Privacy Issue - Increase Fee with Custom Change Address grabs new UTXO #20795

1. 
   cointastical commented at 7:31 am on December 29, 2020: none

   I am relaying a privacy issue for Bitcoin Core that was reported on r/Bitcoin (Reddit).

   The message was:

   • Using coin control
   • Custom change address

   When one clicks the increase transaction fee button, it adds another input rather than increasing the fee by reducing the change output. Major privacy leak since you have no control of the input used.

   From that it sounds like the observed behavior is that the replacement transaction includes an additional UTXO that was not chosen by the user, even though the transaction was composed as a Coin Control transaction.

   So I’m assuming the expected behavior would be for Bitcoin Core to remember that this OUTPUT was actually a Custom Change Address and to then lower the amount of that OUTPUT by the amount needed for the fee bump.

   And, now that I am thinking of this, isn’t there the expectation that if my initial transaction was done using Coin Control, and then if my fee bump (RBF) needs another UTXO input to cover the increase in fee, that Coin Selection for that will occur (regardless of whether or not the change address was a Custom Change Address)?

2. cointastical added the label Bug on Dec 29, 2020
3. 
   ghost commented at 8:43 pm on January 11, 2021: none

   Just tried to reproduce this issue and it looks like a bug which might be the reason for lot of transactions overpaying fees, privacy issues and the user might think he just increased the fee for a transaction in which “coin control” was used. Surprised that nobody replied anything yet here.

   And, now that I am thinking of this, isn’t there the expectation that if my initial transaction was done using Coin Control, and then if my fee bump (RBF) needs another UTXO input to cover the increase in fee, that Coin Selection for that will occur (regardless of whether or not the change address was a Custom Change Address)?

   Atleast user should be given warning if inputs are being changed. Let me share the details of my test transaction below:

   

   Initial tx with RBF enabled, selected one input from wallet, a custom change address (new address from same wallet):

   

   Replacement transaction: https://blockstream.info/testnet/tx/ae3975a21c646c1c74c228e388672f652883f4d312cc7a437b9180cc1390515b

   

4. 
   ghost commented at 1:13 am on January 12, 2021: none

   @achow101 @Xekyo Your thoughts on this issue? It happens only when using custom change address for initial transaction which was RBF enabled and coin control features were used.

   Can we include a warning when replacement transaction is being confirmed? Something like “Different inputs might be selected for replacement transaction since custom change address was used earlier”

   Or we need to fix something else related to coin selection algorithm being used for replacement transaction?

5. laanwj added the label GUI on Jan 13, 2021
6. laanwj added the label Wallet on Jan 13, 2021
7. 
   luke-jr commented at 6:36 pm on January 13, 2021: member

   Note: Reducing the change output also could be a privacy problem, since it identifies which output was change.
8. 
   dooglus commented at 4:37 pm on January 21, 2021: contributor

   It happens only when using custom change address

   I don’t think that’s the case. It also happens when you use a regular change address that you have labelled after using it. When a change address is added to the ‘address book’ Core no longer recognizes it as a change address and so doesn’t know that it can be reduced when bumping the fee.

   I made a related issue #20935 recently.

   we need to fix something else related to coin selection algorithm being used for replacement transaction?

   Producing a warning when bumping a fee is about to throw away your privacy is a step in the right direction but it would be nice if there was an option to bump a fee without throwing away your privacy.

9. 
   ghost commented at 4:23 am on January 24, 2021: none

   I don’t think that’s the case. It also happens when you use a regular change address that you have labelled after using it.

   Correct. I tested it and below are the results:

   1. New change address created with getrawchangeaddress: tb1qqt7w0m00xkth4ugsymw93t74ugkdey6c6g57k9

   Used for a RBF transaction and replacement transaction had no extra inputs/outputs: https://tbtc.bitaps.com/f7b6c65165e4f7fbce11c8e3426deb207b55dd5b599c8a3e36b30169060421b6

   No issues. Maybe because change addresses follow m/0'/1'/i' derivation path in bitcoin core wallet.

   2. Labelled the same change address with: setlabel "tb1qqt7w0m00xkth4ugsymw93t74ugkdey6c6g57k9" "label1" and used in a transaction.

   Used for a RBF transaction and replacement transaction had extra inputs/outputs: https://tbtc.bitaps.com/17f3208ecb34c6c14574de53e73b1039215bed9f67bc4606771c5b032e51d0bf

   3. Created a new ‘change address’ and labelled it with: setlabel "tb1qd4ld5clqv0maky0l9fqr38ck4qr605jx0xqezd" "label2"

   Used for a RBF transaction and replacement transaction had extra inputs/outputs: https://tbtc.bitaps.com/9d2d0960d06d09b630ad7e2599d0a608247f548e6f7b91d891bef459229e01af

   When a change address is added to the ‘address book’ Core no longer recognizes it as a change address and so doesn’t know that it can be reduced when bumping the fee.

