coordinator attack: add clearnet/Tor attack and inconsistent round id attack #1867
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Collaborator
MarnixCroes
commented
Jan 2, 2025
MarnixCroes
commented
yahiheb
requested changes
Jan 2, 2025
Comment on lines
+151
to
+155
| This allows the coordinator to link all communication and inputs and outputs of the coinjoin and thus complete de-anonymisation. | ||
| This is why Wasabi communicates over Tor by default. | ||
| - (Theoretical) Tor network-level de-anonymisation: | ||
| Wasabi uses Tor by default, assuming that this is the most available and usable anonymous way to communicate, and that it cannot be de-anonymised at the network level. | ||
| If Tor does not uphold these assumptions, the client could be de-anonymised. |
There was a problem hiding this comment.
Nit: "anonymization" is used elsewhere in the docs.
Suggested change
| This allows the coordinator to link all communication and inputs and outputs of the coinjoin and thus complete de-anonymisation. | |
| This is why Wasabi communicates over Tor by default. | |
| - (Theoretical) Tor network-level de-anonymisation: | |
| Wasabi uses Tor by default, assuming that this is the most available and usable anonymous way to communicate, and that it cannot be de-anonymised at the network level. | |
| If Tor does not uphold these assumptions, the client could be de-anonymised. | |
| This allows the coordinator to link all communication and inputs and outputs of the coinjoin and thus complete de-anonymization. | |
| This is why Wasabi communicates over Tor by default. | |
| - (Theoretical) Tor network-level de-anonymization: | |
| Wasabi uses Tor by default, assuming that this is the most available and usable anonymous way to communicate, and that it cannot be de-anonymized at the network level. | |
| If Tor does not uphold these assumptions, the client could be de-anonymized. |
nothingmuch
suggested changes
Jan 3, 2025
| The client asks the coordinator for the active rounds, and the coordinator returns the _Round ID_. | ||
| The round ID is the resulting hash of information about the round, such as when the round started and the parameters. The coordinator could create rounds that do not match the parameters and/or create rounds with inputs that were supposed to be registered in different rounds. | ||
| This allows the coordinator to de-anonymize and/or link users' coins. | ||
| To mitigate against this, the client calculates the round ID by itself to verify, and will abort if it detects the coordinator is doing this. |
There was a problem hiding this comment.
that doesn't mitigate anything because ownership proof "verification" trusts the coordinator to provide prevouts
even if they were, the round id is insufficient to ensure consistency
|
I will wait to merge this until all known potential attacks are clarified & mitigated. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.