A sender can learn the recipient’s UTXO(s) in a payjoin without ever broadcasting the final transaction. This attack is described in BIP 77 and BIP 78, but it is often ignored by privacy advocates.
In a normal bitcoin transaction, the recipient only shares an address to receive bitcoin, but payjoin requires more information. The recipient needs to share their signed UTXO with the sender to finalize the payjoin transaction. Hence, payjoin cannot be used with untrusted senders.
I tested this using the Bull Bitcoin app and two Android phones; however, it can be done using any wallet that supports payjoin.
Enter the amount and generate a payjoin URI for the recipient to scan. The recipient will initiate the payjoin and know the sender’s input(s). The Bull Bitcoin app broadcasts the payjoin transaction automatically; however, I have changed the source code to prevent broadcasting and instead print the PSBT.
cHNidP8BAMMBAAAAA6N1hExtgnI0L99i2oA4YeQADlxUjrvx34+tGMJJe9pvAAAAAAD9////ZY8bEw2Ly1SJD5cwVx2K4bZMqn5U23qaXdMtA1DdXPUAAAAAAP3////Hx77BGFZQPgbG8ICZxIXuTG1NXDLMH8phtA/JXaPXCAAAAAAA/f///wLAJwkAAAAAABYAFBF96Ms+iwU2Sxx/MGAtosNdalDtKwwDAAAAAAAWABR86hI4Z6u1lTp0/+sFegytF0YYBOkvPgAAAQEfIKEHAAAAAAAWABTRvVdJPU/HjzE+jmNwQwI1EahZdwEHAAEIawJHMEQCIEzztFLxF4ENkyI4UhLXy/2hZjsERt+R6OAQY6250w9+AiBDuq+ZGd5b8jZ5a7ezTdN+niCUreefRlUmWjbEcGpmLwEhAgUVTJqRqWZbVf1gTRYaEGRfmhVufV1IpCu6goQfhWD3AAEA3gIAAAAAAQGjdYRMbYJyNC/fYtqAOGHkAA5cVI678d+PrRjCSXvabwEAAAAA/f///wKghgEAAAAAABYAFMNtqNr1yCZF+hpt4bme+5WO5B5mOMOKEAAAAAAWABTT/XD93TH2eZiUfZqYNrmpE2hBWAJHMEQCIGFqWtvk+BTlsZpSTZqqTWFfBxaSQappxATi2+17rLFeAiADpGXzn1WlbYTwRFHcJk/gKlhisBO0spEGzavvvf+2WwEhA6/f6Z+TLvn/5AbKjTFlR59WsFdG31smbHr263ZT21ltqy8+AAEBH6CGAQAAAAAAFgAUw22o2vXIJkX6Gm3huZ77lY7kHmYAAQDeAgAAAAABAWWPGxMNi8tUiQ+XMFcdiuG2TKp+VNt6ml3TLQNQ3Vz1AQAAAAD9////AkANAwAAAAAAFgAUtYB9khDyg0RNWcIjdDZBwJUb6dwcsIcQAAAAABYAFLOjkiKXP/30KME/MPvG6z6G2NMUAkcwRAIgSumyLq0iXmhYGfEMrckjvFd1KDi6m4+R5jd4Qg3eKfUCIAzDLi1vY1L7489Ts6P7fzt+Lg5qaB4mv/2ZcnRPSfMvASEDYphx3y+lvZzxS6InIE94bT626VoKwUJCnKrX+1zAWvyzLz4AAQEfQA0DAAAAAAAWABS1gH2SEPKDRE1ZwiN0NkHAlRvp3AAAAA==
{
"tx": {
"txid": "62ef6e6413620f3a509f601f336bbec2f513f1471de10025a8de5b7ab97641b6",
"hash": "62ef6e6413620f3a509f601f336bbec2f513f1471de10025a8de5b7ab97641b6",
"version": 1,
"size": 195,
"vsize": 195,
"weight": 780,
"locktime": 4075497,
"vin": [
{
"txid": "6fda7b49c218ad8fdff1bb8e545c0e00e4613880da62df2f3472826d4c8475a3",
"vout": 0,
"scriptSig": {
"asm": "",
"hex": ""
},
"sequence": 4294967293
},
{
"txid": "f55cdd50032dd35d9a7adb547eaa4cb6e18a1d5730970f8954cb8b0d131b8f65",
"vout": 0,
"scriptSig": {
"asm": "",
"hex": ""
},
"sequence": 4294967293
},
{
"txid": "08d7a35dc90fb461ca1fcc325c4d6d4cee85c49980f0c6063e505618c1bec7c7",
"vout": 0,
"scriptSig": {
"asm": "",
"hex": ""
},
"sequence": 4294967293
}
],
"vout": [
{
"value": 0.00600000,
"n": 0,
"scriptPubKey": {
"asm": "0 117de8cb3e8b05364b1c7f30602da2c35d6a50ed",
"desc": "addr(tb1qz9773je73vznvjcu0ucxqtdzcdwk558dt3qv6w)#ytex7j2d",
"hex": "0014117de8cb3e8b05364b1c7f30602da2c35d6a50ed",
"address": "tb1qz9773je73vznvjcu0ucxqtdzcdwk558dt3qv6w",
"type": "witness_v0_keyhash"
}
},
{
"value": 0.00199723,
"n": 1,
"scriptPubKey": {
"asm": "0 7cea123867abb5953a74ffeb057a0cad17461804",
"desc": "addr(tb1q0n4pywr84w6e2wn5ll4s27sv45t5vxqyztrql7)#26729z68",
"hex": "00147cea123867abb5953a74ffeb057a0cad17461804",
"address": "tb1q0n4pywr84w6e2wn5ll4s27sv45t5vxqyztrql7",
"type": "witness_v0_keyhash"
}
}
]
},
"global_xpubs": [
],
"psbt_version": 0,
"proprietary": [
],
"unknown": {
},
"inputs": [
{
"witness_utxo": {
"amount": 0.00500000,
"scriptPubKey": {
"asm": "0 d1bd57493d4fc78f313e8e637043023511a85977",
"desc": "addr(tb1q6x74wjfaflrc7vf73e3hqsczx5g6skthh6e2xs)#m7afyfpd",
"hex": "0014d1bd57493d4fc78f313e8e637043023511a85977",
"address": "tb1q6x74wjfaflrc7vf73e3hqsczx5g6skthh6e2xs",
"type": "witness_v0_keyhash"
}
},
"final_scriptwitness": [
"304402204cf3b452f117810d9322385212d7cbfda1663b0446df91e8e01063adb9d30f7e022043baaf9919de5bf236796bb7b34dd37e9e2094ade79f4655265a36c4706a662f01",
"0205154c9a91a9665b55fd604d161a10645f9a156e7d5d48a42bba82841f8560f7"
]
},
{
"witness_utxo": {
"amount": 0.00100000,
"scriptPubKey": {
"asm": "0 c36da8daf5c82645fa1a6de1b99efb958ee41e66",
"desc": "addr(tb1qcdk63kh4eqnyt7s6dhsmn8hmjk8wg8nx2u8uk9)#y95a2ddr",
"hex": "0014c36da8daf5c82645fa1a6de1b99efb958ee41e66",
"address": "tb1qcdk63kh4eqnyt7s6dhsmn8hmjk8wg8nx2u8uk9",
"type": "witness_v0_keyhash"
}
},
"non_witness_utxo": {
"txid": "f55cdd50032dd35d9a7adb547eaa4cb6e18a1d5730970f8954cb8b0d131b8f65",
"hash": "e74f48883f7b2c3f2c19bbf42bc5180fc2e4de3bdc2690b8321b59645d215db3",
"version": 2,
"size": 222,
"vsize": 141,
"weight": 561,
"locktime": 4075435,
"vin": [
{
"txid": "6fda7b49c218ad8fdff1bb8e545c0e00e4613880da62df2f3472826d4c8475a3",
"vout": 1,
"scriptSig": {
"asm": "",
"hex": ""
},
"txinwitness": [
"30440220616a5adbe4f814e5b19a524d9aaa4d615f07169241aa69c404e2dbed7bacb15e022003a465f39f55a56d84f04451dc264fe02a5862b013b4b29106cdabefbdffb65b01",
"03afdfe99f932ef9ffe406ca8d3165479f56b05746df5b266c7af6eb7653db596d"
],
"sequence": 4294967293
}
],
"vout": [
{
"value": 0.00100000,
"n": 0,
"scriptPubKey": {
"asm": "0 c36da8daf5c82645fa1a6de1b99efb958ee41e66",
"desc": "addr(tb1qcdk63kh4eqnyt7s6dhsmn8hmjk8wg8nx2u8uk9)#y95a2ddr",
"hex": "0014c36da8daf5c82645fa1a6de1b99efb958ee41e66",
"address": "tb1qcdk63kh4eqnyt7s6dhsmn8hmjk8wg8nx2u8uk9",
"type": "witness_v0_keyhash"
}
},
{
"value": 2.77529400,
"n": 1,
"scriptPubKey": {
"asm": "0 d3fd70fddd31f67998947d9a9836b9a913684158",
"desc": "addr(tb1q607hplwax8m8nxy50kdfsd4e4yfkss2cg2l6m7)#f3nj3ku9",
"hex": "0014d3fd70fddd31f67998947d9a9836b9a913684158",
"address": "tb1q607hplwax8m8nxy50kdfsd4e4yfkss2cg2l6m7",
"type": "witness_v0_keyhash"
}
}
]
}
},
{
"witness_utxo": {
"amount": 0.00200000,
"scriptPubKey": {
"asm": "0 b5807d9210f283444d59c223743641c0951be9dc",
"desc": "addr(tb1qkkq8myss72p5gn2ecg3hgdjpcz23h6wuanz7xf)#4lu6rzpq",
"hex": "0014b5807d9210f283444d59c223743641c0951be9dc",
"address": "tb1qkkq8myss72p5gn2ecg3hgdjpcz23h6wuanz7xf",
"type": "witness_v0_keyhash"
}
},
"non_witness_utxo": {
"txid": "08d7a35dc90fb461ca1fcc325c4d6d4cee85c49980f0c6063e505618c1bec7c7",
"hash": "58e01eff2908869abf0e5a3834a638228da7bc54d0f1e4e64a06c3b87d602162",
"version": 2,
"size": 222,
"vsize": 141,
"weight": 561,
"locktime": 4075443,
"vin": [
{
"txid": "f55cdd50032dd35d9a7adb547eaa4cb6e18a1d5730970f8954cb8b0d131b8f65",
"vout": 1,
"scriptSig": {
"asm": "",
"hex": ""
},
"txinwitness": [
"304402204ae9b22ead225e685819f10cadc923bc57752838ba9b8f91e63778420dde29f502200cc32e2d6f6352fbe3cf53b3a3fb7f3b7e2e0e6a681e26bffd9972744f49f32f01",
"03629871df2fa5bd9cf14ba227204f786d3eb6e95a0ac142429caad7fb5cc05afc"
],
"sequence": 4294967293
}
],
"vout": [
{
"value": 0.00200000,
"n": 0,
"scriptPubKey": {
"asm": "0 b5807d9210f283444d59c223743641c0951be9dc",
"desc": "addr(tb1qkkq8myss72p5gn2ecg3hgdjpcz23h6wuanz7xf)#4lu6rzpq",
"hex": "0014b5807d9210f283444d59c223743641c0951be9dc",
"address": "tb1qkkq8myss72p5gn2ecg3hgdjpcz23h6wuanz7xf",
"type": "witness_v0_keyhash"
}
},
{
"value": 2.77327900,
"n": 1,
"scriptPubKey": {
"asm": "0 b3a39222973ffdf428c13f30fbc6eb3e86d8d314",
"desc": "addr(tb1qkw3eyg5h8l7lg2xp8uc0h3ht86rd35c584kxyn)#4gnrwmef",
"hex": "0014b3a39222973ffdf428c13f30fbc6eb3e86d8d314",
"address": "tb1qkw3eyg5h8l7lg2xp8uc0h3ht86rd35c584kxyn",
"type": "witness_v0_keyhash"
}
}
]
}
}
],
"outputs": [
{
},
{
}
],
"fee": 0.00000277
}
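In the PSBT above, the first input belongs to the recipient: it is the 0.005 BTC witness_utxo at tb1q6x74wjfaflrc7vf73e3hqsczx5g6skthh6e2xs, and it is the only input that already carries a signature (final_scriptwitness). It is unnecessarily shared with the sender even if the payjoin transaction is never completed.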
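HRF accepts bitcoin donations, and payjoin can be used by attackers to probe their UTXOs, which affects the privacy of HRF and their donors. Hopefully this post will help users to be aware of the trade-offs involved in using payjoin. Receivers can raise the cost of probing with the mitigation described in BIP 78: check that the sender’s original transaction is broadcastable, and broadcast it if the payjoin is not completed, so that each probe costs the sender a real payment.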
Let me know if there are any errors in this post or if you have any feedback.