Wasabi Wallet versions 2.2.1.0 and below are affected by a deanonymization vulnerability in the WabiSabi coinjoin protocol. This vulnerability allows malicious coordinators to deanonymize users and link inputs and outputs.
The vulnerability may or may not have been fixed. Kruw will always tell you how Wasabi is open-source and how you can always inspect the code yourself. He will also say that there is no way that a coordinator operator can recover any private information about their users. As usual, it's a load of crap. Whether or not you consider a person like Kruw who wished death on others and defended zkSNACKs' choice to partner with blockchain analysis companies with a passion to be malicious is up to you. I have recommended you stay away from his honeypot service.
Here is an interesting part worth remembering:
To my knowledge drkgry discovered this independently and disclosed it in good faith, but the members of the team who were present at zkSNACKs during the design phase of Wabisabi were absolutely aware of this issue.
According to this, the team behind WabiSabi and zkSNACKs (the company Kruw worked for and defended until the bitter end) knew about the deanonymization vulnerability. Perhaps it came about by chance or maybe it was left there on purpose...
Sources:
https://www.therage.co/vulnerability-wabisabi-coinjoin/
https://bitcoinmagazine.com/technical/wabisabi-deanonymization-vulnerability-disclosed