The developers of Wasabi Wallet are urging users to update to the latest version, which fixes issues related to the use of CoinJoin mixing technology.
On Thursday, the Wasabi Wallet team forked the wallet to address a vulnerability discovered by leading hardware wallet maker Trezor. According to a post on the Wasabi Wallet blog, Trezor developer Ondřej Vejpustek disclosed the potential DoS attack to the Wasabi team on May 10.
“Vejpustek has been actively cooperating with us from the beginning and gave us complete freedom to disclose vulnerability information, both in terms of timing and communication. This demonstrates the importance of communication between security researchers and development teams. This is what responsible disclosure should be,” said Wasabi Wallet marketing strategist Riccardo Masutti, adding that Vejpustek has been rewarded in BTC for his efforts.
This hypothetical denial-of-service (DoS) attack, which the Wasabi Wallet team speculates was never carried out, would prevent the wallet from carrying out CoinJoin, a privacy protocol that allows users to mix their BTC with others to hide their transaction history.
The CoinJoin implementation of the Wasabi wallet requires each participant to receive the same amount of coins as they contributed for mixing. If, for example, ten participants join the mixing of 0.1 BTC, then each user must send exactly this amount and receive the same amount of BTC for successful mixing and maintaining the confidentiality of CoinJoin.
The discovered vulnerability would have stopped the mixing process. An attacker could have deposited bitcoins for mixing without having his BTC verified by the mixing coordinator, while simultaneously sending a real, verified transaction for mixing.
This would lead to a mismatch between the total size of the CoinJoin inputs and the size of the expected outputs. As a result, the coordinator would unwittingly “create a transaction that cannot be valid because the sum of all inputs is less than the sum of all outputs.” If the attack were carried out, it would interfere with the execution of the CoinJoin function, although it would not give an attacker the opportunity to steal coins and would not expose information about the mixing participants.
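The coordinator-side invariant described above can be shown with a simplified model. This is an added example, not Wasabi Wallet's code: the `Registration` type, the function names, the sample outpoints and the decision to ignore fees are all assumptions made for illustration.

```python
from dataclasses import dataclass

DENOMINATION = 10_000_000  # 0.1 BTC in satoshis, the round size from the article's example

@dataclass(frozen=True)
class Registration:          # hypothetical type, not a Wasabi structure
    outpoint: str            # constructed "txid:index" label
    claimed_amount: int      # satoshis the participant says the input holds

def unverified_totals(registrations, utxo_view, denomination=DENOMINATION):
    """What a coordinator gets if it trusts claims: (real input sum, output sum)."""
    real_in = sum(utxo_view.get(r.outpoint, 0) for r in registrations)
    return real_in, denomination * len(registrations)

def validate_round(registrations, utxo_view, denomination=DENOMINATION):
    """Check each input against the coordinator's own UTXO view (outpoint -> satoshis)."""
    accepted, rejected, seen = [], [], set()
    for reg in registrations:
        actual = utxo_view.get(reg.outpoint)
        if actual is None:
            rejected.append((reg, "unknown or spent input"))
        elif reg.outpoint in seen:
            rejected.append((reg, "input registered twice"))
        elif actual != reg.claimed_amount:
            rejected.append((reg, "claimed amount not backed by input"))
        elif actual < denomination:
            rejected.append((reg, "input below round denomination"))
        else:
            seen.add(reg.outpoint)
            accepted.append(reg)
    return accepted, rejected

def build_round(registrations, utxo_view, denomination=DENOMINATION):
    """Summarise a round built only from verified inputs (fees ignored)."""
    accepted, rejected = validate_round(registrations, utxo_view, denomination)
    total_in = sum(utxo_view[r.outpoint] for r in accepted)
    total_out = denomination * len(accepted)
    if total_in < total_out:  # defence in depth: never finalise an invalid transaction
        raise ValueError("sum of inputs is less than sum of outputs")
    return {"inputs": total_in, "outputs": total_out, "rejected": rejected}

# Constructed sample data: two honest inputs and one whose amount was never verified.
UTXO_VIEW = {"aa:0": 10_000_000, "bb:1": 10_000_000, "cc:0": 1_000}
ROUND = [
    Registration("aa:0", 10_000_000),
    Registration("bb:1", 10_000_000),
    Registration("cc:0", 10_000_000),  # claim is not backed by the referenced input
]
```

With the sample data, `unverified_totals` shows inputs falling short of outputs, while `build_round` drops the unbacked registration and the remaining round balances.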
Wasabi Wallet fixed this issue with a fork posted on Thursday. This update was applied to version 1.1.12 of the wallet released on August 5th.
Recall that the developers of the Wasabi Wallet recently announced plans to create their own WabiSabi technology instead of the CoinJoin transaction privacy feature.