On Friday the 21st, OXT Research informed those responsible for Wasabi Wallet that it had detected the flaws but, due to disagreements between them, decided to reveal them publicly.

Samourai published this Saturday a detailed report on the vulnerabilities detected in Wasabi Wallet, mentioned in a previous announcement. The study highlights a lack of randomness in the choice of Bitcoin transactions that are included in a CoinJoin mix, which allows an attacker to determine the chosen transaction, thus nullifying the privacy benefits of the mix.

Samourai posted on Twitter that its blockchain data analysis unit, OXT Research, released the technical report with data about the vulnerabilities. “A vulnerability related to the deterministic nature of coin selection in mixing rounds in the Wasabi Wallet has been published by OXT Research.”

OXT Research explains that a malicious user does not usually need to know the logs of ZkSnacks, the company behind the Wasabi wallet, to compromise the privacy of such a wallet. This is due to the nature of the process by which the transactions are mixed.

In the Wasabi operation, OXT Research explains, it is first necessary to choose a target anonymity set, that is, the size of the group of transactions with amounts equivalent to the transaction that we want to mix, with which our transaction will find major complications. After the anonymity set is chosen, the operation goes into a queue to wait for a mixing round that meets the established criteria. Finally, the mix takes place.

If three people with equivalent amounts participate in a CoinJoin, the anonymity set will be 3. The more transactions that participate in a mix, the greater the degree of privacy.

OXT Research also explains the remix process. Take as an example a mix with an anonymity set of 50, that is, the transaction to be mixed and 49 transactions with identical output. For remixing, the output set is selected and mixed again (subtracting the transaction to be mixed).

Wasabi’s reaction to vulnerabilities revealed by Samourai

For the creator of the Bitcoin wallet Wasabi, known by the pseudonym Nopara, the vulnerabilities described by Samourai stem from “false premises and unreasonable conditions.” Nopara said this in a Reddit thread that asked for a response to the accusations.

Nopara, who claims to be wary of anything that comes from the Samourai team, only acknowledges as “correct” the OXT Research claims that there is little randomness during the selection of coins to participate in a mix.

There is an ongoing investigation into the leak of a report from the European Cybercrime Center (EC3) of Europol, in which a set of transactions were carried out with Wasabi, with the participation of the company Chainalysis. The report was able to establish that almost $50 million had been deposited in the Wasabi Wallet, of which 30% came from dark web markets.

While Europol officials acknowledged the difficulty in “unmixing” the Wasabi transactions, they conceded that careless use of this wallet could allow the reversal of the mix and lead to the identification of the transactions.

By Jenson Nuñez.
