GingerWallet, the WasabiWallet fork run by former zkSNACKs employees following the shutdown of coinjoin coordinator Wasabi, has received a vulnerability report from developer drkgry. This vulnerability would allow full deanonymization of user inputs and outputs in a coinjoin round, giving a malicious coordinator the ability to completely negate any privacy gains from the coinjoin by performing an active attack.
Wasabi 2.0 was a complete redesign of how Wasabi coordinated coinjoins, moving from the Zerolink framework, which used fixed-denomination mix amounts, to the Wabisabi protocol, which allows dynamic multi-denomination amounts. This involved moving from blind, homogeneous tokens used to register outputs (the means of requesting coins back) to a dynamic credential system called Keyed Verification Anonymous Credentials (KVAC). This lets users register amounts in blinded form, which prevents the theft of other users’ coins without revealing to the server plaintext amounts that could be related to one another, and prevents the linking of ownership of separate inputs.
When users start participating in a round, they query the coordinator server for information about the round. This returns a value in the RoundCreated parameters called maxAmountCredentialValue, the highest credential value the server will issue. Every credential issued in the round is identifiable by the value set here.
The proposed methods for clients to cross-verify this information were never implemented, in order to save bandwidth. This allows a malicious coordinator to give each user a unique maxAmountCredentialValue when they begin registering their inputs. In subsequent messages to the coordinator, including output registration, the coordinator can identify which user it is communicating with based on this value.
By “tagging” each user with a unique identifier in this way, a malicious coordinator can see which outputs belong to which users, negating any privacy benefit they might have gained from coinjoining.
As far as I know, drkgry discovered this independently and disclosed it in good faith, but the team members who were present at zkSNACKs during the design phase of Wabisabi were absolutely aware of this problem.
“The second purpose of the hash round is to protect clients from tagging attacks by the server, the credential issuer parameters should be identical for all credentials, and the other round metadata should be the same for all clients (e.g. to ensure that the server is not trying to influence customers to create any detectable bias in the recordings).”
That text was introduced in 2021 by Yuval Kogman, also known as nothingmuch. Yuval was the developer who designed what would become the Wabisabi protocol and, together with István András Seres, one of the authors of the complete protocol specification.
One final note: the tagging vulnerability is not actually fixed without the suggestion from Yuval quoted above, and without proofs of ownership tied to actual UTXOs as proposed in his original pull request discussing tagging attacks. None of the data sent to clients is tied to a specific round ID, so a malicious coordinator can still carry out a similar attack by giving users unique round IDs, copying the necessary data and reassigning each unique round ID per user before sending any message.
This is not the only outstanding vulnerability in the current implementation of Wasabi 2.0, which the rest of the team created by taking shortcuts during the implementation phase.
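To make the two checks discussed above concrete, here is an added illustration (written for this article; it is not GingerWallet or Wasabi code). It shows a client-side check that the round ID commits to the credential issuer parameters, as the quoted suggestion proposes, beside the cross-client comparison that the article says was never implemented. The field names, the JSON canonicalisation and the SHA-256 derivation of the round ID are assumptions chosen for the illustration; the real RoundCreated message and round ID derivation differ. The constructed "tagged round" follows the article's closing note: the coordinator recomputes a round ID per user, so a single client's hash check passes and only comparing parameters across clients reveals the tagging.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace

# Added illustration, not GingerWallet or Wasabi code. The field names, the
# JSON canonicalisation and the SHA-256 derivation of the round ID are
# assumptions chosen to show the check; the real RoundCreated message differs.


@dataclass(frozen=True)
class RoundParameters:
    round_id: str
    max_amount_credential_value: int   # the value the article describes as the tag
    max_vsize_credential_value: int
    min_input_amount: int
    issuer_params: str                 # placeholder for credential issuer public params


def round_id_from_parameters(params: RoundParameters) -> str:
    """Derive the round ID by hashing every other field, so the ID commits to
    the credential issuer parameters and the rest of the round metadata."""
    fields = asdict(params)
    del fields["round_id"]
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_round_id(params: RoundParameters) -> bool:
    """Single-client check: refuse parameters whose round ID does not match
    the hash of the parameters themselves."""
    return params.round_id == round_id_from_parameters(params)


def group_clients_by_parameters(received):
    """Group clients by the hash of the parameters each one received."""
    groups = {}
    for client, params in received.items():
        groups.setdefault(round_id_from_parameters(params), []).append(client)
    return groups


def parameters_consistent(received):
    """Cross-client check: in an honest round every client received the same
    parameters, so exactly one group exists."""
    return len(group_clients_by_parameters(received)) == 1


# --- constructed scenario (sample values, not from any real round) ----------
CLIENTS = ["alice", "bob", "carol"]

_base = RoundParameters(
    round_id="",
    max_amount_credential_value=4_300_000_000,
    max_vsize_credential_value=255,
    min_input_amount=5_000,
    issuer_params="constructed-issuer-params",
)
BASE = replace(_base, round_id=round_id_from_parameters(_base))


def honest_round():
    """Every client receives identical parameters."""
    return {c: BASE for c in CLIENTS}


def tampered_parameters(params, delta):
    """Parameters whose credential value was changed but whose round ID was not;
    the single-client check catches this case."""
    return replace(params, max_amount_credential_value=params.max_amount_credential_value + delta)


def tagged_round():
    """Each client is handed a unique maxAmountCredentialValue, and the round ID
    is recomputed per client, so the single-client check alone does not catch it."""
    out = {}
    for i, c in enumerate(CLIENTS):
        p = tampered_parameters(BASE, i)
        out[c] = replace(p, round_id=round_id_from_parameters(p))
    return out


if __name__ == "__main__":
    for name, rnd in (("honest", honest_round()), ("tagged", tagged_round())):
        print(f"{name}: per-client ID check={all(verify_round_id(p) for p in rnd.values())}, "
              f"cross-client consistency={parameters_consistent(rnd)}")
```

Run stand-alone, the honest round passes both checks, while the tagged round passes the per-client ID check and fails the cross-client one. The second check only works if clients actually obtain each other's parameter hashes through some channel the coordinator cannot forge per user, which is exactly the cross-verification the article says was left out to save bandwidth.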