Wabisabi Deanonymization Vulnerability Disclosed
GingerWallet, a fork of WasabiWallet, has recently been put under the microscope due to a significant deanonymization vulnerability reported by developer drkgry. This critical flaw has raised alarms in the cryptocurrency privacy community, revealing the potential for malicious coordinators to completely strip away users’ privacy gains obtained from coinjoining.
The vulnerability originates from the Wabisabi protocol, which was designed to replace the former Zerolink framework. The critical component of Wasabi 2.0 includes a shift to Keyed Verification Anonymous Credentials (KVACs), aimed at enhancing user privacy by preventing theft and retaining anonymity. However, this update introduces a unique maxAmountCredentialValue for each user during registration, creating a vector for attacks by a malicious coordinator.
As users enter a coinjoin round, they are assigned a maximum credential value that identifies them across multiple communications with the server. This means that a malicious actor can effectively tag each user, allowing them to trace specific inputs and outputs back to their owners, nullifying the intended privacy benefits.
Past Observations and Future Risks
This issue isn’t new; it echoes concerns raised in 2021 by developer Yuval Kogman, who highlighted the importance of maintaining identical metadata across all users’ credentials to safeguard against server tagging attacks. Despite these discussions, the vulnerability remains unaddressed, alongside other potential holes in Wasabi 2.0, which arose from developmental shortcuts.
As the cryptocurrency landscape evolves, the importance of robust privacy measures cannot be overstated. Users need to be aware of these vulnerabilities and stay informed on updates from developers. The community’s trust in privacy-focused solutions like Wabisabi now hangs in the balance, with developers urged to act decisively to mitigate these security flaws before they are exploited.
Conclusion
In order to genuinely protect user anonymity, it is critical for ongoing developments within GingerWallet and Wasabi to prioritize security updates that address these vulnerabilities comprehensively. The proposed solutions, which involve binding data to specific round IDs and generating full ownership proofs tied to actual UTXOs, must be prioritized to restore confidence among users seeking true anonymity in their transactions.
