What is Dandelion++ in Monero?

Dandelion++ is a network-level privacy protocol that hides which node originally broadcast a transaction. Instead of immediately flooding the network (which reveals the origin), transactions first pass through a 'stem' phase (forwarded to a single random peer) before entering the 'fluff' phase (normal broadcast). This makes it nearly impossible to trace a transaction back to its originating IP address.

Is Dandelion++ enabled by default in Monero?

Yes. Dandelion++ has been enabled by default in Monero since 2020. No configuration needed. Every transaction you send automatically uses the stem-then-fluff propagation pattern. You don't need to do anything to benefit from it.

Does Dandelion++ replace Tor for Monero?

No. They protect against different attacks. Dandelion++ hides which NODE first broadcast a transaction from network-level observers. Tor hides your IP address from the node you connect to. Both are important: Dandelion++ for network-level privacy, Tor for connection-level privacy. For maximum privacy, use both.

Can an ISP see my Monero transactions with Dandelion++?

Your ISP can see that you're connected to Monero nodes, but Dandelion++ makes it hard to determine whether a transaction originated from your node or was relayed from elsewhere. However, if you're the only Monero node on your ISP's network, they could infer you're transacting. Tor eliminates this visibility entirely.

How does the stem phase work?

In the stem phase, your node forwards the transaction to exactly ONE random peer (not all peers). That peer then either continues forwarding to one peer (extending the stem) or 'fluffs' — broadcasting normally to all peers. Each node independently decides whether to stem or fluff with a probability that ensures the stem is typically 2-5 hops long. The originator is hidden among all stem participants.

Monero Dandelion++ — How XMR Hides Transaction Origins

TL;DR: Dandelion++ hides which node broadcast a transaction. Instead of flooding the network immediately (revealing the origin), transactions pass through a random "stem" of 2-5 nodes before "fluffing" into normal broadcast. Enabled by default since 2020. No configuration needed. Complements Tor for complete IP privacy.

The Problem: Transaction Broadcast Reveals You

When you send a Monero transaction, your wallet passes it to the node you're connected to, which broadcasts it to all its peers, who broadcast to their peers, and so on. This "flooding" pattern is fast but has a privacy problem: the first node to broadcast is almost certainly the sender.

Without Dandelion++: A network observer watching many nodes can identify which node first propagated a transaction. If they can link that node's IP to a person, they know who sent the transaction — even though ring signatures hide the sender on-chain.

With Dandelion++: The transaction is secretly forwarded through a chain of random nodes before being broadcast. The observer sees it "appear" from a random node in the network, not the real sender.

How It Works: Stem and Fluff

Stem Phase

Transaction passes through 2-5 random nodes, one at a time. Each node forwards to exactly ONE peer.

Secret, linear propagation

→

Fluff Phase

At a random point, a node "fluffs" — broadcasting normally to ALL peers. Standard flooding begins.

Public, normal broadcast

You (sender) → Node A → Node B → Node C → Node D (fluffs!) → all peers

Observer sees: "Transaction appeared from Node D"
Reality: You sent it, but Nodes A, B, C are all equally likely origins

The Decision: Stem or Fluff?

Each node that receives a transaction in the stem phase independently decides whether to continue stemming (forward to one peer) or fluff (broadcast to all). The decision is probabilistic — each node fluffs with ~10% probability per hop. This means:

Average stem length: ~4-5 hops
Minimum: 1 hop (10% chance of immediate fluff)
Maximum: No hard limit, but >10 hops is extremely rare
Timeout: If no fluff occurs within ~5 minutes, the transaction is broadcast anyway

Dandelion++ vs Original Dandelion

Feature	Dandelion (v1)	Dandelion++ (v2)
Stem routing	Fixed path per epoch	Random per transaction
Sybil resistance	Weak (attacker controls path)	Strong (random peer selection)
Graph analysis resistance	Moderate	High
Adopted by Monero	No	Yes (since 2020)
Academic paper	Venkatakrishnan et al. 2017	Fanti et al. 2018 (ACM CCS)

The "++" version was specifically designed to resist adversaries who run many nodes (Sybil attacks). In the original Dandelion, an attacker controlling stem nodes could trace the origin. Dandelion++ randomizes peer selection per transaction, making Sybil attacks much harder.

Dandelion++ vs Tor vs I2P

Protection	Dandelion++	Tor	I2P
Hides TX origin node	Yes	Partially	Partially
Hides your IP from nodes	No	Yes	Yes
Hides activity from ISP	No	Yes	Yes
Built into Monero	Yes (default)	Optional	Optional
Extra latency	Minimal (~seconds)	Moderate (~3-5s)	Moderate (~2-4s)
Configuration	None (automatic)	Manual or Feather	Manual

They're complementary, not alternatives. Dandelion++ hides which node broadcast a transaction (network-level). Tor hides your IP from the node (connection-level). For maximum privacy: use both. Dandelion++ runs automatically; add Tor via Feather Wallet for complete coverage.

Limitations

Dandelion++ is not perfect. Known limitations:

Timing analysis: An adversary watching many nodes can still estimate proximity to the origin based on propagation timing. Dandelion++ significantly raises the bar but doesn't eliminate this attack vector.
ISP-level surveillance: Your ISP can still see you're running a Monero node and transmitting data. Dandelion++ doesn't hide this — use Tor/I2P for ISP-level privacy.
Small networks: If there are few nodes, the stem is short and less effective. Monero's large network (10,000+ nodes) makes this a non-issue.
First-spy attack: If an attacker controls the first stem node, they learn the origin. Dandelion++ mitigates this with random peer selection (attacker needs to control many nodes).

Complete Privacy Stack

Monero's privacy is built in layers. Dandelion++ is one layer:

On-chain: Ring Signatures (hide sender) + Stealth Addresses (hide receiver) + RingCT (hide amount)

Address-level: Subaddresses (unlinkable addresses)

Network-level: Dandelion++ (hide TX origin node) + Tor/I2P (hide your IP)

Future: FCMP++ (full-chain membership proofs — eliminates ring size limitations entirely)