PSA: when your protocol is so broken it's a giant pile of horseshit, it's an effective gish gallop you can pat yourself on the back for shipping fake "fixes" to "vulnerability disclosures" while gaslighting about having known about the issue
p.s. you scammers still owe me a bounty and disclosure for the first vulnerability i found in your shitty wallet @wasabiwallet, the RSA blind sig stockpiling issue
context: https://t.co/hQuJox74QV
my position on this, the "vulnerability" is bullshit, the "fix" is bullshit, tagging was *ALWAYS* possible as i have explained at length, before the release in my numerous issues that i opened about this, after the release in my angry tweet threads
this is the "fix": https://t.co/EA1gLJLqem it addresses a regression where the round ID was not computed as a hash from the parameters of the coinjoin session (which is idiosyncratically called a "round")
this now checks that the ownership proofs commit to the round ID, and that that in turn is a commitment to the parameters, variations in the parameters can be used to tag clients
but this is just sleight of hand: the public key against which the ownership proofs are verified is just... given by a potentially malicious coordinator (or by cloudflare, before wasabi's service was shut down)
even if it was addressed, there are many other tagging vectors still open, for example: https://t.co/9C7Hau3MAr
so no, a vulnerability was not "discovered", it was simply made very marginally worse for a limited time, and then went back to being just as bad as it was before
@lontivero, @molnardavid84 you are fucking liars and gaslighters https://t.co/1rrURMdU2g
Developers who gaslight journalists to try and hide their own fuck ups and incompetence are some of the biggest scumbags in this space.
— Shinobi (@brian_trollz) December 9, 2024
if you want to dive into just how big of a farce wasabi 2 is, here is a meta thread collecting a large portion of the insanity, documented in other threads. make sure to go through all the subthreads, it just doesn't end: https://t.co/JNj0go5wo2
not fit for purpose. this is alpha quality software and should not be relied on for anything but LARPing. https://t.co/nwguu7K01C
— nothingmuch (@not_nothingmuch) June 13, 2022
p.s. shout out to max hillebrand for being the most hypocritical lying gaslighter of the lot, even a bigger fraud than @nopara73
p.p.s. a bit more context about the nuances of this particular issue, containing direct and circumstantial evidence that i had long described these issues and that they were never addressed: https://t.co/yX73Jn5WlE
https://t.co/bxEuPDZPcl
https://t.co/RP8vUeUSh0
p.p.p.s. "haha just use scamurai"? GTFO! whirlpool is also vulnerable to key tagging, the blind signature and the public key are given to the client in the same response, the client doesn't even bother checking it https://t.co/QMlMpILPHq
always with the tribal, zero sum mindset.
— nothingmuch (@not_nothingmuch) June 2, 2024
samourai is not good software in this regard, the whirlpool protocol is trivially susceptible to key tagging attacks, had it for years. just the first issue off the top of my head.