# Analyzing Wasabi with KYCP.org

Jan 13, 2020 · 6 min read

Wasabi produced a coinjoin with only 5 participants . This opens the door for a unique opportunity: it is possible to take a look at KYCP’s analysis on this transaction and compare it with the real mapping of the transaction, which is obvious just by looking at it in any block explorer.
Larger Wasabi transactions are problematic, not only because figuring out what’s going on manually is difficult, but also because analyzing them without sophisticated assumptions and heuristics is impossible, due to the exponentially growing complexity in solving subset sum problems.

At the first glance, KYCP’s analysis is just strange. Let’s uncover the real mapping by looking at the transaction in another block explorer instead:

# The Real CoinJoin Mapping

`inputs 0–3` have values of `~0.097` and `input 4` has a value of `~0.388`.
Regarding the outputs, every participant gets back `~0.0969`, and there’s a coordinator fee `~0.001` and a change `~0.291`. It cannot be easier to uncover the real mapping of this transaction:

But that’s not what is shown in KYCP. Why is that?

Let’s see what’s the deal with the coordinator address. We know that nobody got back their money to the coordinator address, thus it has no links with any input. KYCP correctly identifies the Wasabi coordinator address being `output 0`:

But it links inputs to the coordinator address, which is not right. Upon further examination of the links new mysteries emerge.

It identifies `51%` linkability from `input 1` (`~ 0.097`) to the coordinator address. Another `51%` linkability identified from `input 2`. And they also identify a `94%` linkability from `input 3` to the coordinator address.

# Analyzing KYCP: Input Merging

KYCP identified `input 0` and `input 3` as an input merge. We know that every input is a unique participant based on the equal number of outputs, so this isn’t the case. There’s a theory though where the analysis went wrong.

`input 0` is the smallest input: `0.09691275 BTC`, and the mixed outputs have a value of `0.0969102 BTC`. The difference is `0.00000255 BTC` . Thus `input 0` did not pay coordinator fees, but only paid network fee. KYCP may account for coordinator fee all the time, but not everyone pays coordinator fees in Wasabi. As a side note there are cases when the smallest input gets back more money than it puts into the mix, so even if the analyzer lets the coordinator and network fees go, it should also account for some further error.

# Analyzing KYCP: Change

We also know for a fact that `output 6` (`0.291`) came from `input 4` (`0.388`), as this guy was the only participant with a large amount.

KYCP does a better job analyzing the unmixed change, but surprisingly it still isn’t precise. The linkability is not `94%`, it is `100%`. And what’s the deal with the remaining `6%` anyway?

# Analyzing KYCP: Output Merge

KYCP linked `output 1` and `output 6`, which is of course wrong. However it is possible to tell where the analysis went wrong this time.

The output linking by KYCP happened because both of those outputs are registered to the same coinjoin. Because of this, we know exactly they are not only aren’t linked, but they cannot be from the same user, as Wasabi wouldn’t register more than one input into a coinjoin when both inputs are larger than the minimum registration amount. So where did KYCP make the mistake?

It naively applied the most well-known Blockchain analysis heuristic: The Common Input Ownership Heuristic:

Every input of a transaction belongs to the same entity.

And what is the most well-known exception to this heuristic? CoinJoin.

# Conclusion

KYCP’s analysis on Wasabi coinjoins is unreliable, as it does not even resemble the real mapping of the transaction in the simplest possible case:

# Update

It’s been pointed out that KYCP is aware that they are applying common input and output ownership heuristics to coinjoins incorrectly, as they include the incorrect heuristic into their own definition:

Input/output merges show inputs coming from the same tx, and outputs spent with the same tx, thus belonging to the same wallet or collaborating together (no merge = good privacy).

## Is it open source?

Since KYCP rolled out two new updates based on this article: 1.2.6, 1.2.7, it warrants making sure the above provided definition wasn’t modified, but curiously archive.org caches show blank pages and the GitHub repository only consists of autogenerated code like this:

# EDITORS NOTE:

Some errors were made in the above article in regards to what the “input merge” and “output merge” metrics on KYCP signify. These metrics are meant to show that inputs share a predecessor transaction, or outputs share a descendant transaction, not necessarily to show common ownership. This metric is very misleading in relation to coinjoins in both the terminology and graphical layout. The results of this metric mean very different things applied to coinjoins versus normal transactions. The interpretation of the meaning of these metrics was inaccurate in this article.

This does not alter the analysis of probabilities assigned to linkages to Wasabi coordinator fees, or the unmixed change output. (All the information of how Wasabi fees are calculated is open-source and possible to cross check). The overall point of this article, errors aside, was to point out that KYCP’s analysis is a naive use of Boltzman without the application of other ascertainable metadata. Boltzman is a useful tool, and it is good such things are being developed and improved in the space, but this does not give an end all be all measurement of your privacy. Adversaries attempting to deanonymize users will not apply Boltzman or other heuristics in a vacuum, they will weight the results of those heuristics with whatever other available metadata they have.

That was the core point of this article, that Boltzman applied in a vacuum (and what is displayed on KYPC) has definitive margins of errors because KYCP does not apply other available metadata to weight heuristics.

-Shinobi

Written by

Written by