WasabiLeaks — Is Wasabi Wallet Deanonymized?

nopara73
nopara73
Jul 21 · 4 min read

I left Twitter to be able to focus on coding. The plan worked great and my productivity skyrocketed. Little I knew a misinformation campaign by the Samourai Wallet team has started the same time and without the ability to push back on the nonsense it got worse and worse, to the point where journalists are now emailing me about “Concerning Alleged Wasabi’s CoinJoin Implementation Fault.” Just what the hell is going on?
This article is my attempt to clear things up.

[source]

Long story short, the major difference is the Tx0.

No, the major difference is that you send your users’ extpubkeys to your backend server, (formerly to Blockchain.info) so you are able to deanonymize every single mix based on this information. And even if you are trying to technoblabla your Dojo into the equation, the fact that Dojo users are so few that they’re deemed to be the only one you cannot deanonymize in every single mix. Oh, wait, you can, since you are only not familiar with one input and one output in the mix and by exclusion, this is the link.
Regarding tx0, you divide your users’ coins into small chunks from the getgo, while we do this division in the mix itself, because it’s more cost-effective.

With Wasabi if you are mixing 10 BTC, I can trivially track that 10 BTC as it is peeled down into smaller utxos.

Bold claim, would you mind backing it up?

The left over change is part of the mix tx, and thus creates a determinstic link that follows it until completion. You literally leave crumbs along the trail.

Yes, that leftover change is denoted by a big red shield in the wallet. It’s like your very first predivision transaction, you call tx0. Great accomplishment deanonymizing something that wasn’t supposed to be anonymous in the first place.

With Whirlpool you mix 10 BTC and the fee and utxo creation is handled in tx0. After tx0, upon first premix, all certainty is lost, there is no crumbs, there are no deterministic links, there is just the theoretical perfect transaction, for every utxo associated with tx0.

I can just repeat myself: you divide your users’ coins into small chunks from the getgo, while we do this division in the mix itself, because it’s more cost-effective, in fact we do this division by mixing on these changes, so it’s not a little more cost effective, but a lot more. There’s no privacy difference between your tx0 division’s outputs and our unmixed, big red change outputs. Although, our delayed utxo division at least confuses my grandma, while your tx0 predivision doesn’t.

So Wasabi, long peeling chain. Whirlpool no peeling chain, after tx0 you cannot with any certainty connect a single input to a single output.

Fuck you. How can you take a stupid design decision you made and act like it’d be a significant advantage over another project that clearly has its basics right? This is madness.

Additionally Wasabi outputs are in the order in which they are registered, allowing you to make educasted guesses that cluster outputs that you can later cross reference when inputs are inevitably merged to make a spend (no postmix tools).

This is a fair point: the red unmixed changes were easier to get deanonymized (if it wouldn’t be easy enough) because I didn’t care about sorting, since it would give our backend server more information than an outside observer can acquire by looking at a transaction in case of accidental equal outputs on changes. Anyhow we discussed it on a dev meeting and 20 days ago I created and merged a PR with an “it doesn’t hurt to shuffle” argument. Although I still acknowledge the counter argument that sorting coinjoin inputs and outputs are somewhat misleading.

BIP69 would fix this issue, we insisted on BIP69 enforcement within ZeroLink for this very reason. In fact, ZeroLink says they should be ordered “randomly” so AFAIK Wasabi isn’t even following ZL at this point.

ZeroLink says to shuffle normal transaction inputs and outputs. It does not talk about coinjoin outputs. And you fucking know it, because you forked my research, renamed it to “Whirlpool” and reworked it. So the only reason you would be saying this in public is to count on the readers’ ignorance not reading the actual research.

Regarding BIP69, it’d be a great way to do ordering, because it is deterministic, but only a small portion of wallets follow it today, so at this point, compared to shuffling, it is just another privacy leak.

 by the author.

nopara73

Written by

https://www.youtube.com/watch?v=QiySI4-MWww

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade