Bitcointalk Mobile Browser presented by IRLBTC™

<< >> (p.3)

Author

Topic: New ashigaru whirlpool coordinator can de-anonymize users (Read 230 times)

1440000bytes (OP)

Newbie

Offline

Activity: 24
Merit: 57

New ashigaru whirlpool coordinator can de-anonymize users

June 23, 2025, 07:25:17 AM
Last edit: June 23, 2025, 09:01:18 AM by 1440000bytes

Merited by LoyceV (12), NotATether (6), d5000 (5), cAPSLOCK (5), theymos (2), ABCbits (1), DireWolfM14 (1)

Ashigaru announcement: https://ashigaru.rs/news/announcement-whirlpool/

https://i.ibb.co/Q7G2rDBr/rsa.png

Background: Nothingmuch had reported a vulnerability in whirlpool in December 2024: https://groups.google.com/g/bitcoindev/c/CbfbEGozG7c/m/w2B-RRdUCQAJ

This allows a malicious coordinator to link inputs and outputs by providing each input with a unique RSA public key. Since the unblinded signatures are possibly made by different keys, the server can learn the mapping from inputs to outputs.

The blind signing process requires a server or coordinator to share the public key. The highlighted text in the announcement is misleading. I looked at the code in Whirlpool-Client and Whirlpool-Server and found that the vulnerability is not fixed.

Code:

   // generate a secret bordereau. keep it private and register INPUT with blindedBordereau
   // bordereau will be provided with unblindedSignedBordereau to register POSTMIX with another
   // identity
   this.bordereau = ClientUtils.generateBordereau();
   byte[] publicKey = WhirlpoolProtocol.decodeBytes(confirmInputMixStatusNotification.publicKey64);
   RSAKeyParameters serverPublicKey = ClientUtils.publicKeyUnserialize(publicKey);
   this.blindingParams = clientCryptoService.computeBlindingParams(serverPublicKey);

   String mixId = confirmInputMixStatusNotification.mixId;
   String blindedBordereau64 =
   WhirlpoolProtocol.encodeBytes(clientCryptoService.blind(bordereau, blindingParams));
   String userHash = premixHandler.computeUserHash(mixId);
   ConfirmInputRequest confirmInputRequest =
   new ConfirmInputRequest(mixId, blindedBordereau64, userHash);

   confirmedInput = true;
   return confirmInputRequest;
  }

http://ashicodepbnpvslzsl2bz7l2pwrjvajgumgac423pp3y2deprbnzz7id.onion/Ashigaru/Ashigaru-Whirlpool-Client/src/commit/a64bd8b4e0ee8a4cfab03da4565f166d07caa7ec/src/main/java/com/samourai/whirlpool/client/mix/MixProcess.java

Code:

   // register confirming input
   String publicKey64 = WhirlpoolProtocol.encodeBytes(mix.getPublicKey());
   ConfirmInputMixStatusNotification confirmInputMixStatusNotification =
   new ConfirmInputMixStatusNotification(mix.getMixId(), publicKey64);
   mix.registerConfirmingInput(registeredInput);

http://ashicodepbnpvslzsl2bz7l2pwrjvajgumgac423pp3y2deprbnzz7id.onion/Ashigaru/Ashigaru-Whirlpool-Server/src/branch/main/src/main/java/com/samourai/whirlpool/server/services/MixService.java

Conclusion: Users should not trust this centralized coordinator and do their own research before paying 5% coordinator fees.

NotATether

Legendary

Offline

Activity: 2114
Merit: 9047

Search? Try talksearch.io

Re: New ashigaru whirlpool coordinator can de-anonymize users

June 23, 2025, 08:21:08 AM

We seriously need to make a dedicated website on github.io or something that lists all of the information related to coordinators, because it's fragmented everywhere at the moment.

People need to know which coordinators are safe to use.

Although I know this pertains only to whirlpool coordinators, I'm only aware of one running at the moment, ever since Samourai's was shut down.

██
██
██
██
██
██
██
██
██
██
██
██
██

...^{⬤^⬤ LIVECASINO.io} ^│^P^l^a^y^Lⁱ^v^e^G^a^m^e^s^wⁱ^t^h^u^p^t^o^20%^c^a^s^h^b^a^c^k^!...

██
██
██
██
██
██
██
██
██
██
██
██
██

1440000bytes (OP)

Newbie

Offline

Activity: 24
Merit: 57

Re: New ashigaru whirlpool coordinator can de-anonymize users

June 23, 2025, 02:18:47 PM

It seems they aren't using code from whirlpool-client repository in the terminal. Instead hardcoded a public key for signing:

Code:

Code:

/ use receiveAddress as bordereau. keep it private, but transmit blindedBordereau
/ clear receiveAddress will be provided with unblindedSignedBordereau by connecting with
/ another identity for REGISTER_OUTPUT
final RSAKeyParameters rsaPublicKey;
byte[] publicKey = WhirlpoolProtocol.decodeBytes(confirmInputMixStatusNotification.publicKey64);
if (publicKey != null && publicKey.length > 0) {
throw new ProtocolException("not expected to receive public key for blind signature from whirlpool server");
/rsaPublicKey = ClientUtils.publicKeyUnserialize(publicKey);
} else {
rsaPublicKey = blindSignaturePublicKey;
}

this.blindingParams = clientCryptoService.computeBlindingParams(rsaPublicKey);

