On August 20, OXT, Samourai wallet’s research team, released a disclosure claiming that Wasabi wallet’s coinjoin algorithm is deterministic. This means that mixed transactions could be predicted, peeled, and de-anonymized, making the mix totally useless. To discuss the details of this allegation, a basic understanding of CoinJoin, the Toxic Recall Attack, and of course the background of these two privacy wallets is necessary. So, let’s start from there.
The term CoinJoin is self-explanatory: it means joining the coins. It is a solution for people who want to hide their transactions as much as possible, for any reason, so that almost no one can link this pseudonymous string of characters to their real-life identity. CoinJoin makes this happen by aggregating many different inputs and outputs into one single transaction. This big transaction represents everyone involved, so they don’t need to transact individually.
The interesting part of CoinJoin is that most of the final outputs have the same value, and the number of identical outputs is measured by a metric called the anonymity set (anonset). These identical outputs make it extremely hard for an observer to link an output to its sender.
For example, if 10 participants have joined their coins, they will end up with 10 outputs of value 1; this CoinJoin transaction, with an anonset of 10, makes it almost impossible for the observer to point directly at the origins of the outputs.
In other words, you can go into this magic mixer box called CoinJoin, mask your face, dye your hair, change your clothes, get lost in a crowd that looks exactly like you and end up in a destination only known to yourself.
This solution was formally proposed in 2013 by bitcoin developer Gregory Maxwell. You can find the original proposal here.
The short answer to this question would be privacy. When you join your coins with other people’s, you make your transactions less vulnerable to tracking.
As you might already know, the blockchain is designed to be inherently transparent, which can be seen as an advantage or a disadvantage depending on how one views it. The most obvious benefit is that financial corruption and fraud are not easy to commit. On the other hand, it can harm users’ privacy by giving somebody with enough tools, time and data the ability to de-anonymize them.
Additionally, there’s something called fungibility, which, in short, means the interchangeability of an asset. If some specific amount of money is proved to have been involved in illegal activities, it can lose its value. This could call bitcoin into question as a medium of exchange. Coinjoining prevents that from happening.
The Toxic Recall attack, named after the movie “Total Recall”, is an attack on the CoinJoin mixing algorithm. This attack focuses on tracking unmixed change in order to find connections between outputs and inputs with high probability. Some unmixed change outputs can be attached to their inputs with 100% certainty, and some need to be brute forced, meaning that all the possible combinations have to be tried.
In the example below we have an easy target with 5 inputs which has been CoinJoined and resulted in 8 outputs. 4 of them are identical, 1 is an unmixed change that could be accurately linked (due to its value) and the rest could be brute forced by 131 interpretations.
This attack can be carried out if the following assumptions hold:
1. A user only runs one mixing client at a time.
2. The mixing client prevents the combination of mixed outputs and “unmixed change”.
So, it seems under some circumstances it’s doable.
(more info about techniques on CoinJoinSudoku and boltzmann.)
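The value-based linking described above can be reproduced on a toy transaction to see how exposed a given change output is. This is an added example, not code from OXT, Samourai or Wasabi; the amounts are constructed, fees are assumed to be zero, each change value is assumed to be distinct, and the function names are hypothetical.

```python
from collections import Counter
from itertools import combinations

def candidate_funders(inputs, change, denom, max_fee=0):
    """Index tuples of input subsets that could have paid for one mixed
    output of `denom` plus this `change` (fees up to `max_fee`)."""
    target = denom + change
    return [idx
            for r in range(1, len(inputs) + 1)
            for idx in combinations(range(len(inputs)), r)
            if target <= sum(inputs[i] for i in idx) <= target + max_fee]

def audit(inputs, outputs, max_fee=0):
    """Return (denomination, anonset, {change value: candidate subsets})."""
    counts = Counter(outputs)
    denom, anonset = counts.most_common(1)[0]   # the equal-value mixed outputs
    links = {v: candidate_funders(inputs, v, denom, max_fee)
             for v in counts if v != denom}
    return denom, anonset, links

def eliminate(links):
    """Sudoku-style pass: inputs claimed by a change with a single candidate
    cannot fund any other change, so drop overlapping candidates."""
    links = {v: list(c) for v, c in links.items()}
    changed = True
    while changed:
        changed = False
        certain = {v: c[0] for v, c in links.items() if len(c) == 1}
        for v, cands in links.items():
            taken = {i for o, c in certain.items() if o != v for i in c}
            kept = [c for c in cands if not taken & set(c)]
            if kept and len(kept) < len(cands):
                links[v], changed = kept, True
    return links

# Constructed transaction (arbitrary units, zero fee), not real chain data.
INPUTS = [170, 130, 70, 55, 100]
OUTPUTS = [100, 100, 100, 100, 70, 30, 25]

if __name__ == "__main__":
    denom, anonset, links = audit(INPUTS, OUTPUTS)
    print("denomination", denom, "anonset", anonset)
    print("before elimination:", links)
    print("after elimination: ", eliminate(links))
```

The four equal outputs have an anonset of 4, yet every change output ends up tied to exactly one set of inputs once the two certain links rule out the alternative for the third. Real transactions carry fees, so `max_fee` has to be widened and more candidates survive.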
The Samourai research team has released this note, which raises 2 vulnerabilities in Wasabi wallet.
Vulnerability 1: OXT believes Wasabi’s system acts as a deterministic automaton, which means there is no randomness introduced by the client or by the coordinator (the representing transaction) during the selection of the TXOs that will participate in a given mix. This vulnerability could give a persistent observer an opportunity to figure out the coin selection rules and, as a result, make a pretty good guess at the connections between transactions and their next moves.
Wasabi’s Adam Ficsor (nopara73) has responded to this vulnerability by noting that the observer needs to meet many conditions to achieve this, including knowledge of all the UTXOs of all Wasabi wallet users at a given point in time.
In addition, the observer also has to know which coin is being selected for which round. Therefore, it is unreasonable and not a realistic setup. He also mentions a document privately sent to them which failed to predict the moves precisely.
The only case that he confirms is the poor randomness in the GetRegistrableCoinsNoLock method.
Vulnerability 2: this vulnerability concerns unmixed change, the so-called “toxic change”.
Here, the idea is that these toxic change outputs can be viewed as:
1. “beacons of certainty” because it’s possible to identify which mixes have spent the toxic changes.
2. “expected checkpoints” that can be predicted to occur at a given round in absence of any exogenous randomness.
What this means is that, by analyzing the unmixed change and with some luck, the observer will be able to track these changes right to the point.
De-anonymizing each transaction and accurately predicting the following rounds minimizes the privacy of all the other coins. Apparently, this has been proved by OXT, who predicted that a mix of a toxic change would reveal itself after 2 rounds; eventually, after confirmation, it did end up where it was expected.
Wasabi wallet hasn’t commented on the second vulnerability since they believe it is based on wrong premises.
The next couple of paragraphs of the OXT research discuss a scenario where one participant is coinjoining and another participant only observes in order to carry out the attack. She tracks the funds controlled by the CoinJoin participant and runs a slightly modified Wasabi client that logs the details of mix rounds (modifications made in ClientState.UpdateRoundsByStates()).
The Samourai wallet research team announced that they had sent a detailed document to Wasabi so that a tested patch mitigating the concerns in this disclosure could be released to the public. If this condition was not met within 15 days (September 4th), the full details of this disclosure would be published.
Wasabi believes this is just blackmail and a marketing strategy. Therefore, they would not like to engage any further.
The full disclosure was published on that date and is available here.
It might seem surprising but these two wallets are actually based on different implementations of the same core called ZeroLink.
They both contributed to this project to improve privacy and fungibility in 2017.
In 2017, nopara73 reaches out to the Samourai team to cooperate and ZeroLink is formed. But after a while, it seems that each party took a different path for implementation.
2018: Wasabi wallet’s first release.
August 2019: Samourai mentions a single entity named ANON-2300390908 making a Sybil attack towards Wasabi wallet.
July 2019: Samourai discusses differences between Wasabi and Samourai
July 2019: Nopara73 publishes “Samourai is harassing bitcoin devs”
October 2019: “Samourai vs Wasabi Mixing Architecture” is published, which indicates that Whirlpool (Samourai’s mixer) uses more block space and provides less anonymity.
January 2020: nopara73 and shinobi discuss that KYCP’s analysis (created by Samourai) is a naive use of Boltzmann without the application of other ascertainable metadata. In other words, this explorer is biased and the same results might not be achieved with other kinds of explorers.
June 2020: publication of “Toxic Recall Attack — Unwinding JoinMarket Case Study”, which mentions that the Wasabi CoinJoin model has flaws.
It also mentions the European Cyber Centre’s 2-page report on Wasabi, which claims to provide an insight into interactions on the next report.
August 2020: the statement of 2 vulnerabilities in Wasabi is published.
August 2020: An update on the disclosed vulnerabilities in response to comments.
Besides Samourai, there are other sources questioning Wasabi’s algorithm; see also this link and the bitcoin forum discussion about the same topic.
This part is yours to decide. This article’s intention was not to lead you in a specific direction or come to a conclusion but to state facts and gather all the information you need in one place.
You can decide by verifying as much as you can and hearing as many different narratives as possible. In that case, you are going to end up with an acceptable conclusion.