Audit of CashShuffle

blockchain, Crypto, cryptocurrency, Data privacy Leave a comment

CashShuffle is a plugin for the ElectronCash Bitcoin wallet software. CashShuffle implements a superset of the CoinShuffle protocol, whose aim is to anonymize cryptocurrency ownership by pooling a number of users together and performing a randomized shuffle of their transactions to new addresses.

Kudelski Security was hired to perform a security assessment of the CoinShuffle component of the ElectronCash wallet. We focused on the cryptographic functionalities of the code and implementation of security good practices. We specifically audited commit 71c0d3b.

We analysed the provided code, in particular the codebase of the shuffle plugin. And we checked the Python code for things such as:

  • General code safety and susceptibility to known vulnerabilities
  • Bad coding practices and unsafe behaviour
  • Leakage of secrets or other sensitive data through memory mismanagement, although Python is arguably making this difficult
  • Susceptibility to misuse and system errors
  • Error management and logging
  • Safety against malformed or malicious input from other network participant

We reported the following:

  • 2 security issues of medium severity
  • 1 security issue of low severity
  • 4 observations related to general code safety

We also reviewed the specification and implementation of the CoinShuffle protocol as done in CashShuffle. We reviewed in particular (in no specific order):

  • The cryptographic primitives
  • The relevance and correctness of security assumptions (IND-CCA security, length-regularity, and so on)
  • The possible threat scenarios
  • The trust assumptions between involved parties
  • The trust assumptions between parties and server
  • Its resistance to deanonimization attacks
  • Its resilience to double-spending attacks
  • Its resilience to funds stealing
  • Its resistance to DoS attacks
  • Its blame phase and cheater unmasking mechanisms
  • Edge cases and resistance to protocol misuse

We then reviewed the matching between the code and the protocol, and looked specifically for:

  • Proper implementation of the different protocol phases
  • Proper error handling
  • Correct implementation of the blame phase
  • Correct interaction with the blockchain network
  • Adherence to the protocol logical description.

We did not find any critical shortcoming in these components. However, we did not perform a rigorous security analysis of the protocol and did not assess its provable security properties. For example, we reviewed the consistency of security levels across primitives and cryptographic constructions, but did not verify theoretical secure composition results.

The main caveat we highlighted in our report is the need for a server that handles the bootstrapping process of the CoinShuffle protocol.
This notably means that some servers might decide to ask a fee to let a participant join a pool, just like a mixnet server. The free nature of CashShuffle servers is therefore not an intrinsic property offered by the protocol.

Furthermore, the server has to be trusted: a malicious server might match a given client in a “fake pool” with freshly created fake identities in order to be able to later deanonymize that client. This means that the need to trust a central authority remains. However, thanks to the CoinShuffle protocol, it is true that the server is not able to steal funds, which is an improvement over mixnet servers. It should also be noted that we did not review the server code.

Overall, we believe that the analysis from the CoinShuffle paper is correct, but that in practice such a protocol has some limitations. Although, it seems that the CoinShuffle protocol and the CashShuffle implementation provide a practical solution to the problem of mixing transactions without the risk of funds being stolen in the process.

We further believe that the CashShuffle codebase that we reviewed is implementing the CoinShuffle protocol with no significant deviations, and we did not find any evidence of malicious intent, flawed logic or potential backdoor in the codebase.

Our audit of CashShuffle is publicly available here, and we would like to thank CashShuffle for trusting us!

To find out more about our crypto services relating to blockchain technologies, visit kudelski-blockchain.com

Leave a Reply