Wasabi Wallet - Open Source, Noncustodial Coinjoin Software - page 3.

BlackHatCoiner

legendary

Activity: 1512

Merit: 7340

Farewell, Leo

The vulnerability has been reported by Ginger in here: https://github.com/GingerPrivacy/GingerWallet/discussions/116. I hadn't ever read about it until yesterday. The steps to reproduce are trivial, as you can see. The coordinator issues a different maxAmountCredentialValue for every round-state request, and he can use it to link input and output registration.

So, everything below v2.2.1.0 is now provably trust-requiring.

Quote from: Kruw on December 10, 2024, 09:17:35 AM

Yep, that's exactly how this bug was caught and fixed. Having multiple teams implementing the protocol with open source code is a great advantage for hardening software.

Having multiple teams working on open-source is good, but the numerous poor decisions made by Wasabi developers so far overshadow the greatness of open-source collaboration. I haven't witnessed so many serious vulnerabilities reported in any other privacy software so far...

Kruw

member

Activity: 378

Merit: 93

Enable v2transport=1 and mempoolfullrbf=1

Quote from: Pmalek on December 10, 2024, 05:27:58 AM

Kruw will always tell you how Wasabi is open-source and how you can always inspect the code yourself.

Yep, that's exactly how this bug was caught and fixed. Having multiple teams implementing the protocol with open source code is a great advantage for hardening software.

Pmalek

legendary

Activity: 2730

Merit: 7065

Wasabi Wallet versions 2.2.1.0 and below are vulnerable to a deanonymization vulnerability in the WabiSabi coinjoin protocol. This vulnerability allows malicious coordinators to deanonymize users and link inputs and outputs.

The vulnerability may or may not have been fixed. Kruw will always tell you how Wasabi is open-source and how you can always inspect the code yourself. He will also say that there is no way that a coordinator operator can recover any private information about their users. As usual, it's a load of crap. Whether or not you consider a person like Kruw who wished death on others and defended zkSNACKs' choice to partner with blockchain analysis companies with a passion to be malicious is up to you. I have recommended you stay away from his honeypot service.

Here is an interesting part worth remembering:

Quote

To my knowledge drkgry discovered this independently and disclosed it in good faith, but the members of the team who were present at zkSNACKs during the design phase of Wabisabi were absolutely aware of this issue.

According to this, the team behind Wabisabi and zkSNACKs (the company Kruw worked for and defended until the bitter end) knew about the deanonymization vulnerability. Perhaps it came about by chance or maybe it was left their on purpose...

Sources:
https://www.therage.co/vulnerability-wabisabi-coinjoin/
https://bitcoinmagazine.com/technical/wabisabi-deanonymization-vulnerability-disclosed

Kruw

member

Activity: 378

Merit: 93

Enable v2transport=1 and mempoolfullrbf=1

Wasabi v2.3.1 is out: https://github.com/WalletWasabi/WalletWasabi/releases/tag/v2.3.1

This version is a stability release packed with bug fixes and preparatory changes for upcoming features.

- Bug Fixes
- Settings Layout
- Tor upgraded to v13.5.9
- Buy Anything Button Disabled

Kruw

member

Activity: 378

Merit: 93

Enable v2transport=1 and mempoolfullrbf=1

I plan to create updated video guides for Wasabi, the first one will be on how to use the RPC to make payments directly within coinjoins. If anyone has requests or suggestions for video guides, let me know.

Wind_FURY

legendary

Activity: 2898

Merit: 1823

Quote from: owlcatz on November 24, 2024, 10:30:48 AM

Quote from: ? on November 22, 2024, 12:23:25 PM

I'm very hesitant to touch Monero to me that just screams criminal activity and afraid the spotlight of government agencies will point my way. I'll stick to Bitcoin, sometimes hiding in the light is easier than hiding in the shadows.

There is absolutely nothing illegal about running a monero node - otherwise we'd have heard more news about such. Roll Eyes

https://monero.fail/

I believe he was merely talking about making transactions in the Monero blockchain, not actually "using" Monero by running his/her own full node and actually doing everything in the network through that node.

