The Risks of Using Wasabi Wallet
Digging into WabiSabi has revealed some core issues that should prevent users from considering using it. This list includes data risk, funding, and chain surveillance companies. Read on to learn more about the risks of using Wasabi Wallet.
Seth For Privacy
Freedom maximalist || Privacy advocate || Head of Content for @FOUNDATIONdvcs || Host of @optoutpod, a privacy-focused podcast.
A thread on Wasabi Wallet after more digging/research:
— Seth For Privacy (@sethforprivacy) April 3, 2023
First off, please do not connect my joining their Space last week or researching their protocol as lending *any* credence or support for their approach or wallet. I still do not recommend using it in any way.
Digging into WabiSabi has revealed some core issues that should prevent you from considering using it. Note this list is not in any particular order.
1) Wasabi's funding and willing usage of chain surveillance companies puts your on-chain data at risk when you use them.
This usage of CA could not only lead to harming your privacy directly, but could also easily be turned into a honeypot where "bad inputs" automatically get sent to mix with only Sybil inputs, providing 0 privacy but not showing that in your client.
Easy surveillance.
2) WabiSabi as a protocol is only a tool for aggregating inputs where each input/output is blinded from the coordinator, and is not in any way a Coinjoin protocol - it is merely the input aggregation portion of one.
As such, the specifics of the WW2 protocol are unclear.
3) There is currently *zero* way to verify the privacy provided by a given mixing round in WW2, and even Wasabi themselves don't seem to understand how their "anon score" metric works.
If you can't verify the privacy you get, you *should not trust it*.
4) "Lonely whales" (i.e. those with larger amounts of Bitcoin) can often gain *zero* privacy in mixes and have 100% deterministic links between their inputs and outputs.
Have seen as little as 6 BTC gaining no privacy from mixing rounds.
5) Due to the client + coordinator not learning amounts chosen by participants in rounds, you can never be sure that a mixing round provides you with any privacy, as it's always possible no one selects the same amounts as you, providing an anon set of 1 (your input/output).
6) The usage of "big TX = good privacy" in Wasabi marketing is BS, as the only thing that matters for privacy in a transaction is the potential outputs to match your inputs.
That is really only the outputs that share a denomination with your output, not all outputs in a TX.
7) If the creators of this purported privacy tool don't know how to measure the privacy provided by their protocol, it should raise red flags for you.
Not knowing how your own protocol actually provides privacy opens up so many potential implementation flaws.
8) There is a *long* history of tracing of Wasabi's previous implementation due to flaws in protocol and flaws in implementation, so we should be incredibly wary of trusting privacy claims until 100% proven over time.
9) There remain *zero* post-mix spending tools in Wasabi, something that is absolutely vital to actually gaining privacy from Coinjoins when spending Bitcoin. Even if the protocol was perfect this would lead to many privacy issues and "foot guns".
This thread comes after spending many hours digging into the WabiSabi protocol, their documentation, and speaking with them at length.
I have no personal beef with Wasabi but try to remain open to learning from new approaches and wanted to give WabiSabi a fair shake.
As a note to Thibaud and others I spoke with on the Space last week, that was not merely recon or similar, I genuinely wanted to learn and thought that would be a good place.
Unfortunately I didn't really get much mic time or many questions answered and it felt like marketing.
I don't write this thread to incite more hateful rhetoric between "camps," but because I care about *your* privacy above all and do not want to accidentally push people to use a tool I don't deem sufficient for privacy in Bitcoin.
Just as I love and recommend Monero widely while working on Bitcoin, I love and recommend @SamouraiWallet as a proven tool for privacy that I have used successfully over the years and seen proven time and again to work and provide solid privacy on-chain.
If I saw Wasabi Wallet as a workable and useful privacy tool today without core issues I wouldn't hesitate to recommend it, as I'm not an anything maximalist or tied to any camps.
But that is not the case today, and I can't recommend anyone use Wasabi Wallet (still).
I'm sure this will piss a lot of people off (I seem good at that recently 🙃) I want to always be sure that people know where I stand in relation to privacy tools, and that stance hasn't changed despite spending a good amount of time digging into Wasabi.
tl;dr: Keep using @SamouraiWallet or @SparrowWallet for Bitcoin privacy, the holistic toolkit they've built is beyond compare and has a proven track record of efficacy.
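Points 5 and 6 of the thread can be checked on any mixing transaction by counting how many outputs share each output's exact value. The following is an added example, not part of the original thread and not Wasabi's "anon score"; the function names and both sets of output values are constructed for illustration, and it counts equal-value outputs only.

```python
from collections import Counter

def anon_sets(outputs_sats):
    """For each output, the number of outputs in the same transaction
    that carry exactly the same value (the output itself included)."""
    counts = Counter(outputs_sats)
    return [counts[value] for value in outputs_sats]

def my_anon_set(outputs_sats, my_value):
    """Equal-value anonymity set for one output value; 0 if absent."""
    return Counter(outputs_sats)[my_value]

def summarize(outputs_sats):
    """Transaction-level view: total size versus what each output gets."""
    sets = anon_sets(outputs_sats)
    return {
        "outputs": len(sets),
        "unique_value_outputs": sum(1 for s in sets if s == 1),
        "smallest_set": min(sets),
        "largest_set": max(sets),
    }

# Constructed sample: a large round with three shared denominations and
# ten large outputs whose values nobody else in the round matches.
BIG_TX = (
    [5_000_000] * 12
    + [10_000_000] * 10
    + [20_000_000] * 8
    + [600_000_000 + i * 1_234_567 for i in range(10)]
)

# Constructed sample: a small round in which every output is equal.
SMALL_TX = [5_000_000] * 5

if __name__ == "__main__":
    for name, tx in (("big", BIG_TX), ("small", SMALL_TX)):
        print(name, summarize(tx))
    # The 6 BTC output sits in a 40-output transaction, yet it is the
    # only output with its value.
    print("whale output:", my_anon_set(BIG_TX, 600_000_000))
    print("small-round output:", my_anon_set(SMALL_TX, 5_000_000))
```
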