Difference between revisions of "Tornado Cash (TORN)"

From CryptoWiki

Line 12: Line 12:
''We've seen a bit of a [[wave]] of these [[mixers]] lately, with [[Hopper]], [[Heiswap]] and a bunch of others. Clearly privacy is coming to Ethereum as a feature, fast. Interestingly the founder of Tornado also [http://sendy.tokeneconomy.co/sendy/l/6jgCuUA3MxEEqgxgl7pNPQ/Fg892qmuQ27638zQsFKymcXjgw/rggXX6ychGRKvq3Ghtdb892w published] a critical vulnerability common to all of them, which allowed [[double-spending]]. It was an easy fix, but still shows how experimental all these tools are."''
''We've seen a bit of a [[wave]] of these [[mixers]] lately, with [[Hopper]], [[Heiswap]] and a bunch of others. Clearly privacy is coming to Ethereum as a feature, fast. Interestingly the founder of Tornado also [http://sendy.tokeneconomy.co/sendy/l/6jgCuUA3MxEEqgxgl7pNPQ/Fg892qmuQ27638zQsFKymcXjgw/rggXX6ychGRKvq3Ghtdb892w published] a critical vulnerability common to all of them, which allowed [[double-spending]]. It was an easy fix, but still shows how experimental all these tools are."''
* From this [[Gitcoin]] Grant [https://gitcoin.co/blog/gitcoin-grants-round-4/ Round 4 blog] (30-1-2020) in which it was the top pick for Tech Grants:
* From this [[Gitcoin]] Grant [https://gitcoin.co/blog/gitcoin-grants-round-4/ Round 4 blog] (30-1-2020) in which it was the top pick for Tech Grants:
''"Tornado Cash improves the ability for private [[transactions]] on [[Ethereum]]. Tornado improves [[transaction]] privacy by breaking the [[on-chain]] link between recipient and destination [[addresses]]. It uses a [[smart contract]] that accepts ETH deposits that can be withdrawn by a different address. Whenever ETH is withdrawn by the new address, there is no way to link the withdrawal to the deposit, ensuring complete privacy.''
''"Tornado Cash improves the ability for private [[transactions]] on [[Ethereum]]. Tornado improves [[transaction]] privacy by breaking the [[on-chain]] [[LINK|link]] between recipient and destination [[addresses]]. It uses a [[smart contract]] that accepts ETH deposits that can be withdrawn by a different address. Whenever ETH is withdrawn by the new address, there is no way to link the withdrawal to the deposit, ensuring complete privacy.''


''During the round, they received 308 contributions — some no doubt affected by the blog post written by former [[Bitcoin Core]] developer [[Gavin Andresen]] [http://gavinandresen.ninja/private-thoughts about the potential] for Tornado. While it’s still early days for the privacy community on Ethereum, Tornado has helped the community take a huge leap forward into concretely considering what private transactions might look like on the network."''
''During the round, they received 308 contributions — some no doubt affected by the blog post written by former [[Bitcoin Core]] developer [[Gavin Andresen]] [http://gavinandresen.ninja/private-thoughts about the potential] for Tornado. While it’s still early days for the privacy community on Ethereum, Tornado has helped the community take a huge leap forward into concretely considering what private transactions might look like on the network."''
Line 47: Line 47:
=== Launch ===
=== Launch ===
* [https://cryptobriefing.com/tornado-cash-token-release-airdrop/ From] [[Crypto Briefing]] (18-12-2020):
* [https://cryptobriefing.com/tornado-cash-token-release-airdrop/ From] [[Crypto Briefing]] (18-12-2020):
''"Tornado.cash has suggested the launch of a [[native token]] in a new [[governance]] proposal. The plan involves [[airdrop|airdropping]] [[tokens]] to Tornado.cash users to hand over control of the protocol."''
''"[[Tornado.Cash|Tornado.cash]] has suggested the launch of a [[native token]] in a new [[governance]] proposal. The plan involves [[airdrop|airdropping]] [[tokens]] to Tornado.cash users to hand over control of the protocol."''


=== Token allocation ===
=== Token allocation ===
Line 72: Line 72:
* [https://twitter.com/_jefflau/status/1468065457190350850 From] [[Twitter]] (7-12-2021):
* [https://twitter.com/_jefflau/status/1468065457190350850 From] [[Twitter]] (7-12-2021):


"''Tornado cash is a proof of inclusion in a merkle tree, where snarks are used to do the proof without revealing the leaf [[node]] you are and with [[double spend]] protection to stop the proof being used twice.''
"''Tornado cash is a proof of inclusion in a [[Merkle Tree|merkle tree]], where snarks are used to do the proof without revealing the leaf [[node]] you are and with [[double spend]] protection to stop the proof being used twice.''


