Full Disclosure: Denial of Service in STONEWALLx2 (p2p coinjoin) [combined summary]

Individual post summaries:

Full Disclosure: Denial of Service in STONEWALLx2 (p2p coinjoin) alicexbt 2022-09-10 10:20:48+00:00
Full Disclosure: Denial of Service in STONEWALLx2 (p2p coinjoin) alicexbt 2022-07-14 09:25:56+00:00

Click here to read the original discussion on the bitcoin-dev mailing list

Published on: 2022-09-10T10:20:48+00:00

Summary:

A vulnerability has been identified in the Samourai wallet's p2p coinjoin transaction STONEWALLx2, which has been assigned CVE-2022-35913. The issue was reported on July 14th, 2022, to the bitcoin-dev mailing list. The vulnerability involves a denial-of-service (DoS) attack where one participant spends the UTXO used in STONEWALLx2 before the transaction is completed, resulting in an error message for the other participant.Antoine Riard discovered and shared the details of this DoS attack in an email on June 21, 2022. To demonstrate the attack, he created a testnet wallet and used two Android devices to simulate Bob and Carol, who were following each other's paynyms. Carol initiated several paynyms, and when Bob initiated a STONEWALLx2 transaction that required collaboration with Carol, she spent the UTXO from her wallet before Bob could complete the final step. This action caused an error message to appear on Bob's app when trying to broadcast the transaction.In response to this vulnerability, the Samourai Wallet team proposed two suggestions to mitigate the issue. First, they recommended displaying an error message that informs the user that the collaborator has spent their UTXO used in STONEWALLx2, ending the p2p coinjoin process. The message would also suggest unfollowing the collaborator's paynym and recommend doing such transactions only with trusted users for the time being. Secondly, they suggested that once full Replace-by-Fee (RBF) is used by some nodes and miners, the attacker's transaction could be replaced with a higher fee rate. However, implementing this solution won't be straightforward as fees for STONEWALLx2 are shared equally between the participants.The timeline of events shows that Samourai acknowledged the issue on July 7, 2022, and shared their conclusions on July 14, 2022. Antoine Riard played a significant role in the discovery of the DoS vector in p2p coinjoin transactions and assisted during the testing phase by responding to emails.

Updated on: 2023-08-02T07:01:14.301183+00:00