Defeating Anonymous Attackers

Coinjoins are privacy-preserving transactions that contain funds from many users. This operation requires unanimous teamwork: Unless every user signs the transaction, Bitcoin nodes will reject it as invalid, and no privacy progress will be made. This poses a challenge to honest users since there is no cost to an attacker who continuously causes coinjoins to fail, resulting in a denial of service (DoS).

This is where the role of the centralized coinjoin coordinator comes into play. The coordinator acts as a bouncer to exclude known troublemakers, ensuring that honest users are not left waiting indefinitely. ZkSNACKs, which runs the default coordinator for Wasabi Wallet, uses a handful of methods to identify and defeat DoS attacks to improve coinjoin success rates.

First, the economics of DoS attacks are considered. The minimum value allowed to participate in a Wasabi coinjoin is 5000 sats (0.00005000 BTC). When disrupting a coinjoin round, the attack is equally effective whether the missing signature belongs to a low-value input or a high-value input. Due to this threat of an attacker splitting his coins into small pieces, low-value coins are subject to longer bans than high-value coins.

Second, DoS penalty evasion is considered. If a particular address is banned for causing a coinjoin to fail, the attacker can move the coins from the banned address to a fresh address and attempt to register again. To combat this circumvention, bans from previously offending addresses are inherited by the coins they send. This prevents attackers from reusing the same funds for multiple disruptions.

Third, the nature of the offense is considered. There are 3 ways to cause trouble with a coinjoin transaction:

  • Register inputs and fail to sign the final transaction
  • Double spend a registered input before signing
  • Double spend a registered input after signing

Failure to sign may not be intentionally malicious since it can occasionally occur due to limitations of the Tor network’s stability, or because a careless user closes his laptop after the input registration phase. Double spending is prevented by clients and is a clearer indicator of deliberate disruptive activity. The type of offense and the history of previous offenses affect how long a coin is banned.
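The three considerations above (coin value, ban inheritance, and offense type plus history) can be combined into one ban ledger. The sketch below is an added example, not Wasabi's or zkSNACKs' code. The severity multipliers, the square-root value scaling, the doubling per repeat offense and all class and method names are assumptions, and only the 5000 sat minimum comes from the article.

```python
import math
from dataclasses import dataclass
from enum import Enum

# Every constant here is an illustrative assumption except the 5000 sat
# minimum, which is the only figure the article gives.
MIN_INPUT_SATS = 5_000
ONE_BTC_SATS = 100_000_000
BASE_BAN_HOURS = 1.0

class Offense(Enum):              # value = assumed severity multiplier
    FAILED_TO_SIGN = 1.0          # may be accidental (Tor drop, closed laptop)
    DOUBLE_SPEND_BEFORE_SIGN = 4.0
    DOUBLE_SPEND_AFTER_SIGN = 8.0

@dataclass
class Ban:
    until: float                  # model time in hours
    offenses: int                 # offense history carried by the coin

class BanLedger:
    def __init__(self):
        self.bans = {}            # outpoint "txid:n" -> Ban

    def ban_hours(self, value_sats, offense, prior_offenses):
        # Cheap coins are cheap to sacrifice, so they are banned for longer.
        value_factor = max(1.0, math.sqrt(ONE_BTC_SATS / max(value_sats, MIN_INPUT_SATS)))
        return BASE_BAN_HOURS * offense.value * value_factor * 2 ** prior_offenses

    def punish(self, outpoint, value_sats, offense, now):
        prior = self.bans.get(outpoint, Ban(until=0.0, offenses=0))
        hours = self.ban_hours(value_sats, offense, prior.offenses)
        self.bans[outpoint] = Ban(max(prior.until, now + hours), prior.offenses + 1)
        return hours

    def inherit(self, spent_outpoints, created_outpoints):
        # Moving banned coins to fresh addresses does not reset the ban:
        # every new output carries the worst ban among the spent inputs.
        parents = [self.bans[o] for o in spent_outpoints if o in self.bans]
        if parents:
            for o in created_outpoints:
                self.bans[o] = Ban(max(p.until for p in parents),
                                   max(p.offenses for p in parents))

    def can_register(self, outpoint, value_sats, now):
        ban = self.bans.get(outpoint)
        return value_sats >= MIN_INPUT_SATS and (ban is None or now >= ban.until)
```

In this model a 0.01 BTC coin that fails to sign is banned ten times longer than a 1 BTC coin, and outputs created by spending it stay unregistrable until the original ban expires.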

Stability Improvements

When Wasabi 2.0 was first released, Tor was under a network-wide attack that severely degraded its connection reliability. As a result, the coordinator cannot be too strict with the bans it uses to prevent DoS, since honest users may inadvertently disconnect without signing.

In November 2022, benchmark statistics were measured showing coinjoins would succeed only 10% of the time on the first attempt, and slightly less than 50% of the time on subsequent attempts (known as “blame rounds”). With the release of v2.0.2.1 in December, these metrics improved to 15% success on the first attempt.

As a result of months of hard work by the Wasabi and Tor developers, updated statistics from October 2023 show that the overall success rate has more than doubled since the previous year, with over 50% of new rounds and over 80% of blame rounds succeeding. This consistency makes privacy convenient for patience minimalists who quickly tire of the soothing glow of the countdown timer.

Entering the Fee Market

The fee rate of the coinjoin transaction is another variable to account for while waiting for full privacy. The coordinator chooses the mining fee for the coinjoin round before users join; however, fee estimation is not a simple task. On average, a new Bitcoin block is mined every 10 minutes, but there is no way to predict exactly when one will be found or how many new transactions will outbid you until then.

There are special considerations when choosing the fee rate for coinjoin transactions. Participants often pay several times more in mining fees for a coinjoin transaction compared to a regular payment since they can register multiple inputs and outputs. This increases the marginal advantage for sniping the lowest possible fee rate. In addition, coinjoins are not considered urgent because users are often sending coins to themselves and not to others, so whether or not the transaction is confirmed quickly is not as important because there is no risk that incoming funds will be double spent and lost.

Allowing coinjoin transactions to wait in the mempool also has an unintended privacy benefit. Since unconfirmed coins cannot be registered for new rounds, users who remix their outputs must wait additional time for their first coinjoin to be mined. By increasing the time period in between consecutive rounds, users are less likely to participate with the same users from their previous round.

Despite these advantages for choosing a low fee, there are also unique reasons for coinjoin transactions that would justify choosing a high fee as a precaution. Users who send a regular payment that gets stuck can easily use Replace By Fee (RBF) to increase its confirmation priority. However, since coinjoins require the cooperation of many users, the first fee is final. There is no way to replicate a higher fee replacement if even a single participant goes offline.

Another reason to prefer a higher fee for coinjoins is that they are disproportionately affected by transaction size limitations in Bitcoin Core’s mempool and block construction logic. Once a chain of transactions spending unconfirmed coins grows too large, nodes will ignore new transactions attempting to build on top of it.

Unfortunately, mining pools have not yet optimized to collect fees from coinjoin transactions. Miners only calculate the single highest paying descendant transaction package, which may cause them to overlook the confirmation of an extra profitable coinjoin with many spent child outputs.

Patience Preferences

Since it’s impossible to choose a fee that satisfies both the impatient and the thrifty at the same time, Wasabi has a feature called “Coinjoin time preference” to ensure that you don’t get hit with higher than expected mining fees.

If a coinjoin round requires a higher fee than the median of the previous day, week, or month, your client can be configured to skip that round and wait until fees drop or stabilize. This customization gives both spenders and savers flexibility without compromising their preferences or splitting the liquidity pool.

Setting a long coinjoin time preference makes it easy to handle the small coins that accumulate in your wallet as you send and receive transactions. Whenever the best deal on fees becomes available, your wallet will privately consolidate your UTXOs so you can readily spend them when fees increase again.

In conclusion, the combined speed provided by DoS fortification and smart savings from the coinjoin time preference feature has significantly improved Wasabi’s user experience. These advancements and tools have made privacy not only more convenient but also more cost-effective. Coinjoins have never been spicier. Try Wasabi Wallet today and join the crowd.