GingerWallet, a fork of Wasabi Wallet maintained by former zkSNACKs staff after the shutdown of Wasabi's coinjoin coordinator, received a vulnerability report from developer drkgry. The vulnerability allows complete deanonymization of a user's inputs and outputs in a coinjoin round: a malicious coordinator performing an active attack can fully reverse whatever privacy benefit the coinjoin provided.
Wasabi 2.0 was a complete redesign of how Wasabi coinjoins coins, moving from the ZeroLink framework, which used fixed-denomination outputs, to the WabiSabi protocol, which allows variable amounts across multiple denominations. Part of this change was replacing the uniform blinded tokens, one per output registration, with a more flexible credential scheme called Keyed-Verification Anonymous Credentials (KVACs). KVACs let users register amounts anonymously in a way that prevents anyone from spending other users' coins, without revealing the plaintext amounts to the server and without letting the server link the different registrations to one another.
When a user starts participating in a round, the client polls the coordinator for the round's state. Among the RoundCreated parameters it returns is a value called maxAmountCredentialValue, which is the largest amount the server promises to issue a credential for. Every credential issued in the round is validated against the value set here.
To save bandwidth, many of the proposed ways for clients to verify this information were never implemented. This lets a malicious coordinator hand each user a unique maxAmountCredentialValue when they first register an input. In every subsequent message to the coordinator, including output registrations, the coordinator can identify which user it is talking to from this value.
By “tagging” each user with a unique identifier in this way, a malicious coordinator can see which outputs belong to which user, negating all of the privacy benefit they could have gained from the coinjoin.
As far as I know, drkgry discovered this independently and disclosed it in good faith, but the team members present at zkSNACKs during the design of WabiSabi were well aware of this issue.
“The second purpose of the round hash is to protect clients from tagging attacks by the server: the credentialing parameters must be the same for all authentications and other round metadata must be the same for all clients (e.g. to ensure that the server isn't trying to influence clients to create some visible bias in registration).”
It was raised in 2021 by Yuval Kogman, also known as nothingmuch. Yuval was the engineer who designed what would become the WabiSabi protocol, and one of the designers who defined the full protocol together with István András Seres.
One last point: the tagging vulnerability was never addressed beyond this proposal from Yuval and the full proof of identity tied to the original UTXOs, as proposed in his original pull request discussing the tagging attack. The data sent to clients is not bound to a specific round ID, so a malicious coordinator can still carry out the same attack by giving each user a unique round ID, copying the required data, and reassigning it to each user's unique round ID before sending any messages.
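The two checks the article says were left out, that the round ID commits to the round parameters and that those parameters never vary per client or per message, are easy to state in code. The following is an added example, not GingerWallet or Wasabi code; the message shapes, the field names (max_amount_credential_value and friends) and the SHA-256-over-canonical-JSON round ID are assumptions of this example, and the transcripts are constructed. It shows a client that rejects a coordinator handing it a different maxAmountCredentialValue under a shared round ID, and one that changes the value between messages. It deliberately does not catch the final case the article describes: a coordinator that builds a fully self-consistent, unique round per client passes both checks, which is exactly why round-ID binding alone was judged insufficient.

```python
import hashlib
import json


class RoundParameterMismatch(Exception):
    """Raised when a coordinator message is inconsistent with the committed round."""


def round_id_for(params):
    # Canonical serialisation then SHA-256. This encoding is an assumption of the
    # example, not Wasabi's actual round-id construction.
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class CoinjoinClient:
    """One client's view of a round; rejects anything that could serve as a per-client tag."""

    # Parameters that must be identical for every client and repeated unchanged in every message.
    CHECKED = ("max_amount_credential_value", "max_vsize_credential_value", "fee_rate")

    def __init__(self, round_created):
        params = round_created["parameters"]
        rid = round_created["round_id"]
        # Check 1: the round id must commit to the parameters we were shown.
        if round_id_for(params) != rid:
            raise RoundParameterMismatch("round id does not commit to the advertised parameters")
        self.params = dict(params)
        self.round_id = rid

    def accept(self, message):
        # Check 2: every later message must carry the same round id and the same values.
        if message["round_id"] != self.round_id:
            raise RoundParameterMismatch("round id changed between messages")
        for key in self.CHECKED:
            if key in message and message[key] != self.params[key]:
                raise RoundParameterMismatch(f"{key} changed: {self.params[key]} -> {message[key]}")
        return True


def run_client(messages):
    """Feed a client its full message sequence; return 'ok' or the rejection reason."""
    try:
        client = CoinjoinClient(messages[0])
        for msg in messages[1:]:
            client.accept(msg)
        return "ok"
    except RoundParameterMismatch as exc:
        return f"rejected: {exc}"


# Constructed sample parameters (amounts in satoshis are illustrative only).
HONEST_PARAMS = {"max_amount_credential_value": 4_300_000_000,
                 "max_vsize_credential_value": 255,
                 "fee_rate": 10}
HONEST_ID = round_id_for(HONEST_PARAMS)


def honest_round():
    """Constructed transcript: both clients see identical, correctly committed parameters."""
    created = {"round_id": HONEST_ID, "parameters": HONEST_PARAMS}
    later = {"round_id": HONEST_ID, "max_amount_credential_value": 4_300_000_000}
    return {name: [created, later] for name in ("alice", "bob")}


def tagging_round():
    """Constructed transcript: bob is handed a unique max value under the shared round id."""
    alice = honest_round()["alice"]
    bob_params = dict(HONEST_PARAMS, max_amount_credential_value=4_300_000_001)
    bob = [{"round_id": HONEST_ID, "parameters": bob_params},
           {"round_id": HONEST_ID, "max_amount_credential_value": 4_300_000_001}]
    return {"alice": alice, "bob": bob}


def drifting_round():
    """Constructed transcript: parameters are committed, then silently changed later on."""
    created = {"round_id": HONEST_ID, "parameters": HONEST_PARAMS}
    later = {"round_id": HONEST_ID, "max_amount_credential_value": 4_300_000_001}
    return {"alice": [created, later]}


def evaluate(transcripts):
    """Map each client name to the outcome of running the checks over its transcript."""
    return {name: run_client(msgs) for name, msgs in transcripts.items()}


if __name__ == "__main__":
    for label, transcript in (("honest", honest_round()),
                              ("tagging", tagging_round()),
                              ("drifting", drifting_round())):
        print(label, evaluate(transcript))
```

Both checks are local to a single client, which is the point: nothing here requires clients to compare notes. The residual gap, a coordinator that gives each client its own consistent round, can only be closed by something clients can verify against a shared reference, which is what the UTXO-bound identity proof the article mentions was meant to provide.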
This is not the only prominent vulnerability in the current Wasabi 2.0 implementation created by the entire team cutting corners during the implementation phase.
