zingolabs / zingolib

An API and test-app that exposes zcash functionality for app consumption
MIT License

Privacy Issue: Shielded Pools are not being respected and metadata leaks #1137

Open AlwaysCompile opened 5 months ago

AlwaysCompile commented 5 months ago

Shielded pools should always be respected when possible because violating shielded pool boundaries results in the leakage of amounts (de-anonymization). Currently, zingo does NOT respect shielded pool boundaries and puts users at risk as a result.

Reproduction:

  1. 1 ZEC in Orchard pool. 1 ZEC in Sapling pool
  2. Send 0.5 ZEC to a Sapling address
  3. Zingo will leak the 0.5 ZEC by sending from the wrong pool (Orchard)

Zingo should always be privacy-preserving as much as possible. That means that it should always use as many inputs as possible from the shielded pool corresponding to the receiving address. In this case, the receiving address is a Sapling address. As a result, as many inputs as possible should be selected from the Sapling pool so that user privacy is not violated.

Selecting from the Orchard pool violated user privacy and it simply just does not make sense.

AlwaysCompile commented 5 months ago

In addition to the above, it will also violate user privacy via improper handling of "Change Notes".

Reproduction:

  1. 1 ZEC Sapling balance as a single note
  2. Send 0.1 ZEC to someone like a transparent address
  3. A 0.9 ZEC Orchard note will be created as change, and thus the change balance metadata has been leaked, violating user privacy, and the pool preference was violated at the same time.

This is a pretty nefarious privacy bug because it is very non-intuitive to the user. Not only was their privacy not respected via the leakage of the change amount, but the Shielded Pool was again not respected, so the wallet changed the privacy properties of the user's stored funds without asking them.

The fix is the same as above. Always reduce metadata leakages. That means do not automatically convert between shielded pools because that will leak metadata.
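
The following is an added example, not part of the issue thread and not zingolib's code: a simplified Rust model of the two reproductions above, showing pool-preferring input selection and the per-pool value balance that becomes publicly visible when value crosses between Sapling and Orchard. The names `Pool`, `Note`, `select_inputs` and `value_balance` are hypothetical, the wallet contents are constructed from the reproductions, and fees are ignored.

```rust
// Added illustration: a simplified model, not zingolib code. Fees are ignored.
pub const ZEC: u64 = 100_000_000; // zatoshis per ZEC

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Pool { Sapling, Orchard }

#[derive(Clone, Copy, Debug)]
pub struct Note { pub pool: Pool, pub zats: u64 }

/// Choose inputs covering `amount`, spending `preferred`-pool notes first and
/// touching the other pool only for a shortfall. None if funds are insufficient.
pub fn select_inputs(notes: &[Note], preferred: Pool, amount: u64) -> Option<Vec<Note>> {
    let mut ordered = notes.to_vec();
    // Stable sort on a bool key: notes in the preferred pool (false) come first.
    ordered.sort_by_key(|n| n.pool != preferred);
    let (mut picked, mut total) = (Vec::new(), 0u64);
    for n in ordered {
        if total >= amount { break; }
        total += n.zats;
        picked.push(n);
    }
    if total >= amount { Some(picked) } else { None }
}

/// Net value leaving `pool`: shielded inputs spent from it minus shielded
/// outputs created in it. This per-pool balance is a public transaction field,
/// so any non-zero value is an amount an observer can read.
pub fn value_balance(pool: Pool, inputs: &[Note], outputs: &[Note]) -> i64 {
    let sum = |ns: &[Note]| -> i64 {
        ns.iter().filter(|n| n.pool == pool).map(|n| n.zats as i64).sum()
    };
    sum(inputs) - sum(outputs)
}

fn main() {
    // Constructed wallet from the first reproduction: 1 ZEC in each pool.
    let wallet = [Note { pool: Pool::Orchard, zats: ZEC }, Note { pool: Pool::Sapling, zats: ZEC }];
    let inputs = select_inputs(&wallet, Pool::Sapling, ZEC / 2).expect("funded");
    // Payment and change both stay in Sapling, the pool the inputs came from.
    let outputs = [Note { pool: Pool::Sapling, zats: ZEC / 2 }; 2];
    for pool in [Pool::Sapling, Pool::Orchard] {
        println!("{:?} balance: {}", pool, value_balance(pool, &inputs, &outputs));
    }
    // Second reproduction: 1 ZEC Sapling in, 0.1 ZEC transparent out, change 0.9 ZEC.
    let spent = [Note { pool: Pool::Sapling, zats: ZEC }];
    let orchard_change = [Note { pool: Pool::Orchard, zats: ZEC / 10 * 9 }];
    println!("leaky Orchard balance: {}", value_balance(Pool::Orchard, &spent, &orchard_change));
}
```

In this model a transaction whose inputs, payment and change all stay in one pool has a zero balance in both pools, while the Orchard-change plan from the second reproduction exposes the 0.9 ZEC change as a negative Orchard balance.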