author: alicexbt <alicexbt@protonmail.com> 2022-09-10 10:20:48 +0000
committer: bitcoindev <bitcoindev@gnusha.org> 2022-09-10 10:20:56 +0000
commit: 67975061daf38dd042aaec6d0cb2c18b88f39559 (patch)
tree: 6fb7b1f0c7d267d8d50c4eabfbc1cb18996807f4
parent: 975086ff30a4ab975c0a0b6ebf984f9391bfcc3a (diff)
Re: [bitcoin-dev] Full Disclosure: Denial of Service in STONEWALLx2 (p2p coinjoin)
-rw-r--r-- 21/d27b0d76f3b05e4e89b176d05d0cdaccbe211e 201
1 files changed, 201 insertions, 0 deletions
diff --git a/21/d27b0d76f3b05e4e89b176d05d0cdaccbe211e b/21/d27b0d76f3b05e4e89b176d05d0cdaccbe211e
new file mode 100644
index 000000000..81d72e5b5
--- /dev/null
+++ b/21/d27b0d76f3b05e4e89b176d05d0cdaccbe211e
@@ -0,0 +1,201 @@
+Return-Path: <alicexbt@protonmail.com>
+Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])
+ by lists.linuxfoundation.org (Postfix) with ESMTP id 079CFC002D
+ for <bitcoin-dev@lists.linuxfoundation.org>;
+ Sat, 10 Sep 2022 10:20:56 +0000 (UTC)
+Received: from localhost (localhost [127.0.0.1])
+ by smtp3.osuosl.org (Postfix) with ESMTP id E03AB60E73
+ for <bitcoin-dev@lists.linuxfoundation.org>;
+ Sat, 10 Sep 2022 10:20:55 +0000 (UTC)
+DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org E03AB60E73
+Authentication-Results: smtp3.osuosl.org;
+ dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com
+ header.a=rsa-sha256 header.s=protonmail3 header.b=yrMnJQ8W
+X-Virus-Scanned: amavisd-new at osuosl.org
+X-Spam-Flag: YES
+X-Spam-Score: 6.838
+X-Spam-Level: ******
+X-Spam-Status: Yes, score=6.838 tagged_above=-999 required=5
+ tests=[BAYES_20=-0.001, BITCOIN_IMGUR=2.043, DKIM_SIGNED=0.1,
+ DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
+ FREEMAIL_FROM=0.001, HOSTED_IMG_MULTI_PUB_01=2.999,
+ PDS_OTHER_BAD_TLD=1.999, RCVD_IN_MSPIKE_H2=-0.001,
+ SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
+Received: from smtp3.osuosl.org ([127.0.0.1])
+ by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
+ with ESMTP id 7WuFU9fpsx6N
+ for <bitcoin-dev@lists.linuxfoundation.org>;
+ Sat, 10 Sep 2022 10:20:55 +0000 (UTC)
+X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
+DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org D5CEE60E46
+Received: from mail-4318.protonmail.ch (mail-4318.protonmail.ch [185.70.43.18])
+ by smtp3.osuosl.org (Postfix) with ESMTPS id D5CEE60E46
+ for <bitcoin-dev@lists.linuxfoundation.org>;
+ Sat, 10 Sep 2022 10:20:54 +0000 (UTC)
+Date: Sat, 10 Sep 2022 10:20:48 +0000
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
+ s=protonmail3; t=1662805252; x=1663064452;
+ bh=XG9eDOeINs5BwFKRjRZxYFqo7rCqaCRIIon40NSbQdk=;
+ h=Date:To:From:Reply-To:Subject:Message-ID:In-Reply-To:References:
+ Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
+ Message-ID;
+ b=yrMnJQ8WZiuZAeV55yhffoVNDy2hjE+5NaZB5i+algzBcAGJ0G5aYSsTJtNSRtmG9
+ fkEr29GeUp9T5PzDiDrHZ7BR1fUZy6rD1bLviTEaYYubBX/dDlVRSryPThOqntUdFJ
+ K2HHOLj64XGNBzkCkpvfedELmFr+/cv3fzCAFiaXld8/ubtmjvWqg2MkTwPoThMVvn
+ hxlaDEhmIeoiY/2iGsXlMwQ0a9CDRCmRObBMKHfIHRWlnffFyfziNAefDTRnhUts2V
+ 4FNY7fYPsp6b0kP790CjU9t3h4CD4PB7YygF2OrY9kJcM8BMeyOFCw1yKVYojMPY2Q
+ /t6Sd6YGG8mBw==
+To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
+From: alicexbt <alicexbt@protonmail.com>
+Reply-To: alicexbt <alicexbt@protonmail.com>
+Message-ID: <uQ5LTbHpJKnhgCIXly1Ft5rq_8HCz4_jkLP2sHrqvjXNrYbrWuCm2MOC4KmQCoPLlC_esQNi38Hman6j2zJYM2xJUq4W_p8lt_-BH1GHmcM=@protonmail.com>
+In-Reply-To: <eCSIPVH6QM3r1n0PGBWr39xv4BSyAWx6q0icycfo4mESnQfNg7NJWRu7wwyoxnR6E9Own_CJxGVufqQhqx1H4JyAQil3MUUkdI_kUC5bmVg=@protonmail.com>
+References: <eCSIPVH6QM3r1n0PGBWr39xv4BSyAWx6q0icycfo4mESnQfNg7NJWRu7wwyoxnR6E9Own_CJxGVufqQhqx1H4JyAQil3MUUkdI_kUC5bmVg=@protonmail.com>
+Feedback-ID: 40602938:user:proton
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf-8
+Content-Transfer-Encoding: quoted-printable
+X-Mailman-Approved-At: Sat, 10 Sep 2022 15:31:15 +0000
+Subject: Re: [bitcoin-dev] Full Disclosure: Denial of Service in STONEWALLx2
+ (p2p coinjoin)
+X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
+X-Mailman-Version: 2.1.15
+Precedence: list
+List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
+List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
+ <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
+List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
+List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
+List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
+List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
+ <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
+X-List-Received-Date: Sat, 10 Sep 2022 10:20:56 -0000
+
+This has been assigned CVE-2022-35913: https://www.cve.org/CVERecord?id=3DC=
+VE-2022-35913
+
+/dev/fd0
+
+Sent with Proton Mail secure email.
+
+------- Original Message -------
+On Thursday, July 14th, 2022 at 9:25 AM, alicexbt via bitcoin-dev <bitcoin-=
+dev@lists.linuxfoundation.org> wrote:
+
+
+> Hi bitcoin-dev list members,
+>=20
+>=20
+> STONEWALLx2[1] is a p2p coinjoin transaction in Samourai wallet. The mine=
+r fee is split between both participants of the transaction.
+>=20
+>=20
+> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
+=3D=3D
+> Problem
+> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
+=3D=3D
+>=20
+> Antoine Riard shared the details of DoS attack in an [email][2] on 21 Jun=
+e 2022.
+>=20
+> Proof of Concept:
+>=20
+> 1) Download Samourai APK, create testnet wallet, get some coins from fauc=
+et and claim a paynym in 2 android devices. Consider Bob and Carol are usin=
+g these devices.
+>=20
+> 2) Bob and Carol follow each other's paynyms. Carol is the attacker in th=
+is case and she could make several paynyms.
+>=20
+> 3) Bob initiates a Stonewallx2 transaction that requires collaboration wi=
+th Carol.
+>=20
+> 4) Carol confirms this request in the app.
+>=20
+> 5) Carol spends the UTXO from wallet configured in electrum with same see=
+d before Bob could complete the last step and broadcast STONEWALLx2 transac=
+tion. It was non RBF [transaction][3] with 1 sat/vbyte fee rate and was unc=
+onfirmed during testing.
+>=20
+> 6) Bob receives an [error][4] in the app when trying to broadcast Stonewa=
+llx2 transaction which disappears in a few seconds. The [progress bar][5] a=
+ppears as if wallet is still trying to broadcast the transaction until Bob =
+manually go back or close the app.
+>=20
+>=20
+> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
+=3D=3D
+> Solution
+> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
+=3D=3D
+>=20
+> Suggestions:
+>=20
+> a) Error message that states collaborator spent her UTXO used in STONEWAL=
+Lx2, end the p2p coinjoin process, unfollow collaborator's paynym and sugge=
+st user to do such transactions with trusted users only for a while.
+>=20
+> b) Once full RBF is used by some nodes and miners, attacker's transaction=
+ could be replaced with a higher fee rate.
+>=20
+> Conclusions by Samourai:
+>=20
+> a) As the threat involves the collaborator attacking the spender. We stro=
+ngly advise that collab spends be done w/ counterparties with which some me=
+asure of trust is shared. As such, this does not seem to have an important =
+threat surface.
+>=20
+> b) Bumping fee won't be simple as fees are shared 50/50 for STONEWALLx2 s=
+pends. Change would have to be recalculated for both spender and collaborat=
+or. Collab would either have had already authorized a possible fee bump bef=
+orehand or would have to be prompted before broadcast.
+>=20
+>=20
+> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
+=3D=3D
+> Timeline
+> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
+=3D=3D
+>=20
+> 22 June 2022: I emailed Antoine after testing STONEWALLx2
+>=20
+> 23 June 2022: I shared the details of attack in a confidential issue in S=
+amourai wallet [repository][6]
+>=20
+> 07 July 2022: TDevD (Samourai) acknowledged the issue and wanted to discu=
+ss it internally with team
+>=20
+> 14 July 2022: TDevD shared the conclusions
+>=20
+>=20
+> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
+=3D=3D
+> Credits
+> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
+=3D=3D
+>=20
+> Antoine Riard discovered DoS vector in p2p coinjoin transactions and help=
+ed by responding to emails during testing.
+>=20
+>=20
+> [1]: https://docs.samourai.io/spend-tools
+> [2]: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-June/02=
+0595.html
+> [3]: https://mempool.space/testnet/tx/42db696460a46f196f457779d60acbf46b3=
+1accc5414b9eac54b2e785d4c1cbb
+> [4]: https://i.imgur.com/6uf3VJn.png
+> [5]: https://i.imgur.com/W6ITl4G.gif
+> [6]: https://code.samourai.io/wallet/samourai-wallet-android
+>=20
+>=20
+> /dev/fd0
+>=20
+>=20
+> Sent with Proton Mail secure email.
+>=20
+> _______________________________________________
+> bitcoin-dev mailing list
+> bitcoin-dev@lists.linuxfoundation.org
+> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
+
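Review bot: the body of the added message is stored still quoted-printable encoded (the header declares Content-Transfer-Encoding: quoted-printable), so the CVE link at the top of the body is split by a soft line break and carries `=3D` in place of `=`; copied as-is it is not the intended URL. Decode the body before extracting links or indexing it: the reference reads https://www.cve.org/CVERecord?id=CVE-2022-35913, the `=20` at the end of quoted lines is a trailing space, and the `=3D` runs around Problem, Solution, Timeline and Credits are plain `=` rulers. The same applies to the wrapped reference URLs [2] and [3] in the quoted text. The reply itself contributes only the CVE assignment; the proof of concept, the suggestions and Samourai's conclusions all sit in the quoted 14 July 2022 message.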