Breaking wasabi and automated wallets
Udi Wertheimer
1127 96A8 DFCA 1A96 C8B8 0094 9211 687A D298 9B12
https://twitter.com/kanzure/status/1137652130611978240
Trigger warnings
Before I begin, some have told me that sometimes I tend to be toxic or provocative. So let's start with some trigger warnings. This presentation might include bad jokes about bitcoin personalities. It might have some multiplication. I might say "ethereum". There's also a coinjoin warning. If this is triggering to you, then it's okay to leave. The bad jokes are really objectively bad. Otherwise, I hope you stay because I am trying to make this approachable.
Coinjoin
Here is a coinjoin transaction. The goal is to delink a UTXO's past from its future. This is great for identity separation. The output amounts must be equal otherwise the coinjoin adds no privacy. Coinjoin is not magic, so be careful about post-mixing activity on the blockchain. In fact, the behavior of other peers on the network can impact the anonymity you gain from this. This is contrary to the general assumption that coinjoin generally increases your privacy. If someone else in the coinjoin announces which outputs are theirs, then it is obvious which ones are not theirs. You could also have a sybil attack where everyone in the coinjoin is just one person, and you join it, and you think you are anonymizing your outputs but if everyone else in the coinjoin is the same person then they know which outputs are yours.
Wasabi wallet
Wasabi is a wallet with standard features. You can manage your keys, you can use hardware wallets, you can send and receive coins, and you can do manual coin selection for selecting which coins you want to spend, which could help you manage your identity. It also has some intelligent usage of Tor where it makes sure the wasabi server or other peers won't be able to link various actions that you do, by using a different Tor identity every time. Also, wasabi wallet allows you to do coinjoins. The user selects some coins that they want to mix. These coins are added to a local queue and one at a time wasabi wallet will attempt to add them to a round with other wasabi coins and create a coinjoin transaction. This can take a long time. If you have 10 outputs you want to mix, then you need about 10 rounds to mix them because each round has a fixed size. You will probably have to leave your computer on until you have enough rounds with enough participants to get the coinjoin.
The wasabi wallet uses a coordinator called wasabi coordinator. They are using a chaumian coinjoin where they are not supposed to be able to link which inputs belong to which outputs. They shouldn't be able to gain information about you. Also, they are not supposed to be able to steal funds, but maybe they could.
What this talk is about
I am going to talk about a few things that an attacker might be able to do with wasabi. One thing is they could try to deanonymize you, and another is take more funds than you might expect. I am not going to break Chaumian coinjoin but rather talk about practical concerns of daily usage of wasabi wallet. It's mostly edge cases related to wasabi being an automated wallet. As an automated wallet, the wallet makes some automated decisions for you. Lightning clients or bisq are somewhat automated clients. Whatever is not validated on the client side of your wallet is maybe a security hole.
Automated wallets
Automated wallets are also called smart contracts. They have direct access to your private key and they are allowed to use it. They make non-interactive decisions for the end user, like choosing to make a transaction, choosing the size of transactions, choosing fees, and these things can affect the integrity of your funds. This could affect your privacy or the availability of your funds, because maybe they are going to be locked for some period of time.
These are like smart contracts-- usually we think of smart contracts as an object, but I see it more as an abstract thing where you want to spend funds and you want some conditions to apply when you're spending them and you want to verify the conditions apply. Anything that does this could be considered a smart contract.
Wasabi is automated because it needs to make decisions for you. When you queue up coins to be mixed, there's a bunch of things that you don't decide. For example, what fee are you going to pay to the coordinator, or for mining the transaction? It will decide the denomination of the round, because it's trying to optimize the bitcoin amount going into that round. It's also going to optimize for ring mixing, which is entering additional mixing rounds after you have done one mixing round.
Remix attacks
What is a remix? It's multiple things. A remix attack is when you have an amazing song and then a grammy-award winning rapper destroys your song completely with a remix. That's one remix attack. But I'll talk about another one. In Wasabi wallet, the user sets an anonymity target where he says I want my coin to be mixed until it reaches an anonymity set of 50, and if it isn't reached then I want it to go through additional rounds of coinjoin. When wasabi wallet tries to analyze whether it should put a UTXO in an extra remixing in the queue, the way it does that is by doing some heuristics on figuring out whether the output was part of a coinjoin. Another way to do this would be that the wallet would just- if it knows that it's one coinjoin, then it knows it should add it to another round. That's not what wasabi does. It looks into every transaction, it assumes it could be a coinjoin and if it is then it would try to add it. The way it figures out if it is a coinjoin is just based on whether the transaction looks like a coinjoin, and it makes some assumptions based on the number of inputs and outputs. If the target anonymity set isn't reached, then the coin is added to another round.
Say two users get their coins in a coinjoin and after a few rounds of mixing they have some identical outputs on different scriptpubkeys. Wasabi publishes a list of all the coinjoin transactions that it does, because it's easy to figure that out anyway. It's easy to identify coinjoin transactions. This is normal usage so far. There's nothing wrong with doing a coinjoin and then later publicly stating what you just did. So far there's no link between our two users. However, say you suspected that these two users are the same individual. So you will construct a transaction that looks like a coinjoin transaction where he owns the inputs and creates four outputs, two of the addresses are from the suspected users that we previously saw. When Wasabi sees this transaction on both ends, both on the two users' ends, what the client sees is a transaction that seems like a coinjoin with an anonymity set of 2 because there's only 2 outputs, and it would assume that you would want to remix them and enter them into a future round. If it happens to be that the two users are the same person and using the same instance of Wasabi wallet, then the wallet will take both of the coins and insert them into a queue for mixing in the future because the wallet thinks it needs more mixing. If this happens, then the adversary has proof that they are the same person because they are used in the same wallet. You had wasabi wallet running overnight because it was doing the mixing, but maybe wasabi made a decision overnight while it was working that breaks your privacy.
For remix attacks to work, the wallet has to be opened and unlocked. In order to make coinjoins, the wallet needs to know your private key. You need to input your password into your wallet. The only way to do this in the UI is to already queue some coins. So this only works if you have some coins queued up for mixing. Now, outputs could get mixed separately but as an attacker you're hoping that they are not mixed separately but you don't know for sure which will happen. Also, you need to have a very clear suspect. This attack is not cheap, you will have to spend around 0.1 BTC for mixing in wasabi so you will have to pay something like that to have a chance of maybe proving what you want to prove... but maybe the attacker has more money than your country so maybe he can afford to pay a lot. So, it's possible.
End users should be aware that the wallet makes decisions for you. Maybe use a different wallet account. Wasabi wallet supports multiple accounts, maybe use one for each identity you want to have. Maybe turn off automatic re-queueing and manage it manually. If some coin doesn't meet your target anonymity set then maybe requeue it yourself based on your own understanding of what's going on. For the Wasabi wallet, maybe don't show or queue outputs that we already know were sent to a previously used address; or maybe don't support any address reuse, or don't requeue reused addresses. If some coins arrive at an address that was previously used, spend them together in the same transaction; in other words, never spend just one coin from the address, always spend all of the coins locked in that address. Someone tried to fix this, they tried to hide dust amounts or small amounts, and improve coinjoin detection heuristics. The other options are under discussion at the moment.
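The following is an added example and is not code from the talk or from Wasabi wallet. It models the remix edge case described above with a toy wallet: a shape heuristic that treats any transaction with several inputs and at least two equal-valued outputs as a coinjoin, the per-output anonymity set derived from that, and the automatic re-queue decision. The probe transaction, the address labels (A1, B1) and the 0.1 BTC denomination are constructed for the example; the `skip_reused` and `auto_requeue` switches stand in for two of the mitigations listed above and are hypothetical, not Wasabi settings.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TxOut:
    spk: str    # scriptPubKey, written here as a hypothetical address label
    value: int  # satoshis


@dataclass(frozen=True)
class Tx:
    txid: str
    n_inputs: int   # only the input count matters for the shape heuristic
    outputs: tuple  # tuple of TxOut


def equal_amount_counts(tx):
    return Counter(o.value for o in tx.outputs)


def looks_like_coinjoin(tx):
    """Toy version of the shape heuristic the talk describes: several inputs
    and at least two outputs of identical value. The real detector is more
    involved; this is only enough to show the remix edge case."""
    return tx.n_inputs >= 2 and max(equal_amount_counts(tx).values(), default=0) >= 2


def output_anonset(tx, index):
    """Anonymity set the toy wallet credits to one output: the number of
    outputs in the same transaction that carry exactly its amount."""
    return equal_amount_counts(tx)[tx.outputs[index].value]


@dataclass
class ToyWallet:
    own_spks: set
    target_anonset: int = 50
    auto_requeue: bool = True    # hypothetical switch: turn off automatic re-queueing
    skip_reused: bool = False    # hypothetical switch: never requeue coins sent to a used address
    used_spks: set = field(default_factory=set)

    def process(self, tx):
        """Return the outpoints the wallet would queue for another round, then
        record which of our addresses have now received coins."""
        queued = []
        if self.auto_requeue and looks_like_coinjoin(tx):
            for i, out in enumerate(tx.outputs):
                if out.spk not in self.own_spks:
                    continue
                if self.skip_reused and out.spk in self.used_spks:
                    continue
                if output_anonset(tx, i) < self.target_anonset:
                    queued.append((tx.txid, i))
        self.used_spks.update(o.spk for o in tx.outputs if o.spk in self.own_spks)
        return queued


DENOM = 10_000_000  # 0.1 BTC round denomination, in satoshis (constructed)

# Constructed: an earlier honest round paid equal outputs to two of our
# addresses (A1 and B1, two identities in one wallet) and to two strangers.
HONEST_ROUND = Tx("cj1", n_inputs=4, outputs=(
    TxOut("A1", DENOM), TxOut("B1", DENOM),
    TxOut("stranger1", DENOM), TxOut("stranger2", DENOM)))

# Constructed: the adversary's probe. They own every input and craft two equal
# outputs that reuse A1 and B1, plus two unequal change outputs, so the
# transaction passes the heuristic with an anonymity set of 2.
PROBE = Tx("probe", n_inputs=2, outputs=(
    TxOut("A1", 100_000), TxOut("B1", 100_000),
    TxOut("attacker_change1", 37_000), TxOut("attacker_change2", 52_000)))


def run(skip_reused, auto_requeue=True):
    """Feed the honest round and then the probe to a fresh wallet; return what
    the wallet auto-queues after seeing the probe."""
    w = ToyWallet(own_spks={"A1", "B1"}, auto_requeue=auto_requeue, skip_reused=skip_reused)
    w.process(HONEST_ROUND)
    return w.process(PROBE)


if __name__ == "__main__":
    print("naive wallet queues:", run(skip_reused=False))      # both probe outputs
    print("hardened wallet queues:", run(skip_reused=True))    # nothing
```

The naive wallet queues both probe outputs because each has an anonymity set of 2, below the target of 50; if both are then registered from the same wallet, the adversary gets the link the talk describes. Refusing to requeue coins that arrive at an already-used address, or disabling automatic re-queueing, leaves the probe sitting unqueued.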
Coordinator-fee attack
The next attack is about the security of your funds. You pay a coordinator fee, which is a service fee to the wasabi wallet operators. We consider wasabi wallet to be a non-custodial wallet because it's a self-custodial wallet and you hold the keys and decide where the coins go. There's a fee of 0.003% multiplied by the round denomination multiplied by the size of the anonymity set for each participant.
Maybe the server gets compromised and maybe the compromising entity wants to steal your funds. So maybe we can try to maximize the fee here? The 0.003% is hard-coded. But other things we might be able to change. We could try to affect the round denomination, or affect the anonymity set, just to make the total fee higher. One obvious way that was discussed a lot was that you can have just a larger anonymity set, say you have 100 fake participants and you target one specific person to steal from them. If you do the math, you'll find that it costs you more in mining fees if you attack one specific person. But you don't have to choose a single target, you can just wait until you get some number of honest participants in your fake coinjoin. At 10,000 fake participants it would fill an entire segwit block. This would be a non-standard transaction, so it would have to be given directly to miners. The bitcoin network won't relay a transaction like that due to standardness rules. It's possible the attacker is a miner, so it's possible. What if we try to increase the round denomination? The round denomination is also changing because wasabi wallet tries to optimize it: sometimes people have 0.01 BTC in an output and after they pay fees it's a little less, so they try to make each denomination of a round ever so slightly different so they can accommodate more people. The amount can be increased to be much higher, and then hopefully for the attacker you can try to get more money out of the round.
To fix this, you could put a hard client-side limit on the number of participants in a round. This could probably be around 100? This is the maximum that is probably possible right now just based on how the protocol works. So that is probably a reasonable setting. Also, you could put a hard limit on the client side for the round denomination. I think these ideas are being discussed and it will be fixed in future versions.
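The following is an added example, not code from the talk or from Wasabi wallet. It takes the fee formula stated above (0.003% of the round denomination, times the anonymity set, per participant), works it through in integer satoshis for an honest round and for the padded rounds described in the attack, and adds the kind of client-side check proposed as the fix. The round parameters are constructed; the cap of 100 participants is the talk's estimate of what the protocol supports, and the 0.11 BTC denomination cap is an assumed user setting.

```python
SATS_PER_BTC = 100_000_000
COORDINATOR_FEE_PPM = 30  # 0.003% expressed in parts per million (the hard-coded rate from the talk)


def coordinator_fee_sats(denomination_sats, anonymity_set):
    """Per-participant coordinator fee as stated in the talk:
    0.003% x round denomination x anonymity set, in whole satoshis (rounded down)."""
    return denomination_sats * anonymity_set * COORDINATOR_FEE_PPM // 1_000_000


def attacker_take_sats(denomination_sats, fake_participants, honest_participants):
    """What a compromised coordinator collects from the honest participants of a
    round it has padded with fake ones: each honest participant is charged the
    per-participant fee for the full (fake + honest) anonymity set."""
    anonymity_set = fake_participants + honest_participants
    return honest_participants * coordinator_fee_sats(denomination_sats, anonymity_set)


# Hypothetical client-side limits of the kind the talk proposes. ~100 is the
# talk's estimate of what the protocol handles today; the denomination cap is
# an assumed user setting, not a Wasabi option.
MAX_PARTICIPANTS = 100
MAX_DENOMINATION_SATS = 11_000_000  # 0.11 BTC


def round_violations(denomination_sats, anonymity_set,
                     max_participants=MAX_PARTICIPANTS,
                     max_denomination_sats=MAX_DENOMINATION_SATS):
    """Checks a client would run on the round parameters the coordinator
    announces, before registering any input. Returns the reasons to refuse
    the round; an empty list means the round is acceptable."""
    problems = []
    if anonymity_set > max_participants:
        problems.append(f"anonymity set {anonymity_set} exceeds cap {max_participants}")
    if denomination_sats > max_denomination_sats:
        problems.append(f"denomination {denomination_sats} sat exceeds cap {max_denomination_sats} sat")
    return problems


def fee_report(denomination_sats, anonymity_set):
    fee = coordinator_fee_sats(denomination_sats, anonymity_set)
    verdict = round_violations(denomination_sats, anonymity_set) or "accepted"
    return (f"denom {denomination_sats / SATS_PER_BTC:.2f} BTC x anonset {anonymity_set}: "
            f"fee {fee} sat ({fee / SATS_PER_BTC:.4f} BTC per participant), {verdict}")


if __name__ == "__main__":
    # Constructed rounds: an honest 0.1 BTC round of 100, the 10,000-participant
    # padded round from the talk, and the same padding with an inflated denomination.
    for denom, anonset in [(10_000_000, 100), (10_000_000, 10_000), (100_000_000, 10_000)]:
        print(fee_report(denom, anonset))
```

For the honest round the fee is 30,000 sat (0.0003 BTC) per participant; padding the same round to 10,000 participants raises it to 0.03 BTC, and inflating the denomination to 1 BTC as well to 0.3 BTC, so ten honest victims in that last round would pay the attacker 3 BTC in "fees". Both padded rounds fail the client-side check before the client registers anything.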