A statement issued by the developers of the Samourai wallet indicates that the Wasabi wallet has two privacy vulnerabilities that affect transactions made with CoinJoin, while the Wasabi team denies the existence of these vulnerabilities.

In a recent publication, the team of developers of Samourai Wallet, a privacy wallet for Bitcoin, points out that while investigating the flow of bitcoins related to the hack of the Twitter platform, they discovered two privacy vulnerabilities in Wasabi wallet, which may have been present since the beginning of the wallet and which some malicious actor may already be exploiting.

According to the team behind Samourai, OTX Research, they had already found several privacy problems in the transactions in which Wasabi uses CoinJoin, but these were classified as design issues and not critical vulnerabilities. What makes this case different is that the developers claim the detected vulnerabilities are in the wallet’s codebase, and that they break the ZeroLink guarantee when making transactions by remixing a mixed output, an action that eliminates the privacy benefits of previous coin mixing.

However, although the Samourai team decided to inform Wasabi about these vulnerabilities privately but immediately, zkSNACKs Ltd, the team behind the development of the affected wallet, denies that these vulnerabilities can exist. zkSNACKs accuses OTX Research of having a conflict of interest and of seeking to affect and harm the development of the wallet, which is Samourai's main competition.


48 hours to inform Wasabi Wallet users

According to Samourai's statements, the team of investigators directly contacted Adam Ficsor, founder of zkSNACKs Ltd, and David Molnár, the company’s CTO, as well as a third party neutral to the situation. In the statement, Samourai claims that it informed Ficsor and Molnár about the vulnerabilities, providing evidence and a verifiable means to reproduce them, which the Wasabi team was given to analyze and report on the situation.

However, Samourai notes that it gave Ficsor and Molnár 48 hours to inform wallet users of these vulnerabilities, so that they could be wary of using the CoinJoin feature until the teams report a fix for these issues.

“A user may choose not to use the CoinJoin feature of the Wasabi Wallet software during the time period when a solution is still in development, but would not be able to make that choice if they were not informed in the first place.” 

Citing the need to protect users, the Samourai Wallet team asked Wasabi to issue an official statement alerting wallet users to the impact of the vulnerabilities and telling them how to proceed, a request that Ficsor took as blackmail, refusing to collaborate with them. Ficsor claims that there is a conflict of interest on the part of OTX Research and Samourai Wallet, and that this is why they are spreading false information and creating feelings of urgency and fear through social engineering techniques.

The founder of zkSNACKs says that he will not fall for the game. The alleged vulnerabilities that Samourai points out imply that a malicious actor who knows the UTXOs from the transactions in CoinJoin will be able to discover which coin will be mixed next, something that is impossible according to Ficsor, since the UTXOs are known only by the user themselves.

Samourai: Wasabi leaves crumbs along the way

In 2019, Samourai reported via its Telegram channel on a possible lack of privacy in Wasabi, alerting users that the wallet literally leaves “breadcrumbs along the way” when executing mixing transactions and these are broken down into smaller UTXOs.

In summary, Samourai pointed out that the biggest difference is found in the Tx0: when Wasabi mixes, for example, 10 BTC, the change outputs of these transactions are associated with the mix transaction, creating a definitive link that allows the transactions to be tracked until their completion.

In response to these statements, a user under the pseudonym SW pointed out that there are ways to mitigate these "breadcrumbs" but that common users do not know or have no idea how to do it. 