Plus about making it "illegal" to run your own node, I believe that in any part of the world, no nation-state has the legal infrastructure to make it "illegal".

owlcatz

legendary

Activity: 3570

Merit: 1959

Quote from: ? on November 22, 2024, 12:23:25 PM

I'm very hesitant to touch Monero to me that just screams criminal activity and afraid the spotlight of government agencies will point my way. I'll stick to Bitcoin, sometimes hiding in the light is easier than hiding in the shadows.

There is absolutely nothing illegal about running a monero node - otherwise we'd have heard more news about such. Roll Eyes

https://monero.fail/

Wind_FURY

legendary

Activity: 2898

Merit: 1823

Quote from: Kruw on November 22, 2024, 12:24:20 PM

Quote from: ? on November 22, 2024, 12:23:25 PM

I'm very hesitant to touch Monero to me that just screams criminal activity and afraid the spotlight of government agencies will point my way. I'll stick to Bitcoin, sometimes hiding in the light is easier than hiding in the shadows.

What are you going to do when the government makes Bitcoin illegal? I'm not saying you should embrace Monero, I'm asking how your strategy works in general.

Philosophically, and if we start considering the technical design and design-decisions made behind Bitcoin, should that actually matter? Because what use would decentralization and censorship-resistance have if a group of old men could simply sign a piece of paper to stop the network?

But as a practical matter, I believe CoinJoin and the Lightning Network - as a layer to hide that you actually used an application to CoinJoin, are needed as a general strategy to disconnect the individual's real identity from his Bitcoins.

JollyGood

legendary

Activity: 2534

Merit: 1713

Top Crypto Casino

Quote from: ? on November 22, 2024, 12:35:21 PM

Call me naive but I don't expect the government to make Bitcoin illegal.

That is my initial sentiment too however there is a possibility anything (literally anything) could happen when it comes to governments and law (as well as corrupt governments and unfair laws). When you add various anti-crypto traditional financial lobbying groups to the equation then the matter looks bleak but Bitcoin and crypto have survived thus far. Who knows what will happen in the future.

Quote from: Kruw on November 22, 2024, 12:39:43 PM

Call me a pessimist, but the government made gold illegal.

I think that was classed as a specific event/special case when the markets collapsed but it still did not justify their actions. In theory they could they do it with Bitcoin but it is highly unlikely as far too many people have invested in crypto.

?

Activity: -

Merit: -

Quote from: Kruw on November 22, 2024, 12:39:43 PM

Call me a pessimist, but the government made gold illegal.

Give it time and maybe like Gold bars you will be able to buy Bitcoin at Costco.

Kruw

member

Activity: 378

Merit: 93

Enable v2transport=1 and mempoolfullrbf=1

Quote from: ? on November 22, 2024, 12:35:21 PM

Call me naive but I don't expect the government to make Bitcoin illegal.

Call me a pessimist, but the government made gold illegal.

?

Activity: -

Merit: -

Quote from: Kruw on November 22, 2024, 12:24:20 PM

What are you going to do when the government makes Bitcoin illegal? I'm not saying you should embrace Monero, I'm asking how your strategy works in general.

Call me naive but I don't expect the government to make Bitcoin illegal. They had their shot to do that but now with the introduction of institutional investors there is why too much pressure to incorporate Bitcoin in the traditional financial pillars. Even where Bitcoin is outlawed I couldn't point to a ban that has been effective. Just pushed users to take a more world view of their holdings.

That said government likes to take their cut from the traditional financial pillars. That is something that needs to be considered as Bitcoin becomes folded in. No one wants governments asking for a handout from 21st century investment strategies.

Kruw

member

Activity: 378

Merit: 93

Enable v2transport=1 and mempoolfullrbf=1

Quote from: ? on November 22, 2024, 12:23:25 PM

I'm very hesitant to touch Monero to me that just screams criminal activity and afraid the spotlight of government agencies will point my way. I'll stick to Bitcoin, sometimes hiding in the light is easier than hiding in the shadows.

What are you going to do when the government makes Bitcoin illegal? I'm not saying you should embrace Monero, I'm asking how your strategy works in general.

?

Activity: -

Merit: -

I'm very hesitant to touch Monero to me that just screams criminal activity and afraid the spotlight of government agencies will point my way. I'll stick to Bitcoin, sometimes hiding in the light is easier than hiding in the shadows.

