Wasabi Wallet

11 Dec 2024 17:35

> "The problem affects all implementations, but doesn't affect the LN protocol, as it's perfectly stated by the article."
"All versions of all LN implementations, even today, are vulnerable to a theoretical version of the attack that depends on natural variations in estimated onchain transaction fees; however, current-generation LN implementations have tightened their bounds to limit the maximum vulnerable amount per channel. Eliminating all variants of the vulnerability depends on changes to both the LN protocol and the Bitcoin P2P transaction relay protocol."
I might misunderstand here something, but this is really offtopic.

Wasabi Wallet

11 Dec 2024 16:39

What I sent is the code for the protocol. No vulnerability was found there, it would be a very big deal.

You can see an article here that does things correctly: https://delvingbitcoin.org/t/disclosure-irrevocable-fees-stealing-from-ln-using-revoked-commitment-transactions/1314
The problem affects all implementations, but doesn't affect the LN protocol, as it's perfectly stated by the article.

Anyway as you mentioned the case is closed, you made communication in a way that I felt unfair (especially considering who was the code owner at the time the vulnerability was introduced) and harming Wasabi using fake headlines and false sensationalism just to sell your product. As a result I do not wish to provide free advertisement for an entity like yours.

Note how I made no statement using Wasabi's account.

Wasabi Wallet

11 Dec 2024 16:13

https://github.com/WalletWasabi/NWabiSabi

Wasabi Wallet

11 Dec 2024 15:38

Your accusations are unacceptable.

A copy of a website is really easy to do, especially for a static website like our landing page and..... especially when the code is open source!!!!!!! Phishing is a societal problem, and it is delusional to think that we can fix it. It is also ridiculous to suggest to domain-squat every TLD to avoid scammers, there are thousands of TLD and we are not even a business.

However, we are doing everything we can to improve this problem by lowering the reputation of the phishing websites. Our actions, even if limited, reduced drastically the amount of reports we receive from basically 1 per week to 0.

You can see an example of such action here: https://github.com/phantom/blocklist/pull/883

Wasabi Wallet

11 Dec 2024 14:15

Hello, I want to solve import a wallet issue. It said “Invalid has of the base 58 String”

Wasabi Wallet

11 Dec 2024 13:28

@Carl_Lundstrom feel free to help to improve it yourself tho. We just don't spend much time on it as it's a game of whac-a-mole

Wasabi Wallet

11 Dec 2024 13:23

I suppose it's the same argument I have against securing all the variations of spellings for every other platform. For example, I could have taken the name "@Kruvved" on Telegram to reserve it and keep it out of the hands of imposters. But, no matter how much effort honest actors put in to try to reserve and renew credentials for all the possible combinations of phishing and imposter sites, it will never actually stop scammers from taking money from gullible people.

Wasabi Wallet

11 Dec 2024 13:16

Much of this would be better if the .com were available, but apparently it's not.

Wasabi Wallet

11 Dec 2024 13:02

Well, that is out of scope of the previous discussion.
Such scam websites have been around since forever.
Unfortunately there is not much we can do about that. We've reported them many times, sometimes they get removed.

About it looking the exact same, anyone can copy our website. So it's not something done "from the inside".
All bitcoin wallets have scam websites.

Wasabi Wallet

11 Dec 2024 12:35

Exactly, that's why it's a good combo:)

Wasabi Wallet

11 Dec 2024 12:30

It did. That went well. What I meant was that usually a vulnerability gets disclosed, then a journalist might read it and decide to go write about it.
Now the "journalists" were clearly informed beforehand as they published the articles at the exact same time as the vulnerability disclosure. Not that it really matters, but it shows the incentives.

Wasabi Wallet

11 Dec 2024 12:23

Uppercase letters for QR codes is the standard. The wallets who are unable to recognize addresses formatted in uppercase are the ones who need to update, unfortunately.

Wasabi Wallet

11 Dec 2024 12:07

Brother, I have a small suggestion. The address of the wasa wallet is all uppercase letters when scanned, which makes some wallets unable to recognize it. Can it be changed to lowercase letters?

Wasabi Wallet

11 Dec 2024 11:57

Yes, I have been using it for 5 hours today. All the previous ones were good, but I can't see this coin recently.

Wasabi Wallet

11 Dec 2024 11:56

Is your wallet synchronized?

Wasabi Wallet

11 Dec 2024 16:58

Again, nobody takes away the fact that you _tried_ to make a serious protocol, but you left that road long ago.
Nobody would be able to implement the current "WabiSabi protocol" without either by forking from Wasabi OR a very heavy reverse engineering of the current working coinjoins.
The best you can say, that Wasabi is _based_ on that paper you mentioned.

