GingerWallet, the fork of WasabiWallet maintained by former zkSNACKs workers after the shut down of the Wasabi coinjoin coordinator, has obtained a vulnerability report from developer drkgry. This vulnerability would permit the whole deanonymization of customers inputs and outputs in a coinjoin spherical, giving a malicious coordinator the power to fully undo any privateness good points from coinjoining by performing an energetic assault.
Wasabi 2.0 was a whole re-design of how Wasabi coordinated coinjoins, shifting from the Zerolink framework using fastened denomination combine quantities, to the Wabisabi protocol permitting dynamic multi-denomination quantities. This course of concerned switching from homogenous blinded tokens to register outputs to assert your cash again, to a dynamic credentials system known as Keyed Verification Nameless Credentials (KVACs). This might permit customers to register blinded quantities that prevented theft of different customers’ cash with out revealing to the server plain-text quantities that may very well be correlated and stop linking possession of separate inputs.
When customers start collaborating in a spherical, they ballot the coordinator server for info concerning the spherical. This returns a worth within the RoundCreated parameters, known as maxAmountCredentialValue. That is the very best worth credential the server will situation. Every credential issuance is identifiable primarily based on the worth set right here.
To save lots of bandwidth, a number of proposed strategies for shoppers to cross-verify this info had been by no means carried out. This enables a malicious coordinator to present every consumer after they start registering their inputs a singular maxAmountCredentialValue. In subsequent messages to the coordinator, together with output registration, the coordinator may establish which consumer it was speaking with primarily based on this worth.
By “tagging” every consumer with a singular identifier on this manner, a malicious coordinator can see which outputs are owned by which customers, negating all privateness advantages they may have gained from coinjoining.
To my data drkgry found this independently and disclosed it in good religion, however the members of the crew who had been current at zkSNACKs in the course of the design part of Wabisabi had been completely conscious of this situation.
“The second purpose of the round hash is to protect the clients from tagging attacks by the server, the credential issuer parameters must be identical for all credentials and other round metadata should be the same for all clients (e.g. to ensure that the server isn’t trying to influence clients to create some detectable bias in registrations).”
It was introduced up in 2021 by Yuval Kogman, also called nothingmuch, in 2021. Yuval was the developer to design what would develop into the Wabisabi protocol, and one of many designers in truly specifying the complete protocol with István András Seres.
One remaining observe is the tagging vulnerability isn’t truly addressed with out this suggestion from Yuval in addition to full possession proofs certain to precise UTXOs as proposed in his authentic pull request discussing tagging assaults. All the knowledge being despatched to shoppers isn’t certain to a particular spherical ID, so a malicious coordinator continues to be able to pulling the same assault by giving customers distinctive spherical IDs and easily copying the mandatory knowledge and re-assigning every distinctive spherical ID per-user earlier than sending any messages.
This isn’t the one excellent vulnerability current within the present implementation of Wasabi 2.0 created by the remainder of the crew slicing corners in the course of the implementation part.
