- Public payments made private?See https://bitcoin.org/en/bitcoin-paperTransactions on the Bitcoin blockchain have infamously bad privacy. Every historical transfer of coins is recorded publicly and permanently, providing a link between the public keys used as inputs and outputs. Satoshi noted this in section 10 of the whitepaper titled “Privacy”:
you don't need to be a "whale" at all in order to receive absolutely zero privacy from a Wasabi coinjoin.
Okay then, I'll call your bluff again- Here's 20 non whale non matching outputs from WabiSabi coinjoins, try to identify the inputs owned by even a single one of the 20 outputs (which would be 5%):
01 bc1q032caguldmlrrztmrwhv5wqveyywdu2rtmd740
02 bc1q6vgwhsfkg343mmh27vc6prg3clsd4xu3p68vyd
03 bc1qre8jjpu8p9taw8j44r39z56vfr4sw64d4wyaj4
04 bc1qarharg76gfcrvskfw46f67vtqzd6hxa9pnspp5
05 bc1q4sexgt2p96x3ytnjjttp59w6mkj00kedal3xze
06 bc1qwrf50wpjws5mhdg2rhdu5hy7nqdtl8z94lp75n
07 bc1qz0tal2udfpr20x793fdw6v8lzp2qze7z5zje64
08 bc1qqw2h7fa3n8vyxgqru664fmft2trl9sqh9kz3fp
09 bc1qsud748whmum4gpt2qu52z8gqlgzcjyvhd5w2a5
10 bc1qctvxddyvxupjj8w82m8w5grzn59arstlrnaauw
11 bc1qq2fl05cmmhkr3pzg8elyr859v2fpcltynrk2j5
12 bc1qvwkrd3aecrvql5j8mqkmketvw6g6qwzt4juprq
13 bc1qhc2565fac4lrgyfq6n0mzc0l86jeptfnv2um9x
14 bc1qat6445gutyl3qdz3zhmdng9cdt92mevjlvaljs
15 bc1qk5f3mz0fetccey4nyyjedlrmqstkz2hmun96ha
16 bc1q4tpvm378a9d4n0xcnjtwfwujtr8eatjzvru8dx
17 bc1qd5epyjpj6vuejdppj24wew5n4n5rzepjx2xnay
18 bc1qgafud63me5mffn00g90ch08jjn5h20umzwxd62
19 bc1q5u3f2ldrtqa7ea79a8hcd8kssgw2gmalk4uej9
20 bc1qa6n7g7r4j3nv78gzgzmuvg56em4guppckqpz7r
Whirlpool is a centrally coordinated coinjoin that implements the ZeroLink coinjoin protocol with a privacy restriction that limits the anonymity you can gain. This restriction is called “tx0”, it is a self spend transaction prior to the coinjoin that allows the trusted coordinator to custody the fee they charge in order to prevent DoS attacks from being costless. Once the coordinator’s fee is confirmed, they allow the outputs created from the premix tx0 to be added to their liquidity pools. There are 4 different liquidity pools with fixed output values:
0.5 BTC
0.05 BTC
0.01 BTC
0.001 BTC
The coordinator then chooses between 5 and 8 participants for a coinjoin round who use blind signatures to create an equal sized output whose origin input is anonymous to all parties. In order to incentivize liquidity, these participants are composed of new entrants (takers of liquidity) and remixers (makers of liquidity). The mining fee for the block space used by remixers is paid for by the new entrants, so the value a user receives from their first round does not change after they are selected to remix in future rounds.
