Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Possible privacy leakage due to ordered transaction inputs #1086

Open
yixiao5428 opened this issue Jul 17, 2021 · 3 comments
Open

Possible privacy leakage due to ordered transaction inputs #1086

yixiao5428 opened this issue Jul 17, 2021 · 3 comments

Comments

@yixiao5428
Copy link

This a security vulnerability.

The wallet uses ordered inputs of transactions (src/wallet/wallet.cpp, line 3657 - 3671), which may incur privacy risks like fingerprinting the wallet to observers.

A possible solution is to clear the original order, shuffle it, and push back the new order before signing the transaction.

Similar fix from Bitcoin: bitcoin/bitcoin@2fb9c1e.

Reported by 6004ed5feaa31ae9df36b5dbc60f0fa53255a5fb734334082c6d202405fc738c.

@m4r1m0
Copy link
Contributor

m4r1m0 commented Jul 17, 2021

Great catch! Following this issue.

@jeroz1
Copy link
Contributor

jeroz1 commented Jul 17, 2021

If this is going to be fixed: make sure it doesn’t clash with the new asset transaction order. Or the reissue transactions.

@kralverde
Copy link
Contributor

If i'm understanding correctly, this has to do with VINs not VOUTs; the special asset order should not be affected @jeroz1

@fdoving fdoving self-assigned this Dec 6, 2021
@fdoving fdoving modified the milestone: 4.7.0 Dec 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants