On May 10, Ondřej Vejpustek from TREZOR sent a PGP encrypted message to Wasabi. The message had an insightful explanation about a possible Conjoin denial of service vulnerability under Wasabi’s security disclosure policy. These attacks were designed to exploit the Wasabi Bitcoin privacy wallet to steal some coins

An attacker could have exploited the vulnerability to conduct a DoS (denial-of-service) attack before the v4 Hard Fork. In that scenario, it was challenging to identify the source of the attack. Through DoS, the hacker would stop the whole CoinJoin process for every other participant and the Wasabi rounds would no longer operate.

V4 Hard Fork Resolves Wasabi Wallet Vulnerability 1

Since there is no DoS attempt this far, it is assumed that no Wasabi user has been affected by the vulnerability. It is important to note that the attacker could neither steal users’ funds nor deanonymize anyone. What they could do, however, was to prevent the completion of the CoinJoin process.

Users who have already downloaded Wasabi Wallet v1.1.12 that was released on August 5, 2020, can benefit fully from the v4 Hard Fork. The Hard Fork fixed that vulnerability and therefore no user action is necessary. For anyone who is yet to upgrade their Wasabi to v1.1.12 version, they are encouraged to do so since the Hard Fork breaks the compatibility with older software.

Blind Schnorr Signatures

At the start of every round, a new blind Schnorr signature key pair is generated for each round level. At the input registration phase, a participant of the CoinJoin records all unspent outputs in their possession as inputs to the coinjoin transaction. It also registers one or even more blinded addresses as outputs of the coinjoin transaction.

The coordinator determines the number of levels the participant has funds to participate in during the connection confirmation phase. They then return the participant to the corresponding number of blinded addresses that are signed with the corresponding level keys. Turning to the output registration phase, the participant using a different identity reveals their unblended outputs with the unblended signatures that are validated by the coordinator.

Every signature uses a freshly generated nonce for blind Schnorr signatures. In the scenario that a signer generates two signatures using one nonce, it is easy to determine their private key as same as the private part of the particular nonce.

The issue arises that the nonce in the implementation phase is a part of the key pair. As a result, the nonce is the same for all outputs that are registered on the same level. Thus, a participant that registers two or more outputs on the same level can determine the signer’s private key.

How Attackers Operate Before v4 Hard Fork Upgrade

Any attacker who knows the signer’s private key can easily generate a valid signature for every message. Hence, they can register an output that was never blind signed by the coordinator. What happens next? Provided that the implementation of the client is correct and sound, attackers cannot steal many coins and they can also not deanonymize anyone.

The attacker can just prevent the completion of the coinjoin resulting in a denial-of-service attack. The attacker starts by registering their real and fake outputs in the output registration phase. Eventually, several participants are prohibited from registering their outputs because the output registration phase concludes when the registered outputs equal the returned blinded signatures in the connection confirmation phase.

V4 Hard Fork Resolves Wasabi Wallet Vulnerability 2

These participants normally refuse to sign the conjoin transaction. In the end, their unspent output that is registered as input to the coinjoin is banned. The attacker registers one of their real outputs. Apart from that, they register a fake output on a higher level. Since they registered outputs equal to the number of blinded signatures that they got, the other participants might register their outputs.

If that happens, the coordinator creates a transaction that is invalid because the sum of all inputs is less than the sum of all outputs.

Possible Fixes For The Bug

The coordinator generates nonce pair on request, remembers both public part and private part, and then returns the public one. Any participant that registers their unspent outputs and blinded addresses uses this nonce to blind the addresses and sends the nonce in his request. Then, the coordinator gets the corresponding private nonce, blind signs the addresses, and it forgets the nonce pair. Therefore, it is not used repeatedly.

Users can also replace Schnorr blind signatures with RSA blind signatures. That can work because the RSA signature does not need nonce. But, this approach is not popular since RSA in contrast with elliptic-curve cryptography is not quite widespread in the bitcoin community.

About the author

Wanguba Muriuki is an Editor at Large for E-Crypto News and author of the book- "The Exploitative Intrigues of Cryptocurrency Scams Explained." He is also a passionate creator who sees every aspect of life from a written perspective. He loves Blockchain, Cryptocurrency, Technology, and Traveling. He is a widely experienced creative and technical writer. Everything and everyone is describable. The best description is written.

Related Posts

E-Crypto News Executive Interviews

Crypto Scams

The Largest Crypto Scams Of 2022 (So Far)
The Largest Crypto Scams Of 2022 (So Far)
June 14, 2022
How Do Scammers Entice Their Prey?
May 10, 2022
Beanstalk Farms Loses $80M In A Massive DeFi Governance Flash-Loan Hack
Beanstalk Farms Loses $80M In A Massive DeFi Governance Flash-Loan Hack
April 23, 2022
Joon Pak Head of Crypto at Prove talks to Us about Crypto Fraud And More
April 11, 2022
Mintable CEO Zach Burks Talks to Us about the Opensea Stolen NFTs and Their Recovery
March 21, 2022

Automated trading with HaasBot Crypto Trading Bots

Blockchain/Cryptocurrency Questions and Answers

Roundtable Interview-What is the Effect of The Russia-Ukraine War on Cryptocurrency Prices?
March 4, 2022
How Does Bitcoin Casino Work + 2021 Beginner’s Guide
November 8, 2021
How to Buy and Sell Cryptocurrency
November 8, 2021
What Are Bitcoin Futures And How Will They Work In 2022?
November 4, 2021
The Unconventional Guide to Ethereum
October 28, 2021

CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin21,413 0.45 % 0.34 % 12.42 %
Ethereum1,244.8 0.15 % 0.84 % 25.07 %
Tether1.001 0.04 % 0.13 % 0.01 %
USD Coin0.9989 0.16 % 0.08 % 0.04 %
BNB239.44 0.27 % 0.70 % 21.31 %
XRP0.3702 0.24 % 0.41 % 19.68 %
Cardano0.9566 0.22 % 0.68 % 6.96 %
Binance USD1.002 0.24 % 0.04 % 0.09 %
Solana41.56 0.17 % 1.37 % 30.62 %
Dogecoin0.07057 2.88 % 3.67 % 32.85 %

Bitcoin (BTC) $ 21,483.00
Ethereum (ETH) $ 1,247.20
Tether (USDT) $ 1.00
USD Coin (USDC) $ 1.00
BNB (BNB) $ 239.69
XRP (XRP) $ 0.370513
Cardano (ADA) $ 0.523114
Binance USD (BUSD) $ 1.00
Solana (SOL) $ 41.76
Polkadot (DOT) $ 8.25