Saturday, March 7, 2026

Wabisabi Deanonymization Vulnerability "Disclosed"




GingerWallet, the fork of WasabiWallet maintained by former zkSNACKs employees after the shutdown of the Wasabi coinjoin coordinator, has received a vulnerability report from developer drkgry. This vulnerability would allow the complete deanonymization of users' inputs and outputs in a coinjoin round, giving a malicious coordinator the ability to completely undo any privacy gains from coinjoining by performing an active attack.

Wasabi 2.0 was a complete re-design of how Wasabi coordinated coinjoins, moving from the Zerolink framework, which used fixed-denomination mix amounts, to the Wabisabi protocol, which allows dynamic multi-denomination amounts. This process involved switching from homogeneous blinded tokens, used to register outputs and claim your coins back, to a dynamic credentials system called Keyed Verification Anonymous Credentials (KVACs). This would allow users to register blinded amounts that prevented theft of other users' coins without revealing to the server plain-text amounts that could be correlated, and would prevent linking ownership of separate inputs.

When users begin participating in a round, they poll the coordinator server for information regarding the round. This returns a value in the RoundCreated parameters, called maxAmountCredentialValue. This is the highest-value credential the server will issue. Each credential issuance is identifiable based on the value set here.

To save bandwidth, several proposed methods for clients to cross-verify this information were never implemented. This allows a malicious coordinator to give each user a unique maxAmountCredentialValue when they begin registering their inputs. In subsequent messages to the coordinator, including output registration, the coordinator could identify which user it was communicating with based on this value.

By “tagging” each user with a unique identifier in this way, a malicious coordinator can see which outputs are owned by which users, negating all privacy benefits they would have gained from coinjoining.

To my knowledge drkgry discovered this independently and disclosed it in good faith, but the members of the team who were present at zkSNACKs during the design phase of Wabisabi were absolutely aware of this issue.

“The second purpose of the round hash is to protect the clients from tagging attacks by the server, the credential issuer parameters must be identical for all credentials and other round metadata should be the same for all clients (e.g. to ensure that the server is not trying to influence clients to create some detectable bias in registrations).”

It was brought up in 2021 by Yuval Kogman, also known as nothingmuch. Yuval was the developer who designed what would become the Wabisabi protocol, and one of the designers who actually specified the full protocol with István András Seres.

One final note: the tagging vulnerability is not actually addressed without this suggestion from Yuval as well as full ownership proofs bound to actual UTXOs, as proposed in his original pull request discussing tagging attacks. All the data being sent to clients isn't bound to a specific round ID, so a malicious coordinator is still capable of pulling off a similar attack by giving users unique round IDs and simply copying the necessary data and re-assigning each unique round ID per-user before sending any messages.
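The client-side consistency check implied by the round-hash quote and by the round-ID point above, as an added sketch that is not code from Wasabi, GingerWallet or the Wabisabi specification. Only maxAmountCredentialValue is a name from the article; the other field names, the hash construction and the sample values are assumptions, and the check covers parameter consistency only (not ownership proofs) and relies on the coordinator being unable to link the independent views to one client.

```python
import hashlib
import json

# Hypothetical field names, except maxAmountCredentialValue (named in the article).
COMMITTED_FIELDS = ("maxAmountCredentialValue", "issuerParameters", "feeRate")


def round_hash(params: dict) -> str:
    """Hash a canonical encoding of every parameter the client will act on."""
    missing = [f for f in COMMITTED_FIELDS if f not in params]
    if missing:
        raise ValueError(f"round parameters missing {missing}")
    canonical = json.dumps({f: params[f] for f in COMMITTED_FIELDS},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def check_round_views(views: list) -> str:
    """Return the agreed round ID, or raise if the views show signs of tagging.

    `views` are round-status responses for what should be one round, each
    fetched over a separate network identity.
    """
    if len(views) < 2:
        raise ValueError("need at least two independent views to cross-verify")
    ids = set()
    for view in views:
        # Bind the ID to the parameters: a copied parameter set cannot be
        # re-issued under a fresh per-user round ID.
        if view["roundId"] != round_hash(view["parameters"]):
            raise ValueError("round ID is not the hash of the round parameters")
        ids.add(view["roundId"])
    if len(ids) != 1:
        raise ValueError("views disagree: possible per-client tagging")
    return ids.pop()


def make_view(max_amount: int, round_id: str = "") -> dict:
    """Build a constructed sample response (not captured coordinator output)."""
    params = {"maxAmountCredentialValue": max_amount,
              "issuerParameters": "constructed-issuer-params", "feeRate": 10}
    return {"roundId": round_id or round_hash(params), "parameters": params}
```

A client would abort input registration whenever `check_round_views` raises, since either failure means its view of the round is not the one other participants see.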

This isn’t the only outstanding vulnerability present in the current implementation of Wasabi 2.0, created by the rest of the team cutting corners during the implementation phase.


