Tornado review

Last December I published “The State of the Art in Cryptocurrency Privacy“, based on a lightning talk I gave at an Aragon One offsite providing an overview of the latest and greatest cryptocurrency privacy techniques at the time. I was disappointed to report at the time that the privacy story for Ethereum, the blockchain used by Aragon, was not good:

[Slide 18 from “The State of the Art in Cryptocurrency Privacy”]

I quoted geth core developer Peter Szilagyi, who said in his Devcon4 talk: “Privacy on ethereum is bad, really, really bad.” And I asked the question: zk-SNARKs when?

Well friends, less than eight months after publishing that blog post, I’m happy to provide a positive update: zk-SNARKs now.

Enter Tornado

A few weeks ago a tweet crossed my feed and grabbed my attention:

I was intrigued. The clean, minimalist interface seemed to have the important elements expected. But as it was a work in progress, I would have to wait to try it out. Then, a few weeks later, the Tornado touched down:

You can now mix ETH with zk-SNARK-based privacy at tornado.cash.

The announcement blog post has some additional information about the app. My own caveats and feedback follow. Tornado also mentions some of the following points in their blog post and in the app itself, but it’s worth mentioning them again here to drive the points home. Stay safe and remember this is beta software.

How to protect yourself when using Tornado

  • Don’t use the same IP address to withdraw as you used to deposit*
    • Worst is to use your personal IP address. Better is to use a VPN and switch servers. Best is to use Tor and reset the circuit.
  • Don’t use the same Ethereum address to withdraw as you used to deposit*
    • Use a new, unused address instead.
  • Don’t use Infura or another centralized node provider with your wallet*
    • Always connect your wallet to your own full node, or else your deposit and withdrawal addresses will be trivially tied together by the node provider and anyone who gains access to their data.
  • Don’t make a withdrawal via wallet and pay gas with an account connected to your deposit address.*
    • Save yourself the trouble and a potential privacy leak: use the Tornado Relayer.
  • Don’t lose your note or you’ll lose all your money
    • Save the note in your password manager (you are using a password manager, right?)

* Doing things that damage your own privacy also damages the privacy of all other Tornado users by shrinking the anonymity set. Seriously, don’t do these things.

Some feedback/suggestions for the Tornado devs

  • The app looks great. Seems intuitive enough. The essentials are there. Great job with everything so far. That said, I think more can and should be done to prevent users from damaging their privacy and the privacy of others.
  • Consider using aragonPM to beef up security on your dapp deployments. (Read how we use it at Aragon here.)
  • If it must be web-based, consider running exclusively as a Tor hidden service (better for anonymity and security).
  • Ditch Infura. Run your own node (and auto-delete logs). Although Infura shouldn’t be getting any useful data from your users if they’re using Tornado properly, it’s better to not even give them the opportunity.
  • Reject entering the same withdrawal address as a previously used deposit address. Users should know better, but sometimes they need saving from themselves.
  • Open up the higher deposit amounts. At 0.1 ETH deposit amount, total fees to deposit and withdraw added up to 3.734% of the mixed amount when I paid the standard gas price.
  • User privacy is compromised by allowing users to connect with a centralized node provider like Infura on both sides of the mix (e.g. if their wallet uses an Infura backend for both the deposit address and the withdrawal address). I’m not really sure how to solve this. But it makes for an easy foot-gun scenario, so worth thinking about how to fix this, or at least warn users about it. Worth looking at how Wasabi deals with this.
  • Since there are other Ethereum providers than MetaMask (for example I use Frame as my daily driver) I suggest using “Ethereum provider” in place of “MetaMask” in the app copy to keep it generic. Or “Ethereum signer”, or “Ethereum wallet”… whatever more generic term makes the most sense to you. (We use “Ethereum provider” throughout the Aragon client.)
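The two address rules above (withdraw to a fresh address, and don’t pay withdrawal gas from an account tied to your deposit) and the suggestion that the app reject a reused deposit address can be enforced client-side before a withdrawal is ever built. The following is an added example written for this review, not Tornado’s own code: it assumes the dapp records the addresses a user has deposited from (the `depositAddresses` list), normalizes addresses so a checksum-cased variant of a reused address cannot slip past the comparison, and reports every rule the proposed withdrawal would break. The sample addresses are constructed.

```javascript
// Added example, not code from Tornado: a client-side pre-flight check for a
// withdrawal request. All addresses below are constructed sample values.

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Lower-case an address so checksum-case variants of the same account
// (0xAbC... vs 0xabc...) compare equal; reject anything that is not a
// 20-byte hex address.
function normalizeAddress(addr) {
  const trimmed = typeof addr === "string" ? addr.trim() : "";
  if (!ADDRESS_RE.test(trimmed)) {
    throw new Error(`not a 20-byte hex Ethereum address: ${String(addr)}`);
  }
  return trimmed.toLowerCase();
}

// depositAddresses: every address this user has deposited from; the dapp is
// assumed (an assumption of this example) to have recorded them at deposit time.
// gasPayer: the account that would pay withdrawal gas when the "wallet" option
// is used; null means the relayer pays, which is the recommended path.
function checkWithdrawal({ recipient, gasPayer = null, depositAddresses }) {
  const deposits = new Set(depositAddresses.map(normalizeAddress));
  const problems = [];

  const to = normalizeAddress(recipient);
  if (deposits.has(to)) {
    problems.push("recipient was previously used as a deposit address");
  }

  if (gasPayer !== null) {
    const payer = normalizeAddress(gasPayer);
    if (deposits.has(payer)) {
      problems.push("gas would be paid from a deposit address; use the relayer instead");
    } else if (payer === to) {
      // A recipient that can already pay gas has a funding history, so it is
      // not the fresh, unused address the withdrawal should go to.
      problems.push("recipient already has a funding history; use a fresh address");
    }
  }

  return { ok: problems.length === 0, problems };
}

// Constructed sample data for a stand-alone run.
const SAMPLE_DEPOSITS = ["0x" + "AB".repeat(20)];
const FRESH_ADDRESS = "0x" + "01".repeat(20);

function demo() {
  const reused = checkWithdrawal({
    recipient: "0x" + "ab".repeat(20), // same account as the deposit, different case
    depositAddresses: SAMPLE_DEPOSITS,
  });
  const fresh = checkWithdrawal({
    recipient: FRESH_ADDRESS,
    depositAddresses: SAMPLE_DEPOSITS,
  });
  return { reused, fresh };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Rejecting the request client-side does not stop a determined user from building the transaction by hand, but it removes the easy foot-gun for everyone else, which is what protects the shared anonymity set.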

Remaining questions

  • Is there any advantage to using one’s own wallet vs Relayer for withdrawal? Might be easiest / safest to just remove the “wallet” option.
    • Answer: “It is there to make sure that users can withdraw their funds even if relayer is down.” (source)
  • How were the parameters for the zk-SNARK generated?
    • Answer: “For this beta version the setup was done on a single build machine, so you kinda have to trust that we didn’t save toxic waste… Currently there is no way to make a trusted setup for Ethereum BN256 curve, as soon as Gnosis and Matter finish working on it (soon) we will redeploy the mixer with a proper multiparty trusted setup.” (source)
  • When desktop app with local node + Frame support? 😀


Link: r/ethereum discussion

Email is probably the most popular decentralized messaging protocol. Add yourself to my email contacts if you would like to stay in touch!

2 thoughts on “Tornado review”

  1. Got this smart comment via the Aragon Chat:

    “In theory this is pretty cool but in practice I imagine most people will mix through a centralised connection to the ETH network like Infura ruining not only their own privacy but also massively reducing the anonymity set for people who connect through their own full node. Also it claims to be non-custodial yet the zk-SNARK params were generated on a single build server. This means if anyone has a copy of those params they can empty all the funds in the smart contract at any moment. I don’t think it’s really fair to call that non-custodial although I see how you could argue it is. Also something of this complexity implemented as a smart contract is slightly terrifying. Given that relatively simple applications in comparison (DAO/ERC-20 tokens/multisig) have been repeatedly bodged with major bugs/vulnerabilities in the contracts that lead to theft or permanent loss of funds, I’d be worried about trusting a zero knowledge mixing protocol to be implemented as a bug free smart contract. Not to mention, the fact that this is all implemented as a smart contract, so fees will be very high and very sensitive to gas price increases. @light’s article mentions the gas fee was 3.734% of the total mixed amount. That’s a lot and would increase rapidly if gas fees go up. At those prices it would be much cheaper to just trade on an exchange for Monero and back. Another issue is that anyone who mixes is gonna stand out like a sore thumb. The number of people who are interested in mixing, willing to pay those fees, and actually understand how to do this properly without breaking anonymity will likely be pretty small. Add to that the fact that address re-use is encouraged in Ethereum, it will be trivial to track all the funds that have been mixed through this contract.”

    1. My reply:

      > In theory this is pretty cool but in practice I imagine most people will mix through a centralised connection to the ETH network like Infura ruining not only their own privacy but also massively reducing the anonymity set for people who connect through their own full node

      This is true and I think the only way to solve this is to force users to deposit to an address that is backed by a more private node solution, as Wasabi does. (wasabiwallet.io)

      > I don’t think it’s really fair to call that non-custodial although I see how you could argue it is.

      Yes it is arguably non-custodial but that’s assuming the toxic waste has been destroyed. The dev has stated that one of the reasons the amount limit is so low is because of how risky it is to use the mixer in its current state. This seems like a reasonable tradeoff for the time being.

      > I’d be worried about trusting a zero knowledge mixing protocol to be implemented as a bug free smart contract.

      zk-SNARKs are quite new technology in general. Zcash devs already found a bug in their old Sprout implementation that could enable an attacker to create new coins at-will. A similar bug in Tornado’s implementation would allow an attacker to drain the mixer of all funds — obviously no bueno. That said, the longer it goes without being successfully attacked the more sure I think we can be that there is no bug. I will definitely be waiting a while before putting more than a couple hundred bucks at most worth of ETH in the mixer, for both the software to mature and for it to prove its battle readiness.

      > @light’s article mentions the gas fee was 3.734% of the total mixed amount. That’s a lot and would increase rapidly if gas fees go up.

      This is true but it should be noted that the fee amount does not scale with the amount mixed. So once the higher amount limits are opened up, it will become more economical to mix even with relatively high gas fees. And this is the kind of smart contract that it might make sense to move to an off-chain solution like a sidechain to bring fees down.

      > Another issue is that anyone who mixes is gonna stand out like a sore thumb.

      This is a good point and can only be solved by getting lots of people to use the mixer (properly).

      > Add to that the fact that address re-use is encouraged in Ethereum, it will be trivial to track all the funds that have been mixed through this contract.

      One of the suggestions I offered to the devs is to enforce no address re-use, so the software will reject any addresses that have been used before. Let’s hope they implement this. And that users aren’t dumb/careless enough to re-use addresses after the fact.
