Major Vulnerability In WabiSabi Coinjoin Protocol
A vulnerability in the WabiSabi coinjoin protocol allows malicious coordinators to deanonymize coinjoins. Users are urged to update their wallets immediately.
The team behind the Wasabi Wallet fork Ginger Wallet states to have fixed a vulnerability in the WabiSabi coinjoin protocol that allowed malicious coordinators to deanonymize coinjoins.
The vulnerability affects Wasabi Wallet 2.2.1.0 and below, Ginger Wallet 2.0.13 and below, and the BTCPay Server coinjoin plugin 1.0.101.0 and below. Users are urged to update their wallets immediately.
The vulnerability allows malicious coordinators to track users throughout the coinjoin process, effectively allowing for the correlation of inputs and outputs and the grouping of related addresses, resulting in the ability to deanonymize coinjoins, cluster wallets and reduce the user's anonymity set.
WabiSabi is a fundamental redesign of the ZeroLink protocol, in which all users register the same amounts. WabiSabi, in practice, allows users to register different amounts to the same coinjoin, while the amounts are blinded during the output registration using anonymous credentials.
WabiSabi clients generate anonymous credentials using, among other things, a key parameter, and a maximum amount parameter. Both should remain the same throughout each coinjoin round.
The vulnerability allows malicious coordinators to assign unique maximum amount parameters for inputs and outputs, effectively allowing the coordinator to deanonymize the user – also known as a tagging attack.
The projects now all have different explanations as to how the vulnerability came to be.
According to the Ginger Wallet team, WabiSabi clients only checked the maximum amount parameter once to save on bandwidth, alluding that the vulnerability arose out of a conscious design choice.
Lucas Ontivero, Wasabi Wallet maintainer, claims that a fix was implemented to prevent tagging attacks in WabiSabi in 2021 – an implementation that broke during a recent refactoring, leading to the vulnerability.
Yuval Kogman, one of the lead architects of the WabiSabi protocol, points out that he had previously raised concerns about WabiSabi’s tagging attack mitigation, stating that the issue was known among developers. Kogman describes the implemented fixes as partial.
According to Ginger Wallet, the team performed tests on three of the most popular coordinators and found that the amount value responses were consistent in all cases, leading the team to believe that the vulnerability was not actively exploited.
Independent journalism does not finance itself. If you enjoyed this article, please consider donating to our Geyser Fund.