   Interesting. It should still be a ‘change address’ maybe not recognized as change address to improve privacy (address re-use).

   Producing a warning when bumping a fee is about to throw away your privacy is a step in the right direction but it would be nice if there was an option to bump a fee without throwing away your privacy.

   Agree. I need to do more tests and this issue is interesting for two reasons: 1. Privacy and Fees can be improved while using Bitcoin Core Wallet 2. I will learn a lot during the research

10. laanwj removed the label Bug on Jan 24, 2021
11. laanwj added the label Privacy on Jan 24, 2021
12. jonasschnelli referenced this in commit d38e2d9a19 on Jan 26, 2021
13. remyers referenced this in commit dd1912a86c on Jan 26, 2021
14. sidhujag referenced this in commit 37894802aa on Jan 26, 2021
15. 
    dooglus commented at 3:46 pm on January 27, 2021: contributor

    Interesting. It should still be a ‘change address’ maybe not recognized as change address to improve privacy

    It’s simpler than that. The implementation of IsChange() simply checks the address book and declares that labelled addresses aren’t change:

    bool CWallet::IsChange(const CScript& script) const
    {
        // TODO: fix handling of 'change' outputs. The assumption is that any
        // payment to a script that is ours, but is not in the address book
        // is change. That assumption is likely to break when we implement multisignature
        // wallets that return change back into a multi-signature-protected address;
        // a better way of identifying which outputs are 'the send' and which are
        // 'the change' will need to be implemented (maybe extend CWalletTx to remember
        // which output, if any, was change).
        AssertLockHeld(cs_wallet);
        if (IsMine(script))
        {
            CTxDestination address;
            if (!ExtractDestination(script, address))
                return true;
            if (!FindAddressBookEntry(address)) {
                return true;
            }
        }
        return false;
    }
    

16. luke-jr referenced this in commit 3765febe61 on Jan 29, 2021
17. 
    ghost commented at 8:49 pm on January 29, 2021: none

    When a change address is added to the ‘address book’ Core no longer recognizes it as a change address and so doesn’t know that it can be reduced when bumping the fee.

    This is not true

    Tx 1: https://tbtc.bitaps.com/4d4cdd5b237882ae77ef3fac5c71b5639e59b3a888e88a1190f443c194211ec9

    New change address automatically added by wallet (I just selected input): tb1qpc8wx9sec3s7sm3j949eeg2pj3e6n3df9c5w2u

    This is a “change address” in address book which is already used with below result for getaddressinfo:

    I used the same address as “custom change address” in another transaction Tx2: https://tbtc.bitaps.com/6f7fa9bb497cc0c07cf541ec4667881abe18def7c6732c1c1309e1d2706658d2

    Replacment transaction Tx3 for Tx2 after increasing fee: https://tbtc.bitaps.com/19c31ec81f301a6b83ab849e0ce64cdb925d5b3a7d30f618c487f393da8b7788 (Fee increased by decreasing the change amount)

    

    

18. 
    dooglus commented at 3:23 pm on January 30, 2021: contributor

    I thought being in the address book was the same as being labelled. Your output has no labels, so is it in the address book?

    I’m talking about labeling the change address so that it doesn’t show up with an empty list of labels like yours did:

    "labels": [
    ]

19. 
    dooglus commented at 7:20 pm on January 30, 2021: contributor

    @prayank23 Specifically this is what I mean about adding a change address to the address book making bitcoin think it is no longer change. I started with a regular change address, verified that it is known to be a change address then labelled it and verified that it is no longer seen as a change address:

    $ bitcoin-cli -testnet getaddressinfo tb1qh6lk6exzxtgsqsrjc6cf9nc6wm8ru9xn67uh9t | jq .ischange
    true
    $ bitcoin-cli -testnet setlabel tb1qh6lk6exzxtgsqsrjc6cf9nc6wm8ru9xn67uh9t change1
    $ bitcoin-cli -testnet getaddressinfo tb1qh6lk6exzxtgsqsrjc6cf9nc6wm8ru9xn67uh9t | jq .ischange
    false
    $ 
    

20. fanquake closed this on Jul 20, 2023

    ---

21. BlackcoinDev referenced this in commit 04afe55e29 on Feb 5, 2024
22. bitcoin locked this on Jul 19, 2024

Contributors
cointastical ghost luke-jr dooglus

Labels
GUI Wallet Privacy