last week an audit of the samourai wallet whirlpool code revealed that the coordinator could match a coinjoin’s inputs and outputs – thus providing zero privacy against samourai.
nostr:npub1v6qjdzkwgaydgxjvlnq7vsqxlwf4h0p4j7pt8ktprajd28r82tvs54nzyr reported it, didn’t see too many reactions.
why aren’t more people talking about this?
Link? It's zerolink, so there should be at least different identities for each output + one for all inputs iirc
Are you saying that samourai users have zero privacy from samourai as coordinator which means feds since they stole their computers?
Not directly implying that, but it’s very possible. Maybe they deleted this data, maybe they didn’t and the feds have it now.
The issue is that it was possible to have it in the first place.
Sparrow does not manage tor identities, neither does the android app, only the desktop client does, and it constantly reuses the input circuit.
https://primal.net/e/note1wgjud5u2p7s5gm4723q3q7apx9r0jqvw3437sc8kj8y64r4re2esd5ns8x
https://primal.net/e/note190khca9m94r5wruu0tgaddz92c9levkddx4jkggqlv0egjvfx58s8dyu09
https://primal.net/e/note1s8g546a7j2de3ez2x27z8x4gh6qq20qmtfskr930f8wx2t0vysdssc97w9
https://primal.net/e/note1x4gmu82e08pln6h47skck7eg08fyqw4zp0punn00n9l840w0ntvqq2drsz
https://github.com/sparrowwallet/sparrow/issues/1328
I have talked a lot about it, look in my comments.
Because it is even worse than that, or at least that's how I understand it. The Whirlpool client uses a session ID for all requests and the server attachs that session ID to all websockets in order to identify them. The server even logs all that info.
```
> grep log **/*.java | grep username
main/java/com/samourai/whirlpool/server/controllers/websocket/SubscribePoolController.java: log.trace("(<) [" + username + "] " + headers.getDestination());
main/java/com/samourai/whirlpool/server/services/WebSocketService.java: log.warn("(>) " + username + " sendPrivateError: " + message);
main/java/com/samourai/whirlpool/server/services/WebSocketSessionService.java: log.trace("(<) " + username + " connect");
main/java/com/samourai/whirlpool/server/services/WebSocketSessionService.java: log.trace("(<) " + username + ": disconnect");
main/java/com/samourai/whirlpool/server/services/MixService.java: log.warn("Rejecting already revealed username: " + username);
main/java/com/samourai/whirlpool/server/services/MixService.java: log.info("[" + mixId + "] " + username + " revealed output");
main/java/com/samourai/whirlpool/server/services/MixService.java: log.info("[" + mixId + "] " + username + " registered signature");
main/java/com/samourai/whirlpool/server/services/PoolService.java: log.info("[" + pool.getPoolId() + "] " + username + " removed 1 liquidity from pool");
main/java/com/samourai/whirlpool/server/services/PoolService.java: log.info("[" + pool.getPoolId() + "] " + username + " removed 1 mustMix from pool");
main/java/com/samourai/whirlpool/server/controllers/websocket/ConfirmInputController.java: log.debug("(<) [" + payload.mixId + "] " + username + " " + headers.getDestination());
main/java/com/samourai/whirlpool/server/beans/Mix.java: log.info("[" + mixId + "] " + username + " unregistered from confirming inputs");
main/java/com/samourai/whirlpool/server/controllers/websocket/RevealOutputController.java: log.debug("(<) [" + payload.mixId + "] " + username + " " + headers.getDestination());
main/java/com/samourai/whirlpool/server/controllers/websocket/SigningController.java: log.debug("(<) [" + payload.mixId + "] " + username + " " + headers.getDestination());
main/java/com/samourai/whirlpool/server/config/websocket/WebSocketConfig.java: log.debug("(<) " + username + " subscribe");
main/java/com/samourai/whirlpool/server/config/websocket/WebSocketConfig.java: log.debug("(<) " + username + " connect");
main/java/com/samourai/whirlpool/server/config/websocket/WebSocketConfig.java: log.debug("(<) " + username + " disconnect");
```
```
> grep log **/*.java | grep "ip="
main/java/com/samourai/whirlpool/server/services/RegisterInputService.java: log.warn("Rejecting banned UTXO: [" + banTO.get() + "], ip=" + ip);
```
