GingerWallet, the Wasabi Wallet fork maintained by former zkSNACKs employees after the Wasabi coinjoin coordinator shut down, has received a vulnerability report from the developer drkgry. The vulnerability allows users' inputs and outputs in a coinjoin round to be completely de-anonymized, giving a malicious coordinator the ability to undo any privacy gained from coinjoining by performing an active attack.
Wasabi 2.0 was a complete redesign of how Wasabi coinjoins, moving from the Zerolink framework with fixed-denomination mix amounts to the Wabisabi protocol, which allows dynamic, multi-denomination amounts. This involved a shift from monolithic tokens for registering outputs and claiming coins back, to a dynamic credential system based on Keyed-Verification Anonymous Credentials (KVACs). KVACs let users register amounts hidden from the server, which prevents theft of other users' coins without revealing plaintext amounts to the server that could be linked, and prevents ownership of separate inputs from being linked.
When users begin participating in a round, they poll the coordinator for information about the round. This returns a value in the RoundCreated parameters called maxAmountCredentialValue. It is the highest credential value the server will issue, and every credential issued in the round is bounded by this value.
To save bandwidth, several methods that were suggested for clients to verify this information were never implemented. This allows a malicious coordinator to give each user a unique maxAmountCredentialValue when they register their input. In every subsequent message to the coordinator, including output registration, the coordinator can determine which user it is communicating with from this value.
By "tagging" each user with a unique ID in this way, a malicious coordinator can see which outputs each user owns, negating all the privacy benefits they would have gained from coinjoining.
To my knowledge, drkgry independently discovered this and disclosed it in good faith, but team members who were present at zkSNACKs during the Wabisabi design phase were fully aware of this issue.
The second purpose of round hashing is to protect clients from tagging attacks by the server: credential issuer parameters must be identical for all credentials, and other round metadata must be the same for all clients (e.g. to ensure that the server is not trying to influence clients to create some detectable bias in the registrations).
This was raised in 2021 by Yuval Kogman, also known as nothingmuch. Yuval was the developer who designed what would become the Wabisabi protocol, and one of the authors who formally defined the complete protocol together with István András Seres.
A final note is that the tagging vulnerability is not fully addressed without this proposal from Yuval, together with full ownership proofs tied to the actual UTXOs, as suggested in his original pull request discussing tagging attacks. Because the data sent to clients is not bound to a specific round ID, a malicious coordinator could still perform a similar attack by giving users unique round IDs and simply copying the necessary data and reassigning each user's unique round ID before sending any messages.
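To make the round-hashing defence concrete, here is an added Python sketch of the client-side checks the text describes. It is illustration only, not code from GingerWallet, Wasabi, or the report: the parameter field names, the canonical-JSON serialization and the SHA-256 round hash are assumptions made for this example, and the issuer parameters are placeholders. It shows the local check (the published round ID must equal the hash of the parameters, so one round ID cannot carry per-client values) and the cross-client check (clients that compare the round hash they derived expose a coordinator that hands out distinct round IDs instead), which is the gap the paragraph above notes.

```python
"""Round-parameter hashing as a client-side defence against parameter tagging.

Added illustration. Field names, serialization and hash choice are assumptions
for this example, not the real Wasabi/GingerWallet wire format.
"""
import dataclasses
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class RoundParameters:
    """Subset of what a coordinator announces for a round (constructed fields)."""
    round_id: str                      # identifier the coordinator publishes
    max_amount_credential_value: int   # largest amount credential the issuer signs (sats)
    max_vsize_credential_value: int    # largest vsize credential the issuer signs
    amount_issuer_params: str          # hex of issuer public parameters (placeholder)
    vsize_issuer_params: str           # hex of issuer public parameters (placeholder)
    input_registration_end: int        # unix timestamp


def round_hash(params: RoundParameters) -> str:
    """Derive the round identifier from every parameter except round_id itself.

    Canonical JSON (sorted keys, no whitespace) gives every client the same byte
    string for the same parameters, so the hash commits the coordinator to one
    set of values per round id.
    """
    fields = asdict(params)
    fields.pop("round_id")
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_round_params(params: RoundParameters) -> bool:
    """Local check: refuse a round whose published id is not the hash of its parameters."""
    return params.round_id == round_hash(params)


def parameters_consistent(observations: Iterable[RoundParameters]) -> bool:
    """Cross-client check: every client must have derived the same round hash.

    A coordinator handing each client a different maxAmountCredentialValue can
    only pass verify_round_params by also handing out different round ids; that
    divergence is visible as soon as clients compare the hashes they computed.
    """
    return len({round_hash(p) for p in observations}) == 1


def make_params(max_amount: int, round_id: Optional[str] = None) -> RoundParameters:
    """Build constructed sample parameters; round_id defaults to the honest hash."""
    base = RoundParameters(
        round_id="",
        max_amount_credential_value=max_amount,
        max_vsize_credential_value=255,
        amount_issuer_params="00" * 33,   # placeholder, not real issuer parameters
        vsize_issuer_params="01" * 33,    # placeholder, not real issuer parameters
        input_registration_end=1_700_000_000,
    )
    return dataclasses.replace(base, round_id=round_id or round_hash(base))


def honest_round() -> bool:
    """Three clients receive identical parameters: both checks pass."""
    clients = [make_params(2**40) for _ in range(3)]
    return all(verify_round_params(p) for p in clients) and parameters_consistent(clients)


def tagged_round_same_id() -> List[bool]:
    """Per-client max values announced under one round id fail the local check."""
    rid = round_hash(make_params(2**40))
    clients = [make_params(2**40 + i, round_id=rid) for i in range(3)]
    return [verify_round_params(p) for p in clients]


def tagged_round_distinct_ids() -> Tuple[bool, bool]:
    """Per-client values, each with its own matching id, pass locally but not cross-client."""
    clients = [make_params(2**40 + i) for i in range(3)]
    return all(verify_round_params(p) for p in clients), parameters_consistent(clients)


if __name__ == "__main__":
    print("honest round:", honest_round())
    print("per-client values, shared id:", tagged_round_same_id())
    print("per-client values, distinct ids:", tagged_round_distinct_ids())
```

The local check alone is what round hashing buys: a coordinator cannot vary a hashed parameter while keeping one round ID. The third scenario is the residual problem the text points to, since a coordinator that issues a distinct, self-consistent round ID per client passes every local check, and only a comparison between clients (or ownership proofs bound to the round) makes the divergence detectable.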
This is not the only high-profile vulnerability present in the current implementation of Wasabi 2.0 that was introduced by the rest of the team during the implementation phase.