What can we learn from studying hacks? Revealing insights on privacy and cryptocurrency movements after the DAO 2016 hack


After the hacker responsible for the 2016 DAO hack was allegedly identified, it has become clear again that the hacks themselves are as important as cashing out the stolen crypto afterwards. But if even hackers have trouble remaining private, what are the options for the average person?

The word cryptocurrency has almost become synonymous with hacking. It seems as though every week there are eye-wateringly large hacks on exchanges, individual users' wallets, smart contracts, and the public blockchains on which they sit. In many cases the vectors of attack are obvious in retrospect: code was untested, internal processes to prevent phishing were non-existent, basic code standards were not followed, etc. Studying the hacks themselves will often not yield much interesting information for those already familiar with basic security practices.

But every crypto hack has two primary components: there is the hack itself, and then the methodologies by which the hacker and their cohorts attempt to cash out their stolen loot. For advocates of privacy, the attempts made to anonymize these funds are interesting case studies in the levels of anonymity achievable in public blockchain networks.

Because the funds are tracked closely by highly organized and well-funded government agencies and corporate entities, they provide an opportunity for the community to observe the efficacy of the various privacy wallets involved. If these hackers can't stay private, what are the chances that average users looking for privacy in public networks will be able to achieve it?

The DAO 2016 hack, an exemplary case

When studying these hacks and the subsequent arrests, it becomes clear that in the majority of cases, the hackers make significant mistakes when attempting to anonymize their cryptocurrency. In some cases, the failures are the fault of simple user errors. In other cases, they are caused by bugs in the wallet software they used or other less-than-obvious missteps in the path to converting the cryptocurrency into real-world assets.

Recently, a particularly interesting case, the 2016 DAO hack, had a significant development: an investigative Forbes article was published that identifies the alleged hacker. The process by which this individual was identified offers some insights into a widely used privacy wallet, Wasabi Wallet, and how improper use of the software can lead to a "demixing" of the alleged hacker's funds.

Critical mistakes were made

As for the order of operations, the hacker's first move was to convert some of their stolen funds from Ethereum Classic into Bitcoin. The hacker used the ShapeShift exchange to execute the swap, which at the time provided a full public record of all trades on the platform. From ShapeShift, some of the funds moved into Wasabi Wallet. From here, things go downhill.

For those unfamiliar, CoinJoin is the moniker for a particular transaction construction protocol that allows multiple parties to aggregate their funds into a large transaction with the goal of breaking the link between the funds flowing into the CoinJoin and the funds flowing out of the CoinJoin.

Instead of a transaction having a single payor and payee, a CoinJoin transaction has multiple payors and payees. Say for example you have a CoinJoin with 10 participants: if the CoinJoin is properly constructed and all rules of engagement are correctly followed, funds that come out of the CoinJoin will have an anonymity set of 10, i.e. any one of the 10 "mixed outputs" from the transaction could belong to any one of the 10 (or more) "unmixed inputs" to the transaction.

While CoinJoins can be a very powerful tool, there are many opportunities for participants to make critical mistakes that significantly degrade or completely undermine any privacy they might have gained from the CoinJoin. In the case of the alleged DAO hacker, such a mistake was made. As you'll read next, there is a possibility this failure was a user error; however, it is also possible there was a (since fixed) bug in Wasabi Wallet that led to this privacy failure.

Wasabi Wallet uses the ZeroLink protocol, which constructs CoinJoins with mixed outputs of equal value. What this means is that all users are required to mix only a specified, predetermined amount of Bitcoin. Any value above that amount that goes into the CoinJoin must be returned as unmixed Bitcoin to the respective users.

If for example Alice has a single 0.15 Bitcoin output, and the CoinJoin only accepts outputs of value 0.1 Bitcoin, on completion of the CoinJoin Alice would have a 0.1 mixed Bitcoin output and a 0.05 unmixed Bitcoin output. The 0.05 Bitcoin is considered "unmixed" because it can be linked to Alice's original output of 0.15. The mixed output cannot be directly linked to the input anymore, and will have an anonymity set that is composed of all the other participants in the CoinJoin.

To preserve the privacy of a CoinJoin, it is imperative that mixed and unmixed outputs are never associated with one another. In the case that they are accidentally aggregated on the bitcoin blockchain in a single transaction or set of transactions, an observer can use that information to trace mixed outputs back to their source.

In the case of the DAO hacker, it appears that in the process of using Wasabi Wallet, they used a single address in multiple CoinJoins; in one case the address was used as an unmixed change output, in the second case it was used as a mixed output.

This is a relatively unusual mistake in the context of a CoinJoin because this guilt-by-association method typically requires a transaction downstream of the CoinJoins to "merge" the unmixed and mixed outputs, linking them together. But in this case, no transactions beyond the two CoinJoins needed to be analyzed because the same address was used in conflicting ways across two separate CoinJoins.

Fundamentally, this possibility exists because of a design decision in the Wasabi Wallet software: Wasabi Wallet uses a single derivation path for both mixed and unmixed outputs. This is considered bad practice. It was stated by a Wasabi employee that this was to make wallet restoration compatible with other wallets; however, BIP84 (which is the derivation scheme Wasabi Wallet uses) does have a standard way of recognizing a derivation path assigned to change outputs.

Failures resulting from this design choice are most prominently seen when a user has two instances of Wasabi Wallet running at the same time while using the same seed. In this scenario, it would be possible for the two instances to pick the same address in this conflicting way when simultaneously attempting to run a mix from each instance. This is warned against in the official documentation. It is also possible that known bugs in Wasabi Wallet were the culprit.
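The following is an added example, not code from the article or from Wasabi Wallet: a small Python model of equal-value CoinJoin rounds that reproduces the failure described above (an address used as change in one round and as a mixed output in another) together with the coin-control check a wallet could run before reusing an address. The addresses, transaction ids and the BIP84 path check are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class CoinJoin:
    txid: str
    denom: int          # value of every mixed output, in satoshis
    mixed: list         # addresses of the equal-value (mixed) outputs
    change: list        # addresses of the unmixed change outputs


def split_input(value: int, denom: int) -> tuple:
    # Equal-value mixing: 0.15 BTC against a 0.1 BTC denomination -> (0.1 mixed, 0.05 change)
    if value < denom:
        raise ValueError("input smaller than the mix denomination")
    return denom, value - denom


def anonymity_set(cj: CoinJoin, addr: str) -> int:
    # A mixed output hides among all equal-value outputs; change links back to its owner (set of 1)
    if addr in cj.mixed:
        return len(cj.mixed)
    if addr in cj.change:
        return 1
    raise KeyError(addr)


def conflicting_addresses(coinjoins: list) -> dict:
    # Addresses used as change in one round and as a mixed output in another: the reuse
    # the post describes, which links the rounds without any downstream merge transaction.
    roles = defaultdict(set)
    for cj in coinjoins:
        for role, addrs in (("mixed", cj.mixed), ("change", cj.change)):
            for a in addrs:
                roles[a].add((role, cj.txid))
    return {a: sorted(r) for a, r in roles.items()
            if {role for role, _ in r} == {"mixed", "change"}}


def is_change_path(path: str) -> bool:
    # BIP84 paths are m/84'/coin'/account'/change/index; branch 1 is the standard change branch
    parts = path.split("/")
    return len(parts) == 6 and parts[:2] == ["m", "84'"] and parts[4] == "1"


# Constructed sample: two 0.1 BTC rounds; "bc1q_alice_reused" is Alice's change
# output in cj1 and, wrongly, one of the mixed outputs in cj2.
CJ1 = CoinJoin("cj1", 10_000_000, [f"bc1q_m1_{i}" for i in range(10)],
               ["bc1q_alice_reused", "bc1q_bob_change"])
CJ2 = CoinJoin("cj2", 10_000_000,
               ["bc1q_alice_reused"] + [f"bc1q_m2_{i}" for i in range(9)],
               ["bc1q_carol_change"])
```

Running `conflicting_addresses([CJ1, CJ2])` flags only `bc1q_alice_reused`, which is exactly the contamination a wallet's coin control should refuse before registering an output for a new round.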

Takeaways and conclusions

So what do we learn from this? While this bug with Wasabi is not quite the end of the story, it acted as a significant component in tracking down the alleged hacker. Once again, our belief that privacy is hard is reaffirmed. But practically, we have another example of the importance of preventing output contamination when using privacy tools, and how careful "coin control" is required of users and software alike. The question becomes, what kind of privacy protocols are designed to minimize this class of attack?

One interesting solution is a CoinSwap, where instead of merging outputs into a big transaction, you swap outputs with another user. In this way you are swapping coin histories, not joining coin histories. More powerfully, if a CoinSwap is done in an off-chain context (as is implemented by Mercury Wallet), there are no unmixed change outputs to deal with at all.

While there are possible user errors that can cause a CoinSwap to be "de-swapped," these errors are arguably much more obvious to the end-user, because any merge of outputs in a privacy-violating way could only be done by explicitly mixing a swapped output with one that has not yet been swapped, as opposed to merging two outputs that have already gone through a CoinJoin, only one of which is actually mixed.

Mercury Wallet is currently the only off-chain CoinSwap facility available to end-users. It lets users lock up their coins in a layer 2 protocol (known as a statechain) and then blindly swap their outputs with other users of the statechain. It's a very interesting technique and worth experimenting with for those interested in exploring new privacy tools with exciting functionality and acceptable trade-offs.

Guest post by John O'Donohu from
