Tornado review

Last December I published “The State of the Art in Cryptocurrency Privacy“, based on a lightning talk I gave at an Aragon One offsite providing an overview of the latest and greatest cryptocurrency privacy techniques at the time. I was disappointed to report at the time that the privacy story for Ethereum, the blockchain used by Aragon, was not good:

the state of the art in cryptocurrency privacy(18)

I quoted geth core developer Peter Szilagyi, who said in his Devcon4 talk: “Privacy on ethereum is bad, really, really bad.” And I asked the question: zk-SNARKs when?

Well friends, less than eight months after publishing that blog post, I’m happy to provide a positive update: zk-SNARKs now.

Enter Tornado

A few weeks ago a tweet crossed my feed and grabbed my attention:

I was intrigued. The clean, minimalist interface seemed to have the important elements expected. But as it was a work in progress, I would have to wait to try it out. Then, a few weeks later, the Tornado touched down:

You can now mix ETH with zk-SNARK-based privacy at tornado.cash.

The announcement blog post has some additional information about the app. My own caveats and feedback follows. Tornado also mentions some of the following points in their blog post and in the app itself, but it’s worth mentioning again here to drive the points home. Stay safe and remember this is beta software.

How to protect yourself when using Tornado

  • Don’t use the same IP address to withdraw as you used to deposit*
    • Worst is to use your personal IP address. Better is to use a VPN and switch servers. Best is to use Tor and reset the circuit.
  • Don’t use the same Ethereum address to withdraw as you used to deposit*
    • Use a new, unused address instead.
  • Don’t use Infura or another centralized node provider with your wallet*
    • Always connect your wallet to your own full node, or else your deposit and withdrawal addresses will be trivially tied together by the node provider and anyone who gains access to their data.
  • Don’t make a withdrawal via wallet and pay gas with an account connected to your deposit address.*
    • Save yourself the trouble and potential privacy leak, use the Tornado Relayer.
  • Don’t lose your note or you’ll lose all your money
    • Save the note in your password manager (you are using a password manager, right?)

* Doing things that damage your own privacy also damages the privacy of all other Tornado users by shrinking the anonymity set. Seriously, don’t do these things.

Some feedback/ suggestions for the Tornado devs

  • The app looks great. Seems intuitive enough. The essentials are there. Great job with everything so far. That said I think more can and should be done to prevent users from damaging their privacy and the privacy of others.
  • Consider using aragonPM to beef up security on your dapp deployments. (Read how we use it at Aragon here.)
  • If it must be web-based, consider running exclusively as a Tor hidden service (better for anonymity and security).
  • Ditch Infura. Run your own node (and auto-delete logs). Although Infura shouldn’t be getting any useful data from your users if they’re using Tornado properly, it’s better to not even give them the opportunity.
  • Reject entering the same withdrawal address as a previously used deposit address. Users should know better, but sometimes they need saving from themselves.
  • Open up the higher deposit amounts. At 0.1 ETH deposit amount, total fees to deposit and withdraw added up to 3.734% of the mixed amount when I paid the standard gas price.
  • User privacy is compromised by allowing users to connect with a centralized node provider like Infura on both sides of the mix (e.g. if their wallet uses an Infura backend for both the deposit address and the withdrawal address). I’m not really sure how to solve this. But it makes for an easy foot-gun scenario, so worth thinking about how to fix this, or at least warn users about it. Worth looking at how Wasabi deals with this.
  • Since there are other Ethereum providers than MetaMask (for example I use Frame as my daily driver) I suggest using “Ethereum provider” in place of “MetaMask” in the app copy to keep it generic. Or “Ethereum signer”, or “Ethereum wallet”… whatever more generic term makes the most sense to you. (We use “Ethereum provider” throughout the Aragon client.)

Remaining questions

  • Is there any advantage to using one’s own wallet vs Relayer for withdrawal? Might be easiest / safest to just remove the “wallet” option.
    • Answer: “It is there to make sure that users can withdraw their funds even if relayer is down.” (source)
  • How were the parameters for the zk-SNARK generated?
    • Answer: “For this beta version the setup was done on a single build machine, so you kinda have to trust that we didn’t save toxic waste… Currently there is no way to make a trusted setup for Ethereum BN256 curve, as soon as Gnosis and Matter finish working on it (soon) we will redeploy the mixer with a proper multiparty trusted setup.” (source)
  • When desktop app with local node + Frame support? 😀


Link: r/ethereum discussion

Email is probably the most popular decentralized messaging protocol. Add yourself to my email contacts if you would like to stay in touch!