String mixId = confirmInputMixStatusNotification.mixId;
this.bordereau = ClientUtils.generateBordereau();
String blindedBordereau64 =
WhirlpoolProtocol.encodeBytes(
clientCryptoService.blind(this.bordereau, blindingParams));
String userHash = premixHandler.computeUserHash(mixId);
ConfirmInputRequest confirmInputRequest =
new ConfirmInputRequest(mixId, blindedBordereau64, userHash);

confirmedInput = true;
return confirmInputRequest;
}

This introduces other issues in the coinjoin process. I will add more details after doing some research and testing.

dmatthewstewart

Sr. Member

Offline

Activity: 444
Merit: 253

Re: New ashigaru whirlpool coordinator can de-anonymize users

June 23, 2025, 11:48:33 PM

They specifically mention this in their update. And there seems to be a coordinated effort across all platforms by the Wasabi fans to just pump FUD. Its becoming very cultish.

Maybe you shouldve done your testing before making the post. You make a conclusion in your title that has not yet been tested.

▁ ▂ ▄ ▅ ▆ Cloudmining 101: how to avoid scams ▆ ▅ ▄ ▂ ▁

1440000bytes (OP)

Newbie

Offline

Activity: 24
Merit: 57

Re: New ashigaru whirlpool coordinator can de-anonymize users

June 24, 2025, 12:31:32 AM

1. The coordinator can link input-outputs even with the hardcoded key

The client doesn't verify that the unblinded signature is actually a valid RSA signature for the hardcoded public key. The coordinator can still do tagging and link inputs-outputs after output registration.

2. New DoS vector is introduced in the code

If you confirm an input getting a blind sig, and then just time out, you can later use the same unblinded sig in a subsequent session and register an additional output which is a DoS issue.

Related tweets by nothingmuch: https://xcancel.com/not_nothingmuch/status/1937176085461930033

1440000bytes (OP)

Newbie

Offline

Activity: 24
Merit: 57

Re: New ashigaru whirlpool coordinator can de-anonymize users

June 24, 2025, 12:39:56 AM

Merited by vapourminer (2)

Quote from: dmatthewstewart on June 23, 2025, 11:48:33 PM

I am not associated with Wasabi. This is a free review and testing unlike others who trust the anonymous developers or not competent enough to review. Denying the bugs based on an announcement to use suboptimal tools sounds cultish.

The conclusion is still the same. Too many red flags to trust this coordinator and everyone should do their own research before wasting money in coordinator fees.

1440000bytes (OP)

Newbie

Offline

Activity: 24
Merit: 57

Re: New ashigaru whirlpool coordinator can de-anonymize users

June 25, 2025, 12:46:43 AM

Lucas has shared another method that can be used by the coordinator to link inputs and outputs:: https://njump.me/nevent1qqsqqqpslx5y7asqkckk92d2vfcat535t5r5k4pt7xy0ynmcepd4lcgpz4mhxue69uhkummnw3ezummcw3ezuer9wchsygy7xr55qguvm847h33js9md6ngsnqfp99zz72nv8pe8l3n05l4fpgpsgqqqqqqsqg4s4v

Code:

String mixId = confirmInputMixStatusNotification.mixId;
this.bordereau = ClientUtils.generateBordereau();
String blindedBordereau64 =
WhirlpoolProtocol.encodeBytes(
clientCryptoService.blind(this.bordereau, blindingParams));
String userHash = premixHandler.computeUserHash(mixId);
ConfirmInputRequest confirmInputRequest =
new ConfirmInputRequest(mixId, blindedBordereau64, userHash);

The coordinator can use different mixid for each input. At this point it wouldn't be wrong to say that zerolink protocol (as implemented in whirlpool) has multiple vulnerabilities that could be exploited by the coordinator. I do not expect Ashigaru team or the delusional cult to ever acknowledge and fix these vulnerabilities.

lontivero

Full Member

Offline

Activity: 189
Merit: 168

Amazing times are coming

Re: New ashigaru whirlpool coordinator can de-anonymize users

June 25, 2025, 03:04:43 PM

Quote from: dmatthewstewart on June 23, 2025, 11:48:33 PM

And there seems to be a coordinated effort across all platforms by the Wasabi fans to just pump FUD. Its becoming very cultish.

Hi, Wasabi maintainer here.

I think your assumption doesn't match reality. None of the "attacks" that I have read come from Wasabi fans, but from people who also criticize Wasabi. Privacy advocates, freedom fighters, or however you want to call us, have been very cool and welcoming regarding Whirlpool's comeback, and we have rushed to audit the code and report our findings publicly ASAP because at this early stage it is easier and cheaper to fix the app and the protocol (once your user base grows it become almost impossible to do).

These findings are not destructive FUD but real problems for which we also suggest solutions. Look at this one, for example: https://njump.me/nevent1qqsqqqzgvgp66qxznw3mqvw9xsl9c9j6t8warcgvh283n67mlzuucdsppemhxue69uhkummn9ekx7mp0qyg8wumn8ghj7mn0wd68ytnddakj7qg3waehxw309ahx7um5wgh8w6twv5hsp94pph

Pages: [1]

Page 2

Viewing Page: 3