Replying to Avatar Vlad, Bitcoin Takeover Podcast

last week an audit of the samourai wallet whirlpool code revealed that the coordinator could match a coinjoin’s inputs and outputs – thus providing zero privacy against samourai.

nostr:npub1v6qjdzkwgaydgxjvlnq7vsqxlwf4h0p4j7pt8ktprajd28r82tvs54nzyr reported it, didn’t see too many reactions.

why aren’t more people talking about this?
5b
5b459807... 1y ago

Because it is even worse than that, or at least that's how I understand it. The Whirlpool client uses a session ID for all requests and the server attachs that session ID to all websockets in order to identify them. The server even logs all that info.

```

> grep log **/*.java | grep username

main/java/com/samourai/whirlpool/server/controllers/websocket/SubscribePoolController.java: log.trace("(<) [" + username + "] " + headers.getDestination());

main/java/com/samourai/whirlpool/server/services/WebSocketService.java: log.warn("(>) " + username + " sendPrivateError: " + message);

main/java/com/samourai/whirlpool/server/services/WebSocketSessionService.java: log.trace("(<) " + username + " connect");

main/java/com/samourai/whirlpool/server/services/WebSocketSessionService.java: log.trace("(<) " + username + ": disconnect");

main/java/com/samourai/whirlpool/server/services/MixService.java: log.warn("Rejecting already revealed username: " + username);

main/java/com/samourai/whirlpool/server/services/MixService.java: log.info("[" + mixId + "] " + username + " revealed output");

main/java/com/samourai/whirlpool/server/services/MixService.java: log.info("[" + mixId + "] " + username + " registered signature");

main/java/com/samourai/whirlpool/server/services/PoolService.java: log.info("[" + pool.getPoolId() + "] " + username + " removed 1 liquidity from pool");

main/java/com/samourai/whirlpool/server/services/PoolService.java: log.info("[" + pool.getPoolId() + "] " + username + " removed 1 mustMix from pool");

main/java/com/samourai/whirlpool/server/controllers/websocket/ConfirmInputController.java: log.debug("(<) [" + payload.mixId + "] " + username + " " + headers.getDestination());

main/java/com/samourai/whirlpool/server/beans/Mix.java: log.info("[" + mixId + "] " + username + " unregistered from confirming inputs");

main/java/com/samourai/whirlpool/server/controllers/websocket/RevealOutputController.java: log.debug("(<) [" + payload.mixId + "] " + username + " " + headers.getDestination());

main/java/com/samourai/whirlpool/server/controllers/websocket/SigningController.java: log.debug("(<) [" + payload.mixId + "] " + username + " " + headers.getDestination());

main/java/com/samourai/whirlpool/server/config/websocket/WebSocketConfig.java: log.debug("(<) " + username + " subscribe");

main/java/com/samourai/whirlpool/server/config/websocket/WebSocketConfig.java: log.debug("(<) " + username + " connect");

main/java/com/samourai/whirlpool/server/config/websocket/WebSocketConfig.java: log.debug("(<) " + username + " disconnect");

```

```

> grep log **/*.java | grep "ip="

main/java/com/samourai/whirlpool/server/services/RegisterInputService.java: log.warn("Rejecting banned UTXO: [" + banTO.get() + "], ip=" + ip);

```

Reply to this note

Please Login to reply.

Discussion

No replies yet.