i appreciate your investigation here floppy

Discussion

he apparently missed that they have an RSA key hardcoded into the client now

so... 😕

Seems like clients don’t verify that signatures actually come from that hardcoded key (which they are definitely able to do). Until that is done clients are still vulnerable to a coordinator tagging attack.

have you also verified about the signatures

or are you just taking floppy's word for it?