It says on their blog post that it's fixed.
Discussion
Yeah but is there a way to verify that independently other than the trust me bro approach? I'm not capable but I'm sure plenty of people are
Ah I see, the OP is saying that it isn't in code. Guess we'll have to wait for public comment. I dont have the tech chops to verify either way, nor do I have any direct contact with anyone from Ashigaru.
but isn't that wording kind of weird?
we're not concerned with the keys being sent to the client... we're concerned the *coordinator being able to link inputs/output, not the clients.
it seems like theyre addressing a different issue there.
what I'm saying is that the blog post doesn't seem to be addressing that issue at all
Looks like he might be barking up the wrong tree.
Bug is in whirlpool and not the wallet.
Seems like the terminal client has a hard coded key. Is the client using that to check that against the one sent from the coordinator?
No match, no mix?
Yes they have hardcoded a key in terminal. This introduces another vulnerability. I will add the details in the bitcointalk post.
its not a vulnerability if they're modulating the hardcoded key per CJ round correct?
as nostr:nprofile1qqsxwkuyle67y94tj378gw8w2xw2wa6nwmwlqhddlwnz0z7sztsaw2qpz9mhxue69uhkummnw3ezuamfdejj7nxasma suggested on original vulnerability disclosure post Jan 7th?
either way, the server CANNOT give clients a unique key for identification.