Wind_FURY

legendary

Activity: 2898

Merit: 1823

Quote from: Pmalek on November 20, 2024, 01:58:08 PM

Quote from: Wind_FURY on November 20, 2024, 09:03:21 AM

Plus it's probably better to add a layer of privacy by first sending those outputs you want CoinJoined to yourself through the Lightning Network, no?

That's one way of doing it. You can also opt to go the Monero way and avoid coinjoining altogether. If you have someone interested in swapping their monero for your bitcoin or a service that you don't deem to expensive, you can make that swap.

Move that monero around a bit and exchange it back to bitcoin and into a wallet and address not connected to your identity.

I read a post about an update in BISQ, that the developers will add a feature for Atomic Swaps from Bitcoin to Monero, then Monero to Bitcoin. That's going to be very convenient, especially for users who don't want to use centralized services where they could leak information.

But sending a transaction to yourself through the Lightning Network might still be necessary. Your wallet could also be given a "negative rating" by exchanges and other fiat on and off-ramps if you're using BISQ.

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: Wind_FURY on November 20, 2024, 09:03:21 AM

Plus it's probably better to add a layer of privacy by first sending those outputs you want CoinJoined to yourself through the Lightning Network, no?

That's one way of doing it. You can also opt to go the Monero way and avoid coinjoining altogether. If you have someone interested in swapping their monero for your bitcoin or a service that you don't deem to expensive, you can make that swap. Move that monero around a bit and exchange it back to bitcoin and into a wallet and address not connected to your identity.

Wind_FURY

legendary

Activity: 2898

Merit: 1823

Quote from: Pmalek on November 20, 2024, 08:10:44 AM

Quote from: Wind_FURY on November 20, 2024, 01:01:24 AM

I'm asking for a friend - If a person bought his/her Bitcoins from a centralized exchange, and he/she wants to maintain some privacy before sending his/her coins in cold-storage, are there some centralized coordinators that are currently filtering outputs to prevent their tainting their coordinator's pool?

Even if you used a service that checks your coins for "taint" and "dirtiness" before allowing you to coinjoin, it's not going to trigger any red alarms if the bitcoin came from a known centralized exchange. However, when you do it the other way and coinjoin before depositing to a CEX, you might have to answer a few questions about the source of your coins, why you coinjoined them, etc.

🤔

That's actually a good point. I'll just tell my friend to store them directly in cold-storage and worry about CoinJoins later if he decides to use his coins in those services that shouldn't he connected to his real identity.

Plus it's probably better to add a layer of privacy by first sending those outputs you want CoinJoined to yourself through the Lightning Network, no?

Pmalek

legendary

Activity: 2730

Merit: 7065

Quote from: Wind_FURY on November 20, 2024, 01:01:24 AM

I'm asking for a friend - If a person bought his/her Bitcoins from a centralized exchange, and he/she wants to maintain some privacy before sending his/her coins in cold-storage, are there some centralized coordinators that are currently filtering outputs to prevent their tainting their coordinator's pool?

Even if you used a service that checks your coins for "taint" and "dirtiness" before allowing you to coinjoin, it's not going to trigger any red alarms if the bitcoin came from a known centralized exchange. However, when you do it the other way and coinjoin before depositing to a CEX, you might have to answer a few questions about the source of your coins, why you coinjoined them, etc.

Kruw

member

Activity: 378

Merit: 93

Enable v2transport=1 and mempoolfullrbf=1

Quote from: Wind_FURY on November 20, 2024, 01:01:24 AM

are there some centralized coordinators that are currently filtering outputs to prevent their tainting their coordinator's pool?

Ginger Wallet's coordinator has such a policy.

Wind_FURY

legendary

Activity: 2898

Merit: 1823

Quote from: Kruw on November 16, 2024, 07:45:44 AM

On chain fees are below the monthly median, it's a great time to coinjoin if you haven't taken the opportunity yet!

I'm asking for a friend - If a person bought his/her Bitcoins from a centralized exchange, and he/she wants to maintain some privacy before sending his/her coins in cold-storage, are there some centralized coordinators that are currently filtering outputs to prevent their tainting their coordinator's pool?

He/she doesn't mind the filter, and he/she doesn't need complete privacy. He/she merely wants to disconnect his/her outputs from the centralized exchange.

Topic: Wasabi Wallet - Open Source, Noncustodial Coinjoin Software - page 3. (Read 11758 times)