-
Notifications
You must be signed in to change notification settings - Fork 498
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Address Reuse occurs in Blinded Outputs #2034
Comments
I am running mix for a week and will see if address reuse is happening or not. Will get back here on Monday. |
Do you know if they were queueing and dequeueing before this happened? |
I have decided to take a quick look at the types and frequency of address re-use among recent transactions. I have taken 1 transaction as a sample: I exclusively checked the blinded outputs to see if they had been re-used. Observations:
Further observations:
I hope this saved you some time nopara73. |
Quite interesting, thanks for the detailed write-up @AvivMilner! 1] I confirmed this in the Slack, and unfortunately there is no way for the coordinator to see if a blinded coin join output has address reuse, because, well, it is blinded... So the coordinator can only abort the round after 3] #1927 #1944 change the input and output ordering, that might help you. Not sure about what exactly you mean though... 4] So, if this is a malicious adversary, then their attacks do not lead to de-anonymization, but it makes the CoinJoin "look bad" and scare away users. If it is a bug, then it affects only a small subset of users. Can you maybe calculate a median of the recent cases? And we would need more info from the users, what version of Wasabi and OS they are running, and how they use the wallet in general [multiple instances, often de-queueing, etc.] 5] Mhhh - ok, then this means that it is probably not the mempool dropping issue, which was fixed several versions back. |
Regarding address |
Additional input from a client:
This is the most detail I have received yet about the issue. |
Thanks Aviv.
|
As it has been discussed many times and many places, address reuse was a known issue when we lost unconfirmed transactions before 1.1.6. However, we cannot fix again what's already fixed, so looking at historical data is irrelevant. As I said, I am mixing since Monday, and I just checked: I did not experience any address reuse so far, I will wait out the whole week and get back here. |
Worst-case solution could be just stopping any Bob from registering an output that's address has been previously used. This would stop malicious attackers from doing this on purpose, however, requires us to index every address which would be a lot of overhead. |
The results of the 1week mixing test: #2077 |
When we get an inv from a node we try to acquire the tx from that node and don't bother with other nodes' invs for the same tx. So if the tx acquiring fails with this node, then it's possible we never get to know about the tx until it confirms. It could be the reason why we experience this issue. I'll address it in my mempool refactoring PR. |
Possibly resolved: #2292 Should start another test. |
I'm running the 1week test. |
Results of 1 Week Mixing Test 2Note that during the testing, I needed to use my Linux for development, I was running multiple instances and made the computer freeze and the index was corrupted a few times, so if there's address reuse then the test is invalid and needs to be repeated with more laboratory environment, but if there isn't, then the test is valid, in fact it gives us more confidence that it can withstand a couple of failure scenarios. (without doxxing the exact amounts)
So far the stats are very similar as the first test. Address ReuseThere were none. |
General Description
Address Reuse has been detected by a handful of users. In particular, the address that is re-used is the address given to the coordinator in the form of a blinded output. The result is that a user will mix coins, and have several mixed coins of various denominations in the same address.
How To Reproduce?
Screenshots
Please look at the following transactions as examples:
(a) 4 transactions - 2 were blinded oututs of 0.1 BTC, 2 were remixes of the 0.1 BTC outputs.
(b) The 2 coinjoins with same outputs were confirmed in the same block.
https://blockstream.info/address/bc1qr3l94myyg5ex82lydveuhawg08hw72va3xaxjq
(a) 4 Transactions - where the address was used as change twice in a CJ, then spent in a CJ twice
(b) Both transactions were confirmed in the same block.
https://blockstream.info/address/bc1qhzq5ck87rr5cfw9wjhfwnfalcn80fcy54mgwv9
The above two examples happened a while ago, these transactions below happened more recently and include a user who had address reuse on both sides of the transaction.
https://blockstream.info/address/bc1qtsypsw9aejrhphf28tzuhld7wgk5aj53l6tazv
Operating System
Users described this problem with:
Windows 10
macOS
Logs
Logs of certain users may be available upon request.
Wasabi Version
Users claim to be using 1.1.6
The text was updated successfully, but these errors were encountered: