Bitcoin has an accounting model of unspent transaction output [UTXO]. A transaction has inputs: the coins that are being spent, and outputs: the corresponding newly created coins (unspent). The input of a transaction has to be an unspent output of a previous transaction. Each UTXO is the tip of the chain of links between inputs and outputs, all the way back to a coinbase transaction that pays the miner.
# UTXOs are not fungible
Each UTXO is a unique snowflake with a public transaction history. For example, when Alice sends a coin to Bob, then Bob does not just have any random UTXO, but he has specifically the coin that Alice has sent him. When Bob sends this coin to Charlie, then Charlie can check the history of the coin and see the transaction from Alice to Bob. But due to the pseudonymity of Bitcoin, he does not necessarily find out that Alice is involved.
Further, when Alice has one non-private coin and one private coin, and she selects both of them as the inputs of a transaction, the linking of these two coins strongly suggests that the coin that was private also belongs to Alice. This means that coin consolidation can lead to an overall decrease in privacy, especially when using an automatic coin selection algorithm.
# Wasabi's Solution
# Manual coin labeling and selection
Contrary to many other wallets, Wasabi does not show only the total value of bitcoin in the wallet.
Rather, in both the
CoinJoin tabs there is a list of all the individual UTXOs.
Because Wasabi requires users to label every receiving address, the history of each coin is clear for the user at first glance.
In order to spend a specific coin, it must be manually selected, which prevents the wrong coin from being included in the transaction.
# Heuristics identifying change
One prime goal of transaction surveillance companies is to identify the change coin of a Bitcoin transaction, as this is vital information for building a cluster of coins belonging to one entity. There are several heuristics, practical assumptions which are not guaranteed to be accurate or optimal, that are used to deanonymize users:
# Address reuse
When several coins have the same address, then they are owned by the same entity. Thus if a transaction has a reused address in the output, it is very likely to be the payment amount from one entity to another. Thus the other output of this transaction is likely to be the change of the entity providing the inputs of the transaction.
Never reuse addresses!
# Wallet fingerprinting
Different software wallets have different methods of creating Bitcoin transactions. So if it is known that a transaction was created by a specific wallet, then it can be checked how this wallet handles change.
Wasabi tries to build the most common form of transaction structure, thus reducing the likelihood of identifying any given transaction as being from Wasabi. However, Wasabi CoinJoins are very easily fingerprinted, and any coin associated is clearly managed with Wasabi Wallet.
# Round numbers
When making a payment, then often the destination address receives a round number of bitcoin. Because the input is usually a non-round number, the other output will also be a non-round number. This makes it clear that the non-round number output is the change back to the sender.
A [0.1293 0112 btc] --> B [0.0500 0000 btc] C [0.0792 9962 btc] (= change)
In order to protect your privacy, add or remove (when possible) a couple of sats from the payment amount to obfuscate which output is your change and which one is the payment.
A CoinJoin has many unequal value inputs, and creates several equal value anonset outputs, as well as unequal value outputs, making it clear that these are the change outputs.
This is why the CoinJoin change has only 1 anonset .
C [1 btc] A [6 btc] --> D [1 btc] B [3 btc] E [5 btc] (= change A) F [2 btc] (= change B)
# Replace by Fee
BIP 125 allows for one unconfirmed transaction to be double-spent and replaced by a second transaction that pays a higher fee. However, the output that is reduced in the second transaction is likely to be the change output, as the sender pays the fee.
First transaction A [1.3576 1516 btc] --> B [1.0135 6515 btc] C [0.3440 4861 btc] Second transaction (RBF) A [1.3576 1516 btc] --> B [1.0135 6515 btc] C [0.3440 4721 btc] (= change)
Because of this privacy leak, Wasabi does not utilize RBF fee bumping, even though it signals it to mimic other wallets fingerprint.