar to how dust attacks work on Bitcoin, this situation could provide a way to track which addresses belong to the same user.

How do we fix this?

The solution is quite straightforward, however this doesn’t mean it’s just as easy to implement as it is to articulate it.

Syrius should provide the user with the option to disable autoreceiving and a way for the user to manually decide which transaction should be received.
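A sketch of the manual-receive triage the post asks for, as an added example that is not part of the original thread and is not taken from the Syrius code base. The `Unreceived` record, the function names, the trusted-sender list, the dust threshold and all addresses are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Unreceived:
    tx_hash: str     # constructed placeholder, not a real hash
    sender: str      # constructed placeholder address
    recipient: str   # one of the wallet's own addresses (constructed)
    amount: int      # in the token's smallest unit

def _fanout(pending):
    """Map each sender to the set of wallet addresses it has paid."""
    groups = defaultdict(set)
    for tx in pending:
        groups[tx.sender].add(tx.recipient)
    return groups

def exposed_links(pending):
    """Wallet addresses paid by the same sender. Receiving all of them in one
    automatic pass is the pattern the post warns about."""
    return {s: sorted(a) for s, a in _fanout(pending).items() if len(a) > 1}

def triage(pending, trusted_senders, dust_limit):
    """Split pending transactions into (receive, hold).

    A transaction is held for a manual decision when its sender is not trusted
    and it is either below dust_limit or part of a fan-out in which that
    sender paid more than one address of this wallet.
    """
    fanout = _fanout(pending)
    receive, hold = [], []
    for tx in pending:
        untrusted = tx.sender not in trusted_senders
        suspicious = tx.amount < dust_limit or len(fanout[tx.sender]) > 1
        (hold if untrusted and suspicious else receive).append(tx)
    return receive, hold

# Constructed sample: one unknown sender pays three wallet addresses tiny amounts.
PENDING = [
    Unreceived("tx1", "addr_unknown", "addr_mine_a", 1),
    Unreceived("tx2", "addr_unknown", "addr_mine_b", 1),
    Unreceived("tx3", "addr_unknown", "addr_mine_c", 1),
    Unreceived("tx4", "addr_friend", "addr_mine_a", 5_000),
    Unreceived("tx5", "addr_rewards", "addr_mine_b", 120),
]
TRUSTED = {"addr_rewards"}

if __name__ == "__main__":
    receive, hold = triage(PENDING, TRUSTED, dust_limit=100)
    print("receive:", [t.tx_hash for t in receive])
    print("hold   :", [t.tx_hash for t in hold])
    print("links  :", exposed_links(PENDING))
```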


Seems like a dusting attack.

I can do it.


Another major issue is that it makes holders vulnerable to auto receiving tainted coins. Problematic for institutional custody (for which Metaco and other custodians implement quarantine addresses for inbound txs, but it’s obviously not offering sufficient protection).


This dust attack was used on THORchain to send tainted / fake rune to holders and when the user tried to access them it stole the real rune in their wallet.


To dispel any concerns of coin theft, I can assure you that it’s not possible with ZTS. They’re not programmable.

You’re right to worry about your privacy, though. Some people have been careless in the past.


We’ve had this discussion before. Balances are scoped to the embedded. So the protocol would need to be broken in order for someone to take the tokens.

Do other L1s have this structure?



That’s accurate, ZTSs are not programmable. The main issue here is privacy.

This is a feature the network already has, it’s just syrius that’s not making use of it.


I’ve added a switch for the auto-receiver in Settings > Wallet Options where users can turn it on or off.

If the user turns off the auto-receiver, unreceived transactions will appear in the Transfer > Pending Transactions widget (below the Latest Transactions) where users will be able to manually pick which transactions they want to receive.

Download the latest Syrius build here.


wow, that was very fast, highly appreciate :pray: Thank you


If not already done, probably a better UX to be able to selectively approve transfers to addresses rather than having to approve each tx manually vs allowing all of them

Hahaha it’s done already! This man is a legend.

This feature gives maximal liberty and sovereignty to your finances.

Also, remember that time they tried blocking transactions/wallets that were tainted because they went through a frowned upon privacy protocol, so then the hacker started sending small amounts to random wallets to taint them as well? It’s just good on every level to have the ability to block unsolicited transactions.


Thanks sir

Scrolling thru the entire transactions to get to pending transactions is tedious, esp if I chose to collect staking rewards daily. Is it possible to bring up the pending transaction widget above latest transactions or in a separate easily accessible location?

wow. Thank you


I’mma need a VPN + TOR + Syrius guide so I can still auto receive all future zhitcoins without compromising privacy, ty.


We can integrate Tor or a similar privacy layer directly into Syrius in a future release.


Good job on the auto-receiver. For other privacy concerns users should opt for the embedded node.


you’re a machine sir :grin: definitely not human


@aliencoder which branch includes the changes for switching the auto-receiver? I’m planning to include the changes in the upcoming Syrius release.


I can confirm the release on Nov 18, 2023 has the auto-receiver and hard coded nodes. I think that was built from master, but I’m not 100% sure. Looks like some stuff was stripped from master too.
