GingerWallet, a fork of WasabiWallet maintained by former zkSNACKs employees, has encountered a significant vulnerability. Notably, developer drkgry disclosed this vulnerability, which could allow a malicious coordinator to entirely deanonymize users’ inputs and outputs in a coinjoin round, thereby completely nullifying any privacy benefits that the coinjoining process might have provided.
Wasabi 2.0 was a comprehensive redesign of the Wasabi coinjoin coordination approach. The new system transitioned from the Zerolink framework, which utilized fixed denomination mix amounts, to the Wabisabi protocol, which allowed for dynamic multi-denomination amounts. This shift required a move from homogeneous blinded tokens to a dynamic credentials system known as Keyed Verification Anonymous Credentials (KVACs). This system allowed users to register blinded amounts, so the server could prevent theft of other users’ coins without learning plaintext amounts that could be correlated, thereby preventing the linkage of separate inputs’ ownership.
As users start participating in a round, they request information about the round from the coordinator server. The server responds with a value in the RoundCreated parameters, named maxAmountCredentialValue, which is the highest value credential the server can issue. Each credential issuance can be identified based on the value set here.
However, to save bandwidth, several proposed methods for clients to cross-verify this information were never implemented. This omission allows a malicious coordinator to assign each user a unique maxAmountCredentialValue when they start registering their inputs. Thus, in subsequent messages to the coordinator, the coordinator can identify the user based on this value.
By “tagging” each user with a unique identifier, a malicious coordinator can discern which outputs are owned by which users, thereby negating all privacy benefits derived from coinjoining.
It’s important to note that drkgry appears to have discovered this independently and disclosed it in good faith. However, team members who were at zkSNACKs during the design phase of Wabisabi were fully aware of this issue.
Yuval Kogman, also known as nothingmuch, raised this issue in 2021. Kogman designed what would become the Wabisabi protocol and was one of the designers who specified the full protocol, together with István András Seres.
Unfortunately, the tagging vulnerability is not sufficiently addressed without both Kogman’s suggestion and full ownership proofs bound to actual UTXOs, as proposed in his original pull request discussing tagging attacks. The data sent to clients isn’t bound to a specific round ID, meaning a malicious coordinator could still conduct a similar attack by assigning unique round IDs to users: it simply copies the necessary data and reassigns a unique round ID per user before sending any messages.
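As an added illustration, and not code from Wasabi, GingerWallet or Kogman’s pull request, the following Python sketch shows the two client-side defences the article calls for: deriving the round ID from a hash over every round parameter (so a coordinator cannot hand out a copied parameter set under a per-user ID), and cross-verifying the parameters that different clients received (so a per-user maxAmountCredentialValue stands out). Everything except the field name maxAmountCredentialValue is constructed for the example: the other parameter fields, the client labels, the numeric values and the simulated coordinators used as test input.

```python
import hashlib
import json
from collections import Counter
from dataclasses import asdict, dataclass


# Simplified, hypothetical stand-in for the RoundCreated parameters a coordinator
# sends to each client. max_amount_credential_value mirrors the article's
# maxAmountCredentialValue; the remaining fields are constructed.
@dataclass(frozen=True)
class RoundParameters:
    round_id: str
    max_amount_credential_value: int
    coordination_fee_rate: float
    input_registration_end: int  # constructed unix timestamp


def bind_round_id(fields: dict) -> str:
    """Derive the round ID as SHA-256 over a canonical encoding of all other
    parameters. A client can recompute it, so a coordinator cannot attach a
    per-user ID to a copied parameter set without the mismatch being visible."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_round_binding(params: RoundParameters) -> bool:
    """True if the round ID the client was told equals the hash of the parameters
    it was given; False if the ID was assigned independently of the parameters."""
    fields = asdict(params)
    claimed = fields.pop("round_id")
    return bind_round_id(fields) == claimed


def divergent_clients(observed: dict[str, RoundParameters]) -> list[str]:
    """Cross-verification step: given the parameters each client observed for what
    the coordinator claims is one round, return the clients whose parameters differ
    from the most common set. An honest coordinator serves identical parameters
    to every participant, so any non-empty result is a tagging signal (when every
    client was given unique values, all but the first-seen one are listed)."""
    majority, _ = Counter(observed.values()).most_common(1)[0]
    return sorted(label for label, p in observed.items() if p != majority)


# --- constructed coordinators, used only as input to the checks above ---

_BASE = {
    "max_amount_credential_value": 43_000_000_000,
    "coordination_fee_rate": 0.003,
    "input_registration_end": 1_700_000_000,
}


def honest_round(n_clients: int) -> dict[str, RoundParameters]:
    """Every client receives the same parameters and a properly bound round ID."""
    params = RoundParameters(round_id=bind_round_id(_BASE), **_BASE)
    return {f"client{i}": params for i in range(n_clients)}


def value_tagging_round(n_clients: int) -> dict[str, RoundParameters]:
    """Simulates the article's scenario: a unique maxAmountCredentialValue per client."""
    observed = {}
    for i in range(n_clients):
        fields = dict(_BASE, max_amount_credential_value=_BASE["max_amount_credential_value"] + i)
        observed[f"client{i}"] = RoundParameters(round_id=bind_round_id(fields), **fields)
    return observed


def round_id_tagging_round(n_clients: int) -> dict[str, RoundParameters]:
    """Simulates the variant in which the parameters are copied verbatim and only
    the round ID is reassigned per client, with no binding to the parameters."""
    return {
        f"client{i}": RoundParameters(round_id=f"constructed-round-{i}", **_BASE)
        for i in range(n_clients)
    }


if __name__ == "__main__":
    for name, rnd in [("honest", honest_round(3)),
                      ("value-tagging", value_tagging_round(3)),
                      ("round-id-tagging", round_id_tagging_round(3))]:
        bound = all(verify_round_binding(p) for p in rnd.values())
        print(f"{name}: ids bound={bound} divergent={divergent_clients(rnd)}")
```

Either check alone is weaker than both together: a per-user maxAmountCredentialValue produces a correctly bound but different round ID for each client, which only the cross-verification catches, while a copied parameter set with a per-user round ID passes cross-verification of the amounts but fails the binding check.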
This is not the only vulnerability in the current implementation of Wasabi 2.0. These vulnerabilities are the result of the development team cutting corners during the implementation phase. A lesson to be learned here is the importance of robust and secure design, particularly when dealing with sensitive financial transactions that require high levels of privacy and security.