- Can Whirlpool be traced?Yes, the common input ownership heuristic and change output heuristics are revealed by the premix tx0, creating a 100% link between a Whirlpool user’s addresses. Any UTXO that does not
precisely add up to a multiple of 0.5, 0.05, 0.01, or 0.001 (+fees) cannot gain complete privacy. There are no advanced calculations required to determine these links between addresses, they are visible to the naked eye:
Okay, here's all the payments that can be tracked from the two new participants of the Whirlpool coinjoin transaction:
Entrant 1: bc1q03c0443ausjjdxl2h6ud5m8c0dux0zyg3dqdj7 created 0.00170417 BTC in unmixed change sent to bc1q3fduld0l3r8nclyt5p3r7ak675tekurstn55tl. Since this UTXO is not private, the sats were marked as unspendable and have not been recovered by the wallet owner
Entrant 2: bc1qzc8zku26ej337huw5dlt390cy2r9kgnq7dhtys created 0.00191247 BTC in unmixed change sent to bc1qjlltxr443uy236wl4xhpxlr6dgsu0zltlv3m44. This UTXO was used in a second tx0 transaction, creating a huge trail of transactions that could be traced to each other
The 2nd tx0 transaction created 0.00076348 BTC unmixed change which was sent to bc1qehd7gy8rza9mnzm9wnfjhgw82rp47wmqt7vpgy
Since this unmixed change is below the .001 pool minimum, it was consolidated in a 3rd tx0 with 3 other addresses owned by the same wallet:31x8GPqrhzdaxiBJa9N5UisuoxbX1rAnHa
16Gw5WKjbxZmg1zhZQs19Sf61fbV2xGujx
3LZtsJfUjiV5EZkkG1fwGEpTe2QEa7CNeY
The 3rd tx0 transaction created .00200317 in unmixed change which was sent to bc1q2p7gdtyahct8rdjs2khwf0sffl64qe896ya2y5
This was spent in a 0.00190000 payment to 3B8cRYc3W5jHeS3pkepwDePUmePBoEwyp1 (a reused address)
That payment left .00008553 in change that was tracked to 3Dh7R7xoKMVfLCcAtVDyhJ66se82twyZSn and consolidated with two other inputs in a 4th tx0 transaction:
bc1qeuh6sds8exm54yscrupdk03jxphw8qwzdtxgde
3ByChGBFshzGUE5oip8YYVEZDaCP2bcBmZ
This 4th tx0 created .00533406 in unmixed change which was sent to bc1qzh699s75smwukg9jcanwnlkmkn38r79ataagd9 which was consolidated with 3 more addresses into a 5th tx0:
3F2qiWQJKQjF7XFjEo8FUYP3AU5AC6RqX8
3HAYYVKUpYbr2ARMdZJr9yVu8xi8UcxtPz
3GQtwwRK31wwCc22q6WS5sCgixUHsG5KaT
The 5th tx0 created 0.00058494 BTC in unmixed change that was sent to bc1qvh2zjcwwkj9y70xulla2semvlav3lty0p3l3w3
This was spent in a .00047290 payment to bc1qvzg8jq6wqtr5navn4e3ps4qrkk9r6n4h98gjck
That payment left .00008411 in change that was tracked to bc1qg6j0f0wfhpktt2l8uzdn48ct3um2xyur40eyzd and consolidated with another input into a 6th tx0 transaction:
31iZLXWfoywhuMZTPGxTkpzphzh2NXshpP
The 6th tx0 created .00753775 in unmixed change that was tracked to bc1qgfll2apc27yct6h2c8r8wq4kqhxjsfrudhhn5q
This was spent in a .00737000 payment to bc1q5emzer2t0sq5dez0zsrqgh6scvwn0n24xsladp (a reused address)
This payment left 0.00010896 BTC in change which has not been spent yet, but the payment only took place 11 days ago, so I assume it will eventually be spent, allowing the Whirlpool user to be tracked even further.
Postmix transactions can be traced to premix funds when outputs from child rounds of the same premix transaction are consolidated. Consolidation of mixed outputs from the initial round may be unavoidable since users do not have control over whether or not they remix:
The first is the fee to Whirlpool itself, which is a flat fee depending on the pool you are joining.
The flat pool entry fee structure is designed to incentivize worst privacy practices. Since fees are not collected directly based on volume, it is cheaper to participate in a smaller pool and create more outputs than participate in a larger pool and create less outputs. Additionally, it incentivizes revealing common inputs ownership of premix UTXOs since it is cheaper to consolidate them to enter the pool once than to enter the pool with each UTXO individually. Samourai has never explained why they purposely chose a fee structure that heavily penalizes the most private usage of their protocol.
Because of this backwards design, you can easily link premix inputs to postmix outputs in many cases. Notice how this Whirlpool tx0 premix creates 70 outputs for 0.05 BTC -
https://mempool.space/tx/63679c9ec82f246811acbab0c04cc0fc77ba050e1b6c23661d78afcfc13cf8aaNotice how every single input of this Whirlpool exit transaction is a direct descendant of rounds created by the aforementioned premix transaction:
https://mempool.space/tx/ce2f84f7c5ff74fb1da103acb7b279bd34f02f5e9e3a2e1b6417ce8b9b7392dbWhen many inputs used in the postmix exit transaction are created directly from a round that the premix transaction entered, it makes it trivial to trace the user through Whirlpool. Fortunately, the user abandoned Whirlpool and upgraded to using the WabiSabi coinjoin protocol instead, which made him completely untraceable:
https://mempool.space/address/bc1qjjw5gaglkycu2lm5fskl7qhktk0hec4a5me3da
