
Wallet fingerprinting and avoidpartialspends #22018

@ghost

Description

Issue

In Bitcoin Core you cannot spend unconfirmed UTXOs (except using createrawtransaction or createpsbt in CLI) and if avoidpartialspends=1 UTXOs will be grouped by addresses. So an attacker can send small amounts in Tx1 (100 sat/vByte) and Tx2 (1 sat/vByte) to address A. If only one of the UTXOs (Tx1) associated with address A is spent then it can be assumed the victim is using Bitcoin Core wallet.

If avoidpartialspends=0 (default) then it's easier to identify and get more information about the victim's addresses because other wallets do the grouping by default.

Expected behavior

avoidpartialspends=1 should be default IMO

  1. If 'reused address' group has an unconfirmed UTXO, then the whole group is unconfirmed.
  2. Users should be able to spend unconfirmed UTXOs

If we only fix 1, an attacker can do more than just fingerprinting because users will be unable to spend from addresses used in the attack except if they are good with Bitcoin Core RPCs like createrawtransaction or createpsbt. Or we can consider it the same as Joinmarket, in which any deposit to an already-used address is frozen by default.

If we only fix 2, it may help, but I'm not sure if enough people will agree to such a change based on bitcoin-core/gui#242 (comment)

Actual behavior

Examples of a few transactions in different wallets (PoC):

Bitcoin Core:
e710968190ce5ee3d4a23c5c2773ae227baddbe8b2221a6677f46d030cba6741 (using GUI)
82d3180b7f6bd29acf8c21c2b6cfdc2f9afa4660b5abd53f2536e2741b5e221e (using CLI)

Samourai: 60b80ecace4d1357f797b1d62eb0f514a57779fc5d37256f8256e5be229f9190
Electrum: 35ce2d882eaf870011002958351aef7ef882720116c8abbb9d5b68d97d490d28
Wasabi: 35ce2d882eaf870011002958351aef7ef882720116c8abbb9d5b68d97d490d28

To reproduce

  1. Create a new wallet
  2. Create new receiving address
  3. Send 0.01 to address returned in (2) and wait for 1 confirmation
  4. Send 0.01 to address returned in (2)
  5. Send 0.008 to a random address

System information

Bitcoin Core v0.21.1

Other information

There are other things which may help in wallet fingerprinting: version, locktime, rbf, fee estimation, change address, address type etc. but I wanted to focus on avoidpartialspends in this issue.

Sending small amounts in more than 10 transactions to the same address can also help in fingerprinting as there are no such max limits in a lot of other wallets. OUTPUT_GROUP_MAX_ENTRIES will be increased to 100 if PR: #18418 is merged, which makes the attack costly but still worth trying depending on the victim, the attacker's goal and money. IMO there should not be any limit, like other wallets, or let the users decide. Bitcoin Core with default settings is even easier to attack because other wallets that I mentioned above use the groups/buckets by default.
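
A wallet-side check for the condition this issue describes, added here as an example and not part of the original issue or of Bitcoin Core: before broadcasting, it reports every address whose UTXOs are only partly covered by the chosen inputs, and how many of the coins left behind are unconfirmed. The field names follow the output of the `listunspent` RPC; the function name, addresses and txids are constructed placeholders.

```python
from collections import defaultdict


def partial_spend_report(utxos, selected):
    """Return addresses whose UTXOs are only partly covered by `selected`.

    utxos:    dicts shaped like `listunspent 0` entries
              (txid, vout, address, amount, confirmations).
    selected: set of (txid, vout) outpoints chosen as transaction inputs.
    """
    by_address = defaultdict(list)
    for u in utxos:
        by_address[u["address"]].append(u)

    report = {}
    for address, group in by_address.items():
        spent = [u for u in group if (u["txid"], u["vout"]) in selected]
        left = [u for u in group if (u["txid"], u["vout"]) not in selected]
        # A partial spend: some coins of this address are used, others stay.
        if spent and left:
            report[address] = {
                "spent": len(spent),
                "left_behind": len(left),
                # The case in this issue: the leftover coin is unconfirmed,
                # so the wallet skipped it even though it shares the address.
                "left_unconfirmed": sum(
                    1 for u in left if u["confirmations"] == 0
                ),
            }
    return report


# Constructed sample mirroring the reproduction steps: address A holds one
# confirmed and one unconfirmed 0.01 output; address B is unrelated.
SAMPLE_UTXOS = [
    {"txid": "aa" * 32, "vout": 0, "address": "addr_A",
     "amount": 0.01, "confirmations": 1},
    {"txid": "bb" * 32, "vout": 1, "address": "addr_A",
     "amount": 0.01, "confirmations": 0},
    {"txid": "cc" * 32, "vout": 0, "address": "addr_B",
     "amount": 0.05, "confirmations": 6},
]

if __name__ == "__main__":
    # Spending only the confirmed coin of address A is flagged.
    print(partial_spend_report(SAMPLE_UTXOS, {("aa" * 32, 0)}))
```

An empty report means every touched address is spent in full, which is the outcome avoidpartialspends aims for.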
