GingerWallet, the WasabiWallet fork maintained by former zkSNACKs employees after the closure of the Wasabi coinjoin coordinator, received a vulnerability report from the developer drkgry. The vulnerability allows full deanonymization of a user's inputs and outputs in a coinjoin round, giving a malicious coordinator the ability to completely undo any privacy gained from the coinjoin by conducting an active attack.
Wasabi 2.0 was a complete redesign of how Wasabi coordinates coinjoins, moving from the Zerolink framework, which mixes amounts of a fixed denomination, to the Wabisabi protocol, which allows dynamic amounts across multiple denominations. This involved switching from homogeneous blind tokens, used to register outputs and claim coins, to a dynamic credential system called Keyed Verification Anonymous Credentials (KVAC). This lets users register blinded amounts, preventing the theft of other users' coins, without revealing to the server plaintext amounts that could be correlated to link the ownership of separate registrations.
When users begin participating in a round, they query the coordinating server for information about the round. This returns a value in the RoundCreated parameters called maxAmountCredentialValue. This is the highest-value credential the server will issue, and every credential issued is bound to the value set here.
To save bandwidth, the several proposed methods for clients to cross-check this information were never implemented. This allows a malicious coordinator to hand each user a unique maxAmountCredentialValue when they begin registering their inputs. In subsequent messages to the coordinator, including output registration, the coordinator can identify which user it is communicating with based on this value.
By "tagging" each user with a unique identifier in this way, a malicious coordinator can see which outputs belong to which users, negating any privacy benefit they could have gained from coinjoining.
To my knowledge, drkgry discovered this independently and disclosed it in good faith, but the team members who were present at zkSNACKs during the Wabisabi design phase were absolutely aware of this issue.
"The second purpose of the round hash is to protect clients from tagging attacks by the server, the credential issuer parameters must be identical for all credentials and other round metadata must be the same for all clients (e.g. to ensure that the server does not try to influence clients to create any detectable bias in the logs)."
This was written in 2021 by Yuval Kogman, aka Nothingmuch. Yuval was the developer who designed what would become the Wabisabi protocol, and one of the designers who actually specified the entire protocol with István András Seres.
A final note is that the tagging vulnerability is not addressed without this suggestion from Yuval, together with the proofs of ownership tied to actual UTXOs proposed in his original pull request discussing tagging attacks. The data sent to clients is not tied to a specific round ID, so a malicious coordinator could still perform a similar attack by giving users unique round IDs and simply copying the necessary data, remapping it to each user's unique round ID before sending any message.
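The following is an added example, not code from GingerWallet or Wasabi, of the client-side cross-check described above: a canonical round hash over the parameters that must be identical for every participant, and a check that flags a field (here the maxAmountCredentialValue tag, or a per-user round ID) that differs between what several clients received. Only maxAmountCredentialValue is a field name taken from the write-up; the other field names and the sample values are assumed for the example.

```python
import hashlib
import json

# Round parameters a client receives when it joins a round. Only
# maxAmountCredentialValue is a real WabiSabi field name; the other
# names and all values are constructed for this example.
HONEST_PARAMS = {
    "roundId": "round-7",
    "credentialIssuerParameters": "issuer-pubkey-blob",
    "maxAmountCredentialValue": 4300000000000,
    "minInputCount": 50,
}

# Fields that must be identical for every client in a round. A value that
# differs per client lets the coordinator tag that client.
ROUND_INVARIANTS = ("roundId", "credentialIssuerParameters",
                    "maxAmountCredentialValue", "minInputCount")


def round_hash(params: dict) -> str:
    """Canonical SHA-256 over the invariant round parameters.

    Clients that agree on this hash received the same parameters; a client
    whose hash differs was handed something unique to it."""
    canonical = json.dumps({k: params[k] for k in ROUND_INVARIANTS},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def tagged_fields(observations: list) -> set:
    """Cross-check the parameters several clients saw for the same round.

    Returns the invariant fields that were not identical across all
    observations; an empty set means no tagging was detected."""
    differing = set()
    for field in ROUND_INVARIANTS:
        if len({json.dumps(o[field], sort_keys=True) for o in observations}) > 1:
            differing.add(field)
    return differing


def accept_round(my_params: dict, reference_hash: str) -> bool:
    """Client-side gate: refuse a round whose parameters do not match the
    reference hash every participant is expected to have agreed on."""
    return round_hash(my_params) == reference_hash


# Constructed scenario: client C is served a unique maxAmountCredentialValue.
CLIENT_A = dict(HONEST_PARAMS)
CLIENT_B = dict(HONEST_PARAMS)
CLIENT_C = dict(HONEST_PARAMS, maxAmountCredentialValue=4300000000001)

if __name__ == "__main__":
    print(tagged_fields([CLIENT_A, CLIENT_B, CLIENT_C]))  # {'maxAmountCredentialValue'}
```

The same check catches the round-ID remapping variant, since roundId is part of the hashed invariants.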
This is not the only outstanding vulnerability in the current Wasabi 2.0 implementation that resulted from the rest of the team taking shortcuts during the implementation phase.