New ashigaru whirlpool coordinator can expose user identities

7 replies 485 views
mr_gasMember
Posts: 24 · Reputation: 174
#1Mar 8, 2023, 10:09 PM
So, Ashigaru just dropped this announcement: https://ashigaru.rs/news/announcement-whirlpool/ Here's the scoop: back in December 2024, someone pointed out a security issue with whirlpool: https://groups.google.com/g/bitcoindev/c/CbfbEGozG7c/m/w2B-RRdUCQAJ The problem is that a shady coordinator can connect inputs and outputs by giving each input its own RSA public key. Since the signatures that aren't blinded might come from different keys, the server can figure out how inputs connect to outputs. For the blind signing thing to work, a server or coordinator has to share the public key. The part they highlighted in the announcement is kinda misleading. I checked out the code for both Whirlpool-Client and Whirlpool-Server, and it seems like the issue is still there. Here’s the link to the Whirlpool-Client code: http://ashicodepbnpvslzsl2bz7l2pwrjvajgumgac423pp3y2deprbnzz7id.onion/Ashigaru/Ashigaru-Whirlpool-Client/src/commit/a64bd8b4e0ee8a4cfab03da4565f166d07caa7ec/src/main/java/com/samourai/whirlpool/client/mix/MixProcess.java And here’s the link for the Whirlpool-Server: http://ashicodepbnpvslzsl2bz7l2pwrjvajgumgac423pp3y2deprbnzz7id.onion/Ashigaru/Ashigaru-Whirlpool-Server/src/branch/main/src/main/java/com/samourai/whirlpool/server/services/MixService.java Bottom line: Don't just trust this centralized coordinator blindly and make sure to do your own homework before coughing up that 5% fee to them.
3 Reply Quote Share
LuckyCoinLegendary
Posts: 832 · Reputation: 4795
#2Mar 8, 2023, 10:17 PM
We seriously need to make a dedicated website on github.io or something that lists all of the information related to coordinators, because it's fragmented everywhere at the moment. People need to know which coordinators are safe to use. Although I know this pertains only to whirlpool coordinators, I'm only aware of one running at the moment, ever since Samourai's was shut down.
6 Reply Quote Share
mr_gasMember
Posts: 24 · Reputation: 174
#3Mar 9, 2023, 02:09 AM
It seems they aren't using code from whirlpool-client repository in the terminal. Instead hardcoded a public key for signing: This introduces other issues in the coinjoin process. I will add more details after doing some research and testing.
1 Reply Quote Share
Posts: 5 · Reputation: 119
#4Mar 9, 2023, 05:16 AM
They specifically mention this in their update. And there seems to be a coordinated effort across all platforms by the Wasabi fans to just pump FUD. It’s becoming very cultish. Maybe you should’ve done your testing before making the post. You make a conclusion in your title that has not yet been tested.
2 Reply Quote Share
mr_gasMember
Posts: 24 · Reputation: 174
#5Mar 9, 2023, 08:04 AM
1. The coordinator can link input-outputs even with the hardcoded key The client doesn't verify that the unblinded signature is actually a valid RSA signature for the hardcoded public key. The coordinator can still do tagging and link inputs-outputs after output registration. 2.  New DoS vector is introduced in the code If you confirm an input getting a blind sig, and then just time out, you can later use the same unblinded sig in a subsequent session and register an additional output which is a DoS issue. Related tweets by nothingmuch: https://xcancel.com/not_nothingmuch/status/1937176085461930033
3 Reply Quote Share
mr_gasMember
Posts: 24 · Reputation: 174
#6Mar 9, 2023, 01:02 PM
I am not associated with Wasabi. This is a free review and testing unlike others who trust the anonymous developers or not competent enough to review. Denying the bugs based on an announcement to use suboptimal tools sounds cultish. The conclusion is still the same. Too many red flags to trust this coordinator and everyone should do their own research before wasting money in coordinator fees.
3 Reply Quote Share
mr_gasMember
Posts: 24 · Reputation: 174
#7Mar 9, 2023, 05:49 PM
Lucas has shared another method that can be used by the coordinator to link inputs and outputs:: https://njump.me/nevent1qqsqqqpslx5y7asqkckk92d2vfcat535t5r5k4pt7xy0ynmcepd4lcgpz4mhxue69uhkummnw3ezummcw3ezuer9wchsygy7xr55qguvm847h33js9md6ngsnqfp99zz72nv8pe8l3n05l4fpgpsgqqqqqqsqg4s4v The coordinator can use different mixid for each input. At this point it wouldn't be wrong to say that zerolink protocol (as implemented in whirlpool) has multiple vulnerabilities that could be exploited by the coordinator. I do not expect Ashigaru team or the delusional cult to ever acknowledge and fix these vulnerabilities.
3 Reply Quote Share
SilentFoxMember
Posts: 7 · Reputation: 65
#8Mar 10, 2023, 02:13 AM
Hi, Wasabi maintainer here. I think your assumption doesn't match reality. None of the "attacks" that I have read come from Wasabi fans, but from people who also criticize Wasabi. Privacy advocates, freedom fighters, or however you want to call us, have been very cool and welcoming regarding Whirlpool's comeback, and we have rushed to audit the code and report our findings publicly ASAP because at this early stage it is easier and cheaper to fix the app and the protocol (once your user base grows it become almost impossible to do). These findings are not destructive FUD but real problems for which we also suggest solutions. Look at this one, for example: https://njump.me/nevent1qqsqqqzgvgp66qxznw3mqvw9xsl9c9j6t8warcgvh283n67mlzuucdsppemhxue69uhkummn9ekx7mp0qyg8wumn8ghj7mn0wd68ytnddakj7qg3waehxw309ahx7um5wgh8w6twv5hsp94pph
0 Reply Quote Share

Related topics