UTXO probing attack using payjoin

In a detailed discussion on the Bitcoin Development Mailing List, participants delved into the potential vulnerabilities and mitigation strategies concerning Payjoin transactions as outlined in BIP78. A key point of focus was the attack vector where an aggressor could exploit Payjoin to surveil someone's wallet by observing Unspent Transaction Outputs (UTXOs). The conversation highlighted a specific countermeasure from BIP78, suggesting that recipients should reuse exposed UTXOs for subsequent Payjoin transactions if they detect the original transaction broadcast or its double spending. This strategy aims at blunting the efficacy of probing attacks, though there remains ambiguity regarding its status as a formal part of the protocol.

Further insights were shared about the implementation nuances between sender and receiver roles in these transactions. According to BIP78, it is suggested that the receiver should be responsible for broadcasting the initial non-Payjoin transaction after a brief waiting period. This contrasts with some interpretations and implementations where the sender might preemptively cease sending the transaction. This distinction plays a significant role, especially when contrasting merchant scenarios with peer-to-peer payments. In merchant situations, it's feasible to request multiple "invoices" or Payjoin URLs, thereby enabling certain mitigation techniques against UTXO collection attacks. However, this approach does not translate well to peer-to-peer payments, where such continuous requests are impractical.

The conversation also touched upon the broader implications of Payjoin transactions on privacy and scalability within the Bitcoin network. It underscored the inherent tension between maximizing privacy through non-reuse of addresses and the operational reality that aggregating UTXOs can significantly reduce privacy. A hypothetical scenario involving a merchant receiving thousands of payments and then consolidating them was discussed to illustrate how privacy could be compromised even with Payjoin, though to a lesser extent due to the increased deniability and obscurity provided at each step of the transaction chain.

Lastly, the dialogue reflected on the first blockchain analysis paper by Meiklejohn et al., which examined the feasibility of gathering information on wallet UTXOs through direct transactions with merchants. This brought to light the complex challenges in maintaining privacy within the Bitcoin ecosystem, acknowledging that while strategies like Payjoin offer improvements, they do not completely eliminate privacy risks.