@nothingmuch
Last active December 21, 2024 13:16
Wasabi tagging attack

The Wasabi and Ginger Bitcoin wallets, which implement the WabiSabi protocol, are vulnerable to tagging attacks due to inadequate checks of ownership proofs.

In the protocol, clients register their Bitcoin UTXOs independently. A valid input registration request includes a BIP-322 ownership proof, which commits to the so-called round ID. The round ID is in turn a hash commitment to the parameters of the round, including the server's anonymous credential issuance parameters (analogous to a public key).

The parameters are obtained by polling the server for information about active rounds. If the server gives inconsistent round IDs to different clients, it effectively partitions them, which allows deanonymization.

Although clients obtain the ownership proofs of other clients and appear to verify them, verifying a BIP-322 proof requires the scriptPubKey of the spent output, which light clients cannot obtain on their own. That public key is supplied alongside the ownership proof, which makes verification non-binding: the server can generate unrelated public keys and create ownership proofs with those keys that commit to per-client round IDs, and the client will accept them as valid.

This issue was described before the initial release but never addressed. Although ownership proofs were subsequently given to clients, that change only addressed the use of ownership proofs to identify a wallet's own inputs on a stateless signing device, without addressing the consistency issue. Because the server provides the public key against which the ownership proofs of inputs the client does not own must be verified, those proofs are effectively under adversarial control.
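The following is an added illustration of the two checks the text says are missing, not code from Wasabi, Ginger or the gist's author. It is a deliberately simplified model: a plain Schnorr-style signature over secp256k1 stands in for a BIP-322 proof, the "scriptPubKey" is modelled as the owning public key, the round parameters and outpoints are constructed values, and `trusted_utxos` is an assumed lookup that returns the real owning key from a source the coordinator does not control (for example the client's own chain view). `vulnerable_check` verifies against the key that arrives alongside the proof, as the text describes; `hardened_check` instead requires the round ID to match the one the client was given and takes the key from the independent source.

```python
"""Toy model of ownership-proof binding in a WabiSabi-style round.

Constructed example: not real BIP-322 / BIP-340 and not wallet code.
"""
import hashlib
import json
import secrets

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = _add(r, pt)
        pt = _add(pt, pt)
        k >>= 1
    return r


def _h(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def sign(secret, msg):
    """Schnorr-style signature (R, s) with challenge e = H(R.x || P.x || msg)."""
    k = secrets.randbelow(N - 1) + 1
    R, pk = _mul(k, G), _mul(secret, G)
    e = _h(R[0].to_bytes(32, "big"), pk[0].to_bytes(32, "big"), msg) % N
    return (R, (k + e * secret) % N)


def verify(pubkey, msg, sig):
    """Checks s*G == R + e*P for the given public key."""
    R, s = sig
    e = _h(R[0].to_bytes(32, "big"), pubkey[0].to_bytes(32, "big"), msg) % N
    return _mul(s, G) == _add(R, _mul(e, pubkey))


def round_id(params):
    """Hash commitment to the round parameters (constructed canonical encoding)."""
    return hashlib.sha256(json.dumps(params, sort_keys=True).encode()).digest()


def proof_message(rid, outpoint):
    """The proof commits to the round ID and the outpoint being registered."""
    return b"ownership-proof|" + rid + b"|" + outpoint.encode()


def register_input(secret, outpoint, rid):
    """What a registration carries: outpoint, the key claimed to own it, round ID, proof."""
    return {"outpoint": outpoint, "claimed_pubkey": _mul(secret, G), "round_id": rid,
            "proof": sign(secret, proof_message(rid, outpoint))}


def vulnerable_check(reg):
    """Verifies against the key that arrives with the proof: non-binding."""
    return verify(reg["claimed_pubkey"], proof_message(reg["round_id"], reg["outpoint"]), reg["proof"])


def hardened_check(reg, my_round_id, trusted_utxos):
    """Round ID must equal ours; key comes from a source the coordinator cannot control (assumed)."""
    if reg["round_id"] != my_round_id:
        return "round_id_mismatch"
    pk = trusted_utxos.get(reg["outpoint"])
    if pk is None or not verify(pk, proof_message(reg["round_id"], reg["outpoint"]), reg["proof"]):
        return "bad_proof"
    return "ok"


def scenario():
    """Alice and Bob are handed different round parameters; Bob is shown a proof made with an unrelated key."""
    base = {"fee_rate": 10, "issuer_params": "aa" * 32}      # constructed round parameters
    rid_alice = round_id(base)
    rid_bob = round_id({**base, "issuer_params": "bb" * 32})  # inconsistent parameters for Bob
    alice_secret = secrets.randbelow(N - 1) + 1
    alice_reg = register_input(alice_secret, "deadbeef:0", rid_alice)
    trusted_utxos = {"deadbeef:0": _mul(alice_secret, G)}    # assumed independent chain source
    unrelated_reg = register_input(secrets.randbelow(N - 1) + 1, "deadbeef:0", rid_bob)
    return {
        "alice_sees_own": hardened_check(alice_reg, rid_alice, trusted_utxos),
        "bob_sees_real_alice": hardened_check(alice_reg, rid_bob, trusted_utxos),
        "bob_vulnerable_accepts_unrelated": vulnerable_check(unrelated_reg),
        "bob_hardened_rejects_unrelated": hardened_check(unrelated_reg, rid_bob, trusted_utxos),
    }


if __name__ == "__main__":
    print(scenario())
```

The scenario shows why both checks are needed: the round-ID comparison alone detects Alice's genuine proof reaching a partitioned client (it commits to a different round ID), but a proof made with a coordinator-chosen key commits to the client's own round ID and only fails once the key is taken from a source the coordinator does not supply.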

@nothingmuch (Author):

Related issues:
