CashShuffle is a plugin for the ElectronCash Bitcoin wallet software. CashShuffle implements a superset of the CoinShuffle protocol, whose aim is to anonymize cryptocurrency ownership by pooling a number of users together and performing a randomized shuffle of their transactions to new addresses.

Kudelski Security was hired to perform a security assessment of the CoinShuffle component of the ElectronCash wallet. We focused on the cryptographic functionalities of the code and implementation of security good practices. We specifically audited commit 71c0d3b.

We analysed the provided code, in particular the codebase of the shuffle plugin, and checked the Python code for things such as:

General code safety and susceptibility to known vulnerabilities

Bad coding practices and unsafe behaviour

Leakage of secrets or other sensitive data through memory mismanagement, although Python arguably makes this difficult

Susceptibility to misuse and system errors

Error management and logging

Safety against malformed or malicious input from other network participants

We reported the following:

2 security issues of medium severity

1 security issue of low severity

4 observations related to general code safety

We also reviewed the specification and implementation of the CoinShuffle protocol as done in CashShuffle. We reviewed in particular (in no specific order):

The cryptographic primitives

The relevance and correctness of security assumptions (IND-CCA security, length-regularity, and so on)

The possible threat scenarios

The trust assumptions between involved parties

The trust assumptions between parties and server

Its resistance to deanonymization attacks

Its resilience to double-spending attacks

Its resilience to funds stealing

Its resistance to DoS attacks

Its blame phase and cheater unmasking mechanisms

Edge cases and resistance to protocol misuse

We then reviewed the matching between the code and the protocol, and looked specifically for:

Proper implementation of the different protocol phases

Proper error handling

Correct implementation of the blame phase

Correct interaction with the blockchain network

Adherence to the protocol's logical description

We did not find any critical shortcoming in these components. However, we did not perform a rigorous security analysis of the protocol and did not assess its provable security properties. For example, we reviewed the consistency of security levels across primitives and cryptographic constructions, but did not verify theoretical secure composition results.

The main caveat we highlighted in our report is the need for a server that handles the bootstrapping process of the CoinShuffle protocol.

This notably means that some servers might decide to charge a fee to let a participant join a pool, just like a mixnet server. The free nature of CashShuffle servers is therefore not an intrinsic property offered by the protocol.

Furthermore, the server has to be trusted: a malicious server might match a given client in a “fake pool” with freshly created fake identities in order to be able to later deanonymize that client. This means that the need to trust a central authority remains. However, thanks to the CoinShuffle protocol, the server is not able to steal funds, which is an improvement over mixnet servers. It should also be noted that we did not review the server code.

Overall, we believe that the analysis from the CoinShuffle paper is correct, but that in practice such a protocol has some limitations. Nevertheless, it seems that the CoinShuffle protocol and the CashShuffle implementation provide a practical solution to the problem of mixing transactions without the risk of funds being stolen in the process.

We further believe that the CashShuffle codebase we reviewed implements the CoinShuffle protocol with no significant deviations, and we did not find any evidence of malicious intent, flawed logic or potential backdoor in the codebase.

Our audit of CashShuffle is publicly available here, and we would like to thank CashShuffle for trusting us!

To find out more about our crypto services relating to blockchain technologies, visit kudelski-blockchain.com