This article is the first in a series to be published on Nostr and our blog that aims to explain our decisions and trajectory by clearly presenting technical aspects of our implementation of a Bitcoin privacy preserving wallet and the WabiSabi Coinjoin Protocol.
Being trustless and privacy preserving
As Sjors Provoost notes in the introduction to Bitcoin: A Work in Progress, “keeping open-source software free of money-stealing bugs” is an exceedingly difficult task, especially when such software handles funds. Potential exploits in code are visible to all, as are patches awaiting deployment.
For Wasabi, the challenge extends further, as clients participating in coinjoin must follow a coordinator’s lead—a third party whose code cannot be verified. We rarely break compatibility or force updates, meaning users on vulnerable versions will always exist if an exploit is discovered.
Wasabi has consistently been designed to empower clients against potential bad actors:
- Reproducible builds
- Minimal information transmitted to third parties (backend, coordinator, fee providers, etc.)
- “Smart client, Dumb backend” architecture
The complexity involved in building a trustless system is both underappreciated and staggering. Trustlessness invariably comes at the cost of user experience, and these suboptimal workflows must be carefully refined to remain competitive against privacy-degrading or trust-based alternatives.
A prime example of this trade-off is block filters. While alternative wallets allow users to see their balance instantly by connecting to an Electrum server or similar backend solution, how do you retain users when your software first requires them to download 2.6 GB of filters, then download each relevant (or false-positive) block using the Bitcoin peer-to-peer network? To lighten this problem, significant resources have been invested in refining our synchronization process to optimize and ensure the privacy gain is worthwhile for most users.
Clients still need to receive some information from the coordinator: round start times, phase durations, mining fee rates, etc. This information is used to compute the round ID, which clients then use to build and verify everything happening in the round. Two clients receiving different parameters therefore cannot participate in the same round, ensuring a malicious actor cannot mine information by selectively sending different round parameters.
Why the coordination fee concept is not a fit here
The coordination fee rate is a field provided by the coordinator and included in the round parameters. However, this field is unique, as it involves a non-standard agreement: the client must pay this fee only once (concept of free remixes). This is central to how the wallet functions: the client automatically participates in rounds until reaching a certain privacy threshold. If the rounds don’t provide privacy, the client will continue to coinjoin indefinitely. Therefore a coordinator not offering free-remixes could create fast rounds not providing privacy and drain its users. We identified this problem, but the time it took to deploy a mitigation led to the only occurrence in our project’s history that some users funds have been exploited
Free remixes are not the only “workaround” implemented in our client to improve the coordination fee system. Another crucial case for proper user experience is the “1-hop doesn’t pay” rule. This means that if a payment is made using a coinjoin output and this payment produces change, the change doesn’t incur another coordination fee. This rule is essential because clients don’t control the size of their outputs. For instance, a user might receive only outputs of 1 BTC but need to make a payment of 0.1 BTC. The resulting change would not be private and would need to be remixed. Without the “1-hop doesn’t pay” concept, this would result in paying the coordination fee again. Like free remixes, this rule is not enforced by the WabiSabi protocol. To be protected against coordinators that might not offer this “fee grace,” clients would need to carefully select inputs for payments to minimize change value, sometimes at the cost of privacy.
In summary, the coordination fee relates to the implementation layer, and free remixes are not enforced by the WabiSabi CoinJoin Protocol. The protocol paper mentions it only as part of Wasabi’s implementation. The client must trust the coordinator to allow its inputs into rounds indefinitely after the initial payment. A coordinator could decide against offering free remixes, in which case the client must trust it to produce rounds that provide substantial privacy, at least worth the cost.
In other words, the coordination fee concept involves an element of trust. It creates an incentive for the coordinator to act maliciously and forces the client to be highly discerning in recognizing when the coordinator might be attempting to extract more money than it should.
Resources could have been invested during the zkSNACKs era to build a guaranteed risk-free implementation of the coordination fee rate and free remixes concept. However, because the only coordinator used at the time belonged to the same entity funding client development, this type of development was not prioritized, as we knew this coordinator would not breach trust.
This is no longer the case, and the project’s trajectory has changed significantly: resources are now extremely limited, and we prefer not to allocate precious developer hours to ensuring confidence in the coordination fee rate concept. Instead, we choose to allocate these resources to increasing software resilience, improving maintainability, and delivering impactful updates