[DNM] Change default coin selection algo to 'smallest' #2186
Conversation
|
Not convinced this is the right approach. The I think the real issue here is the wallet currently silently interacts to receive coins in a tx. |
|
Agreed this needs more thought, and the root of the problem is the non-interactivity on the recipient end. Note this is also the root cause of https://github.com/mimblewimble/grin/issues/638, where an unknown can spam unconfirmed outputs into a wallet listener at will. This is only an issue with listener scenarios, file or other async exchanges don't suffer from this. We could ensure a recipient must always confirm somehow, but that makes things even more cumbersome in a process that already has enough friction. Thought required. |
|
Perhaps we could provide some kind of hook for when you receive a transaction so the user can add their own logic. For example:
It would also be useful for other kind of things like keeping your own records if you are an online shop. |
I think this might make a lot of sense for the keybase plugin. |
|
Agree with @yeastplume and @antiochp about not jumping to a quick fix too fast. For people doing file-based exchanges this won't be an issue. For others we have the self-sending functionality that @yeastplume added recently. Perhaps on every interactive receive we should trigger a self-send right after? |
|
Agree on no quick fixes.
Can you help me understand how this helps? If it's automatic (and therefore predictable and detectable), wouldn't it be just as easy to monitor the next output that is being created? |
|
The attacker can just wait to see when any triggering stops. Grin users with any public id (keybase, IP:port, email file transfers, etc), to not be tracked, must use some kind of coin join with a serious amount of other users, and coin control. (*) dandelionize: make a tx look like is mixed with someone else's transaction |
You could create multiple outputs and use multiple inputs like a coinjoin with yourself, something like
This probably solves the problem with keybase (although slightly annoying) but the http listener has the same weakness. |
|
@lehnberg as @mcdallas mentioned, you'd coinjoin with yourself. The dust sender knows when the dust is spent because she's involved in the transaction. If that's been coinjoined, even within your own wallet, it's not true anymore and then the only way to learn about the new output is to listen to all transactions. Still doable for now, but definitely makes it less trivial. |
It would be nice to provide the ability to do self-coinjoin at least manually. Though I guess I can already construct such a transaction manually (?) and potentially tunnel it directly to a mining pool that I trust wouldn't propagate over the network for increased privacy (feature request to all prospective mining pools operators watching:)). |
Possible defences?
For more inspiration: cypherpunk remailers, onion routing, ZeroLink. |
antiochp
changed the title
|
Closing this - keeping |
Using
allas default seems to be a major privacy risk, especially coupled with the Keybase wallet option.An attacker can send dust coins to any known Keybase username (I did the experiment with https://keybase.io/mcdallas who was running a Keybase wallet) and subsequently predict with 100% accuracy whenever the target recipient made a payment.
Here is me sending dust coins to
mcdallas: https://grinscan.net/block/82584Output
0800d1de2...is what came back to me so the other output08552d3e...has to be his.Now I look at block https://grinscan.net/block/82601 and know he did another transaction since that output is spent. I can keep doing this forever by sending him another dust marker after the previous known output is spent. Notably a user with a running Keybase wallet would not even notice this attack (unless they check their outputs manually).