last week an audit of the samourai wallet whirlpool code revealed that the coordinator could match a coinjoin’s inputs and outputs – thus providing zero privacy against samourai. @1440000bytes reported it, didn’t see too many reactions. why aren’t more people talking about this?
Link? It's zerolink, so there should be at least different identities for each output + one for all inputs iirc
Are you saying that samourai users have zero privacy from samourai as coordinator which means feds since they stole their computers?
Not directly implying that, but it’s very possible. Maybe they deleted this data, maybe they didn’t and the feds have it now. The issue is that it was possible to have it in the first place.
They had a practice of collecting user data, via in-wallet links to their proprietary analytics for users to review transactions. Also their practice of requesting xpubs whenever helping users. It is very safe to assume they kept all user data they could collect because it enhanced their private analytics. They made themselves an irresistible target for the feds, and fucked their users over in the process.
Sparrow does not manage tor identities, neither does the android app, only the desktop client does, and it constantly reuses the input circuit.
https://primal.net/e/note1wgjud5u2p7s5gm4723q3q7apx9r0jqvw3437sc8kj8y64r4re2esd5ns8x https://primal.net/e/note190khca9m94r5wruu0tgaddz92c9levkddx4jkggqlv0egjvfx58s8dyu09 https://primal.net/e/note1s8g546a7j2de3ez2x27z8x4gh6qq20qmtfskr930f8wx2t0vysdssc97w9 https://primal.net/e/note1x4gmu82e08pln6h47skck7eg08fyqw4zp0punn00n9l840w0ntvqq2drsz https://github.com/sparrowwallet/sparrow/issues/1328 I have talked a lot about it, look in my comments.
Because it is even worse than that, or at least that's how I understand it. The Whirlpool client uses a session ID for all requests and the server attaches that session ID to all websockets in order to identify them. The server even logs all that info.
```
> grep log **/*.java | grep username
main/java/com/samourai/whirlpool/server/controllers/websocket/SubscribePoolController.java: log.trace("(<) [" + username + "] " + headers.getDestination());
main/java/com/samourai/whirlpool/server/services/WebSocketService.java: log.warn("(>) " + username + " sendPrivateError: " + message);
main/java/com/samourai/whirlpool/server/services/WebSocketSessionService.java: log.trace("(<) " + username + " connect");
main/java/com/samourai/whirlpool/server/services/WebSocketSessionService.java: log.trace("(<) " + username + ": disconnect");
main/java/com/samourai/whirlpool/server/services/MixService.java: log.warn("Rejecting already revealed username: " + username);
main/java/com/samourai/whirlpool/server/services/MixService.java: log.info("[" + mixId + "] " + username + " revealed output");
main/java/com/samourai/whirlpool/server/services/MixService.java: log.info("[" + mixId + "] " + username + " registered signature");
main/java/com/samourai/whirlpool/server/services/PoolService.java: log.info("[" + pool.getPoolId() + "] " + username + " removed 1 liquidity from pool");
main/java/com/samourai/whirlpool/server/services/PoolService.java: log.info("[" + pool.getPoolId() + "] " + username + " removed 1 mustMix from pool");
main/java/com/samourai/whirlpool/server/controllers/websocket/ConfirmInputController.java: log.debug("(<) [" + payload.mixId + "] " + username + " " + headers.getDestination());
main/java/com/samourai/whirlpool/server/beans/Mix.java: log.info("[" + mixId + "] " + username + " unregistered from confirming inputs");
main/java/com/samourai/whirlpool/server/controllers/websocket/RevealOutputController.java: log.debug("(<) [" + payload.mixId + "] " + username + " " + headers.getDestination());
main/java/com/samourai/whirlpool/server/controllers/websocket/SigningController.java: log.debug("(<) [" + payload.mixId + "] " + username + " " + headers.getDestination());
main/java/com/samourai/whirlpool/server/config/websocket/WebSocketConfig.java: log.debug("(<) " + username + " subscribe");
main/java/com/samourai/whirlpool/server/config/websocket/WebSocketConfig.java: log.debug("(<) " + username + " connect");
main/java/com/samourai/whirlpool/server/config/websocket/WebSocketConfig.java: log.debug("(<) " + username + " disconnect");
```
```
> grep log **/*.java | grep "ip="
main/java/com/samourai/whirlpool/server/services/RegisterInputService.java: log.warn("Rejecting banned UTXO: [" + banTO.get() + "], ip=" + ip);
```
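Added example, not part of the post above or of the Whirlpool code: a Python check over constructed log lines, shaped like the log statements in the grep output, that lists the session IDs tagging both an output event and another event of the same mix. The session IDs, mix IDs and the `/example/confirmInput` destination are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: message shapes follow the log statements in the grep
# output above; session IDs, mix IDs and the destination path are invented.
SAMPLE_LOG = """\
(<) sess-a1 connect
(<) [mix-01] sess-a1 /example/confirmInput
[mix-01] sess-a1 registered signature
[mix-01] sess-a1 revealed output
(<) [mix-01] sess-b2 /example/confirmInput
[mix-01] sess-b2 registered signature
(<) sess-b2: disconnect
[mix-02] sess-c3 registered signature
[mix-02] sess-d4 revealed output
"""

# Matches "[mixId] username event", with or without the "(<) " prefix.
LINE = re.compile(r"^(?:\(<\) )?\[(?P<mix>[^\]]+)\] (?P<user>\S+) (?P<event>.+)$")


def events_by_session(log_text):
    """Map (mix id, session id) -> set of event strings logged under that id."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:  # connect/disconnect lines carry no mix id and are skipped
            seen[(m["mix"], m["user"])].add(m["event"])
    return seen


def linkable_sessions(log_text):
    """Return {mix id: [session ids]} where one id tags an output event
    and at least one other event of the same mix."""
    linked = defaultdict(list)
    for (mix, user), events in sorted(events_by_session(log_text).items()):
        if "revealed output" in events and len(events) > 1:
            linked[mix].append(user)
    return dict(linked)


if __name__ == "__main__":
    for mix, users in linkable_sessions(SAMPLE_LOG).items():
        print(mix, users)
```

In the constructed sample, `mix-02` yields nothing because its output event arrives under an identifier that appears nowhere else in that mix.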
Unfortunately it is safe to assume anything that was ever whirlpooled is fully deanonymized and in the hands of feds. nostr:nevent1qqspkewj3x853qsmc73sd0y0quxgwp4f549qz9spdg64wh2tmd4v57cpr9mhxue69uhhyetvv9ujumt0d4hhxarj9ecxjmnt9upzq5q9f5r79n0n9vgr2ammm88h8xf2ft3zlywpffmzald2t0mp7364qvzqqqqqqy6hhds3