Privacy Wallet Wars: Wasabi Vulnerabilities Denied by Developer
OXT Research, the team behind Bitcoin (BTC) wallet Samourai Wallet, has announced that its researchers have identified two potential privacy vulnerabilities in the open-source Wasabi Wallet that could impact the security of CoinJoin transactions carried out through the wallet. This said, zkSNACKs, which developed Wasabi Wallet, rejects these claims and accuses OXT Research of engaging in a conflict of interest.
“In the past we have found numerous issues with Wasabi Wallet CoinJoin,” OXT Research said. “Those issues always related to mix quality and mix composition as per the metadata left over on blockchain. We never classified those issues as vulnerabilities, just poor design choices.”
They continued that after “extensive testing and research we were able to complete our internal analysis and verified the existence of two vulnerabilities that have likely existed since the inception of Wasabi Wallet” and could be classified as critical.
In detail, the “vulnerabilities break a core assumption of mixing, with each remix effectively cancelling out the privacy gains of the previous mix,” and OXT Research believes that they “have been present in the Wasabi Wallet code base for a long time, thus it is likely someone less than ethical has already discovered [them] and is exploiting” them.
The researchers claim they contacted zkSNACKs, requesting that it alert the wallet’s users to the vulnerabilities and provide them with recommendations on how to proceed to safeguard their cryptocurrency. OXT Research also claimed it would provide the wallet developer with suggested mitigations that could be implemented in the software, potentially fixing the identified vulnerabilities.
However, on August 19, a representative of zkSNACKs reportedly replied to OXT Research, saying they considered the communication blackmail and, as such, “they have no interest in pursuing this further with us,” according to Samourai Wallet’s developer.
Cryptonews.com has contacted both OXT Research and zkSNACKs with requests for comment to hear their respective sides of the story. As of publication time, we have received a comment from zkSNACKs.
Adam Ficsor, Head of Research at zkSNACKs, told Cryptonews.com that, given that OXT Research is the blockchain analysis department of Samourai Wallet, “there is a conflict of interest”.
“They claimed Wasabi is broken because of the lack of randomness in coin selection for CoinJoins. More specifically, they tried to show that if an adversary knows all the UTXOs in a wallet, then it can tell which coin will be mixed next time. This is pointless as the only entity who knows the UTXOs in a wallet is the user itself,” said Ficsor. “Then they moved onto building more and more on this false premise, repeating their conclusion over and over again, and that's the rest of the technical part of the letter.”
Ficsor said that “OXT/Samourai has claimed to 'deanonymize' Wasabi numerous times in the past without a responsible disclosure, so why the sudden change now?”
According to Ficsor, the “community knows their claims are inflated and in their latest attempt they seek more credibility by trying to get us to play along with their nonsense by writing us a blackmail letter that has all the social engineering tricks in it, like setting deadlines to create a sense of urgency, repeating their false conclusions over and over again, and presenting the possible options that we have and explaining the consequences of us not playing along to create a sense of fear.”
We will update should OXT Research reply.