Expert weighs in on Wasabi’s response to wallet security issues

Mário Havel of Paralelni Polis said Samourai’s allegations are correct.

Although the privacy-focused Bitcoin (BTC) wallet Wasabi Wallet recently dismissed allegations that its anonymity features may be compromised, a third-party expert disagrees.

In an August 19 blog post, Wasabi competitor Samourai claimed to have “discovered two potential privacy vulnerabilities in the Wasabi Wallet software.” Per the announcement, the company also found numerous issues with the anonymity of Wasabi Wallet’s CoinJoin Bitcoin mixer.

Mário Havel, co-founder of crypto-and-privacy non-profit Paralelni Polis, said that Samourai’s allegations seem credible and can be verified in Wasabi’s code. He explained:

“Disclosed vulnerabilities […] are not affecting the security of the wallet. [Instead they] affect only [the anonymity in] some CoinJoin scenarios in which the user is mixing more [unspent transaction outputs].”

Wasabi lead developer Adam Ficsor explained that the issue raised by Samourai is the lack of randomness in unspent transaction output, or UTXO, selection when performing CoinJoin mixing. He claimed that this does not impact anonymity, since only the users themselves know all the UTXOs in their wallet.

Havel pointed out that Wasabi users who use its CoinJoin feature should always know how to manage their UTXOs in a way that preserves anonymity:

“Doing privacy correctly, especially with tools like coin control, requires some learning and attention. In this case, the user has to be aware of possible attack scenarios and avoid them by managing UTXOs correctly.”

Wasabi’s Ficsor also said that Samourai has “claimed to ‘deanonymize’ Wasabi numerous times in the past.” This statement is in line with July 2019 reports in which Samourai first raised concerns over Wasabi’s CoinJoin implementation. Ficsor said that “the community knows their claims are inflated.” Mário Havel disagrees:

“There were many clashes in the past, more or less reasonable, but generally Samourai research does a good and interesting job for the privacy ecosystem of Bitcoin. Most of the claims against Wasabi are based around [the aforementioned problem, which is that] it requires some knowledge to use it properly privately.”

Havel does admit, however, that “Samourai and Wasabi are competition” and that both capitalize on their users’ CoinJoin fees. Both companies also benefit from damaging the reputation of their competition. He concluded:

“Personally, I use both wallets since both have different features and perks. […] Both are great wallets even without the CoinJoin feature and it is only up to the user how he uses it and what features of the wallet he needs.”