Wasabi Wallet

11 Dec 2024 16:22

And? Will it work? No.

Wasabi Wallet

11 Dec 2024 16:11

I write the following here only once, everyone can think about it.
Yes, you are right this was a software vulnerability, not a protocol issue, BECAUSE there is no such thing as "WabiSabi protocol".
If there was such thing then there would be a big documentation on what to implement and what to check/test like an USB protocol, if you do that, it needs to work. And there would be no possibility to instantaneously close out numerous coordinators with a single decision like minimum input, free/not free and so on ... since that's part of the protocol, doesn't it?
But it happened, since there is _exactly_ one implementation and that can be faulty, not the protocol of course...
When a game network code leaks out and turns out it has vulnerability issues, they just fix it, and never ever seen the excuse "well it was a coding issue, the protocol was right". It's just awkward.
Was the vulnerability there? Yes, it was. Fixed? Yes, it's fixed. Case closed, nobody really interested in "protocol" excuses when there is a single implementation without exhaustive description.

Wasabi Wallet

11 Dec 2024 15:29

For the record, I removed GW from LiquiSabi because this entity is spreading FUD (lies basically) in the goal to harm Wasabi's reputation. Basically what SW was doing.

Specifically: A Vulnerability in "WabiSabi"

I read this everywhere, including in litterature written in-house by GW, but it's extremely incorrect and misleading: GW hasn't found a vulnerability in WabiSabi. Semantic is extremely important here, a vulnerability in the protocol would require an immediate hard fork and be an extremely big deal. A vulnerability in the client (what it really was), is not a big deal, requires a progressive update as it was done and that's it.

As a result, I don't want to provide free advertising on my personal project to an entity acting like this. Personal project that is BTW open source, you are free to run the code, so I really don't see the problem

I don't see how the fact that I cherry pick MIT code that you write is relevant here.

Feel free to contact me privately if you need further information, this will be my only public statement

Wasabi Wallet

11 Dec 2024 13:38

Ok will check what I can do

Wasabi Wallet

11 Dec 2024 13:24

One member of the team successfully got the .is phishing site blocked automatically for users of the metamask browser extension. This proactive move probably saved some BTC from falling into thief hands.

Wasabi Wallet

11 Dec 2024 13:18

That's no reason to be passive while people get robbed. What's your argument against securing the .is name?

Wasabi Wallet

11 Dec 2024 13:15

How about securing the situation by buying all similar domains? If someone refuses to sell or requires extra $$ there is a dispute mechanism where you will get the domains for just the cost that the squatter had actually had, plus of course a fee for the paperwork

Wasabi Wallet

11 Dec 2024 12:47

Those who worry about the reputation of Wasabi Wallet should start by weeding out the events around the scam site wasabiallet.is
It went up and down during a long time and was (or is) such a perfect copy of the real site that probably many suspect it to have been the work of someone on the inside. At least I would have treated that event as a major emergency

Wasabi Wallet

11 Dec 2024 12:33

Meh. Journalists are incentivized to write hit piece clickbait no matter what. And the two journalists in particular who wrote about it have their own personal battles with Wasabi.

Wasabi Wallet

11 Dec 2024 12:24

Ginger Wallet has never intended, nor does it currently intend, to tarnish the reputation of Wasabi Wallet, and this will remain the case in the future. Beyond the technical aspects, we have no influence over the article in question.

I must agree that every project is free to do as it wishes. However, I find it contradictory and puzzling that @Turbolay , on the one hand, integrates code from Ginger into Wasabi, and on the other hand, labels us as adversaries and removes us from Liquisabi.

Wasabi Wallet

11 Dec 2024 12:22

Wasn't the vulnerability responsibly disclosed with enough notice? This is what allowed the bugfix to already be 2 versions deep by the time the journalists published their pieces. I didn't compare all the pieces closely, but the main problem with the writing is that it describes the issue as a protocol vulnerability rather than a client bug. This doesn't specifically make Wasabi look worse compared to other clients who inherited the same bug.

Anyways, as you mentioned, Liquisabi is a personal project so it's entirely up to the decision of its maintainer.

Wasabi Wallet

11 Dec 2024 11:59

You are sure the confirmed tx is to the right address? Is the address still displayed at Receive -> Addresses awaiting payment?

Or did you send to an already used address and amount of 5k sats or lower?

Wasabi Wallet

11 Dec 2024 11:56

Where did you download Wasabi from?

Wasabi Wallet

11 Dec 2024 11:55

The problem is that there is no such address in the address bar, but when transferring money, this address popped up automatically.