On Saturday, the team behind open-source privacy wallet Wasabi disclosed a vulnerability that could have been exploited to perform a denial-of-service (DOS) attack.
The vulnerability had previously been disclosed by Trezor’s Ondrej Vejpustek on May 10th via a PGP-encrypted message with a detailed explanation of the bug.
Although according to Wasabi Wallet, the vulnerability did not put user funds at risk or affect its users’ privacy, an attacker would have had the ability to interrupt CoinJoins and prevent them from completing.
What Is CoinJoin?
CoinJoin is the method of combining Bitcoin transactions from multiple senders into a single transaction in order to make it more difficult for transactions to be deanonymized by outside observers. By using CoinJoin, Bitcoin users can break heuristics used in chain analysis in order to increase their financial privacy.
There are currently several CoinJoin implementations available including Wasabi Wallet and JoinMarket as well as a specialized type called PayJoin.
What Was the DOS Vulnerability?
For Wasabi Wallet, a user goes through several phases in order to complete a CoinJoin transaction.
In the beginning, a Wasabi Wallet user registers the output they want to add to a CoinJoin. The wallet privately communicates this information by blinding the output to the coordinator server. The coordinator then signs it and sends it back to the participant.
In the following phases, the coordinator works to verify that all participants are still available to complete the round. The participants then send the necessary information for the coordinator to build the CoinJoin by registering their outputs. The final phases involve the participants signing the CoinJoin transaction and the coordinator broadcasting it.
The vulnerability that Ondrej Vejpustek discovered resided in the initial setup of the CoinJoin when the coordinator server publicly shares a piece of information, called a “nonce,” that all the participants use to blind their outputs.
“The problem was that the clients received a public nonce per mixing level and the nonce was the same for all participants in the CoinJoin,” explained marketing strategist and Wasabi contributor Riccardo Masutti to the BTC Times.
By sharing the same nonce with everyone, an attacker is capable of determining the private key the coordinator used to sign the blinded outputs at the start of the CoinJoin. The attacker could then use the private key to generate valid signatures and register fake outputs in the output registration phase. This would eventually prevent the coordinator from building a valid CoinJoin transaction, resulting in the round failing.
What’s the Solution?
The fix that Wasabi Wallet developers implemented was to generate and give fresh nonces every time a participant requested the status of a CoinJoin round. Ondrej Vejpustek detailed in his disclosure:
The coordinator on request generates nonce pair, remembers both private and public part, and returns the public one. A participant that registers their unspent outputs and blinded addresses uses the nonce to blind the addresses and sends the nonce in his request. The coordinator finds the corresponding private nonce, blind signs the addresses, and forgets the nonce pair, so it's not used repeatedly.
Wasabi Wallet included this fix in v.1.1.12 on Thursday, August 5th. The update is not backwards-compatible, which means Wasabi users are required to upgrade should they plan to participate in future CoinJoins.