
Possible privacy leakage due to ordered transaction inputs

Open yixiao5428 opened this issue 3 years ago • 3 comments

This is a security vulnerability.

The wallet uses ordered inputs of transactions (src/wallet/wallet.cpp, lines 3657-3671), which may incur privacy risks like fingerprinting the wallet to observers.

A possible solution is to clear the original order, shuffle it, and push back the new order before signing the transaction.

Similar fix from Bitcoin: https://github.com/bitcoin/bitcoin/commit/2fb9c1e6681370478e24a19172ed6d78d95d50d3.

Reported by 6004ed5feaa31ae9df36b5dbc60f0fa53255a5fb734334082c6d202405fc738c.

yixiao5428, Jul 17 '21 09:07
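The shuffle proposed in the issue above, sketched as an added example; it is not part of the original issue and is not Ravencoin or Bitcoin code. `OutPoint`, the function names and the sample coins are hypothetical, and the example assumes the selected coins sit in an ordered container, so copying them out preserves that order.

```cpp
// Added example: simplified stand-ins, not the wallet's real types or functions.
#include <algorithm>
#include <cstdint>
#include <random>
#include <set>
#include <string>
#include <tuple>
#include <vector>

struct OutPoint {  // hypothetical reference to a spendable output
    std::string txid;
    uint32_t n;
    bool operator<(const OutPoint& o) const { return std::tie(txid, n) < std::tie(o.txid, o.n); }
    bool operator==(const OutPoint& o) const { return txid == o.txid && n == o.n; }
};

// "Before": inputs copied straight out of an ordered container keep its
// sort order, and that order is visible in the published transaction.
std::vector<OutPoint> BuildInputsOrdered(const std::set<OutPoint>& selected) {
    return std::vector<OutPoint>(selected.begin(), selected.end());
}

// "After": Fisher-Yates shuffle of the selected inputs before they are added
// to the transaction and signed. Rng is any uniform random bit generator;
// a wallet would pass its own random source here.
template <typename Rng>
std::vector<OutPoint> BuildInputsShuffled(const std::set<OutPoint>& selected, Rng& rng) {
    std::vector<OutPoint> vin(selected.begin(), selected.end());
    for (size_t i = vin.size(); i > 1; --i) {
        std::uniform_int_distribution<size_t> pick(0, i - 1);
        std::swap(vin[i - 1], vin[pick(rng)]);
    }
    return vin;
}

// Regression check for a wallet test: does the input list still show the sorted pattern?
bool LooksOrdered(const std::vector<OutPoint>& vin) {
    return std::is_sorted(vin.begin(), vin.end());
}

// Constructed sample: six made-up outpoints.
std::set<OutPoint> SampleCoins() {
    return {{"aa11", 0}, {"aa11", 3}, {"b2c4", 1}, {"c0de", 0}, {"d00d", 2}, {"f00d", 1}};
}
```

Signatures commit to the input list, so the shuffle has to happen before signing, as the issue says.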

Great catch! Following this issue.

m4r1m0, Jul 17 '21 15:07

If this is going to be fixed: make sure it doesn’t clash with the new asset transaction order. Or the reissue transactions.

jeroz1, Jul 17 '21 16:07

If I'm understanding correctly, this has to do with VINs, not VOUTs; the special asset order should not be affected @jeroz1

kralverde, Jul 17 '21 17:07