Thought experiment. Samourai whirlpool coinjoin is five inputs and five outputs. I guess the participants are selected by the coordinator, which is open source, but there's no way to tell which coordinator they are actually running.

Imagine if they were adversarial. We know they send xpubs to their server if you don't run your own Dojo node. How can we be sure they don't let in four participants whose xpubs they know and one who runs their own node? If every coinjoin is made like this (which it could well be), the whole Whirlpool is a total placebo.

Where am I wrong in this thought? (Except trusting that they are the good guys.)

Could this be happening?

Of course two people who run their own nodes could coordinate and see if they are ever part of one coinjoin. But then the next question is - what if they do this only for "interesting" utxos?

If the coordinator is adversarial, the combination of xpubs and small sets makes this attack easy and very hard to see from the transactions themselves.

I'm just thinking "out loud", not accusing anyone; I mainly want to see if I understand this correctly.
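An added toy model of the selection policy the post describes (this is example code written for this thread, not code from the post, from Samourai, or from Whirlpool). It assumes a made-up pool of users, a flag for "xpub already held by the coordinator's server", an honest coordinator that samples rounds uniformly, and an adversarial one that never places two xpub-unknown users in the same 5-participant round. It also implements the check from the post where two self-hosted users compare notes on whether they ever shared a round, and the exact per-round probability they would share one under honest selection.

```python
"""Toy model of a coordinator-driven equal-output coinjoin (5 in / 5 out).

Constructed example: user ids, pool sizes and the "xpub known to the
coordinator" flag are made-up inputs, not Samourai or Whirlpool data.
"""
import random
from fractions import Fraction

ROUND_SIZE = 5


def make_pool(n_users, n_self_hosted):
    """Users 0..n_self_hosted-1 run their own backend (xpub never shared);
    the rest handed their xpub to the coordinator's server (assumption)."""
    users = list(range(n_users))
    known_xpub = set(users[n_self_hosted:])
    return users, known_xpub


def pick_round(queue, known_xpub, adversarial, rng):
    """Choose ROUND_SIZE participants from the queue.

    Honest: uniform random sample.
    Adversarial: never put two xpub-unknown users in the same round;
    fill the remaining slots with users whose outputs the coordinator
    can already attribute. The resulting transaction looks like any
    other 5-in/5-out round on chain.
    """
    if not adversarial:
        return rng.sample(queue, ROUND_SIZE)
    unknown = [u for u in queue if u not in known_xpub]
    known = [u for u in queue if u in known_xpub]
    if not unknown:
        return rng.sample(known, ROUND_SIZE)
    target = rng.choice(unknown)
    return [target] + rng.sample(known, ROUND_SIZE - 1)


def anonymity_set(members, known_xpub):
    """Number of outputs an observer holding the coordinator's xpub
    database cannot attribute. In an equal-output coinjoin only those
    outputs are indistinguishable from each other; 1 means no mixing."""
    return sum(1 for u in members if u not in known_xpub)


def simulate(n_rounds, adversarial, seed=1, n_users=100, n_self_hosted=20):
    """Run n_rounds rounds and report, for rounds containing at least one
    self-hosted user, the mean anonymity set of those users, plus whether
    two specific self-hosted users (ids 0 and 1) ever shared a round."""
    users, known_xpub = make_pool(n_users, n_self_hosted)
    rng = random.Random(seed)
    rounds = [pick_round(users, known_xpub, adversarial, rng)
              for _ in range(n_rounds)]
    sets = [anonymity_set(r, known_xpub) for r in rounds]
    sets = [s for s in sets if s > 0]
    a, b = 0, 1  # the two self-hosted users comparing notes
    return {
        "mean_anon_set_of_self_hosted": sum(sets) / len(sets),
        "two_self_hosted_ever_shared_round": any(a in r and b in r for r in rounds),
    }


def p_two_users_share_round(n_users, round_size=ROUND_SIZE):
    """Exact probability under honest uniform selection that two given
    users land in the same round: C(n-2, k-2) / C(n, k) = k(k-1)/(n(n-1))."""
    return Fraction(round_size * (round_size - 1), n_users * (n_users - 1))


if __name__ == "__main__":
    for adv in (False, True):
        print("adversarial" if adv else "honest", simulate(5000, adv))
    print("p(share a round | honest, 100 users):", p_two_users_share_round(100))
```

The point the numbers make: under the adversarial policy every self-hosted user's anonymity set is exactly 1 while every round still looks well-formed, and the two colluding self-hosted users never see each other, which is the observable difference from honest selection, where with 100 queued users they should coincide about once every 495 rounds.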


Discussion

This is true of any centralized coordinator, if you can't trust them not to Sybil then using the tool is pointless.

You have pointed out the only caveat, in that Samourai could do so more cheaply because they can wield non-Dojo users as Sybil attackers in a sense.

Any time there is a centralized coordinator they could easily be all other participants in a mix and de-anon your spend.

Wasabi could do the same, and could do the same only for inputs flagged by whatever chain surveillance company they fund.

It's all trust.

This is the single biggest issue with Bitcoiners not being willing to do privacy at the base layer (like Monero) and instead pushing it to the app layer - we re-introduce trust where we technically do not have to.

And no, JoinMarket is not a solution as it's easier to Sybil.

You can't do the same in Wasabi without being detected because the attack target would have to register their non private input first (out of 150) and the malicious coordinator would have to deny registration from non sybil participants, including the attack target's next input. This allows an attacker coordinator performing a sybil attack to be detected by the target.

A second approach is a malicious coordinator that purposely never allows a round to succeed and can passively gather input registrations from multiple unsuccessful rounds in order to slowly try to cluster them together. This is somewhat detectable, I assume, since rounds never actually succeed?

Exactly...

Wasabi has one big round for everyone. People being kicked from the round is noticeable.

Even if you have two utxos, they are registered independently.

So if Wasabi coordinator would do this kind of attack, people would notice being kicked. If Whirlpool coordinator did it, you would never know.

Could you explain what is wrong with JoinMarket, please? I would expect that the fidelity bonds they use are an incentive to not do Sybil attack, to use just one identity. I see a problem if a taker does not care and takes offers with no or insufficient bonds. Or perhaps chainalysis and friends have enough money to put in the bonds, so it is not a real obstacle for them?

@hynek talks exactly about that in the podcast Stackuj.cz today.

Depending on your level of paranoia, you cannot assume that your xpub is safe anywhere.

An xpub is easy to spot if stored in a plain file, so as long as a malicious OS process has read access and can connect to the internet, all coinjoins are pointless.

The problem is not your xpub in this case, but coordinator choosing other participants in a way that they know the xpubs. You could be safe and yet not really mixed.

I agree. The issue you're referring to is the degrading 'quality' of the mix.

I just wanted to point out that mixing quality goes straight to zero if the xpub gets into wrong hands. Obviously such a wallet should no longer be used.

The attack I mentioned does not degrade the quality of the mix. It also goes to zero immediately.

So you can do everything right, don't share xpub and you are not mixed either - at all.

The standard would be: the coordinator is blinded, so it wouldn't know whom to block.

However - don't know if the blinding happens client side, or server (=coordinator) side. In the latter case, you are obviously at the mercy of Samourai running the actual same coordinator code as on their Gitlab.

BTW, this would be the same attack scenario I described about how Wasabi could use Chainal to deliberately route certain users into less private rounds.

*standard answer

Great minds think alike. Enqueued, will listen!