''Tornado cash is a [[Coin Mixer|mixer]] that allows you to take some [[Ethereum (ETH)|ETH]] and hide the link between the account you deposit in and the account you withdraw in. Tornado cash is a [[Smart Contract (SC)|smart contract]] that holds the funds as well as a [[Merkle Tree|merkle tree]] of all participants. When you deposit you create a secret offline and then [[hash]] that into a commitment. It is this commitment that is added to the merkle tree [[On Chain|on-chain]]. When you withdraw you want to prove you are within the merkle tree so the [[contract]] allows you to withdraw your funds.''
''Tornado cash is a [[Coin Mixer|mixer]] that allows you to take some [[Ethereum (ETH)|ETH]] and hide the link between the account you deposit in and the account you withdraw in. Tornado cash is a [[Smart Contract (SC)|smart contract]] that holds the funds as well as a [[Merkle Tree|merkle tree]] of all participants. When you deposit you create a secret offline and then [[hash]] that into a commitment. It is this commitment that is added to the merkle tree [[On Chain|on-chain]]. When you withdraw you want to prove you are within the merkle tree so the [[contract]] allows you to withdraw your funds.''
Line 78: Line 78:
''To prove inclusion in a merkle tree, you normally have to provide the data itself, the sibling hash, plus all the sibling hashes going up until you get to the root hash However if you provided this, you would reveal which leaf you are and when that deposit was made. So on withdrawal instead of providing the actual data, you only provide a [[Zero-Knowledge Proofs|zk proof]] of inclusion. This proof is created using a secret you generated on deposit.''
''To prove inclusion in a merkle tree, you normally have to provide the data itself, the sibling hash, plus all the sibling hashes going up until you get to the root hash However if you provided this, you would reveal which leaf you are and when that deposit was made. So on withdrawal instead of providing the actual data, you only provide a [[Zero-Knowledge Proofs|zk proof]] of inclusion. This proof is created using a secret you generated on deposit.''


''However if you create a proof of inclusion using a [[Zk-SNARK's|zkSNARK]], there is one issue. How does the contract know if you have withdrawn before? It doesn’t actually know who you are so it does not know if you have withdrawn in the past. This means there is a [[Double Spend|double spend problem]] that needs to be solved as a proof could be used multiple times to drain the contract of funds. The proof proves you are in the tree, but there is no way to know if the proof has been used before. This is solved by adding a salt to the commitment in addition to your secret. When you create your commitment on deposit, you are hashing both the secret and the salt together. They call this a nullifier in Tornado cash, which is a unique identifier of your commitment. When you generate your proof, this is also provided with your secret. And when you withdraw, your nullifier is also provided and is recorded in the smart contract so the proof cannot be used again.''
''However if you create a proof of inclusion using a [[Zk-SNARK's|zkSNARK]], there is one issue. How does the contract know if you have withdrawn before? It doesn’t actually know who you are so it does not know if you have withdrawn in the past. This means there is a [[Double Spend|double spend problem]] that needs to be solved as a proof could be used multiple times to drain the contract of funds. The proof proves you are in the tree, but there is no way to know if the proof has been used before. This is solved by adding a [[SALT|salt]] to the commitment in addition to your secret. When you create your commitment on deposit, you are hashing both the secret and the salt together. They call this a nullifier in Tornado cash, which is a unique identifier of your commitment. When you generate your proof, this is also provided with your secret. And when you withdraw, your nullifier is also provided and is recorded in the [[Smart Contract|smart contract]] so the proof cannot be used again.''


''The last piece of the puzzle are [[Relays|relayers]]. Relayers allow the actual withdrawal to happen without any ETH in the new [[address]]. And additionally it doesn't allow any link to be created between the deposit address and withdrawal address (other than they both used Tornado). Relayers take the proof and submit them to the Tornado cash smart contract on your behalf. They cannot steal the ETH as the proof has been created with the recipient as an input. If the recipient is changed, this will invalidate the proof itself and the withdrawal will fail. Relayers are pivotal to keeping anonymity in Tornado Cash. They stop any link from connecting the deposit and withdrawal address. If you use the same address (or an address that links to it) you break all the anonymity the zk proof has helped you provide."''
''The last piece of the puzzle are [[Relays|relayers]]. Relayers allow the actual withdrawal to happen without any ETH in the new [[address]]. And additionally it doesn't allow any link to be created between the deposit address and withdrawal address (other than they both used Tornado). Relayers take the proof and submit them to the Tornado cash smart contract on your behalf. They cannot steal the ETH as the proof has been created with the recipient as an input. If the recipient is changed, this will invalidate the proof itself and the withdrawal will fail. Relayers are pivotal to keeping anonymity in Tornado Cash. They stop any link from connecting the deposit and withdrawal address. If you use the same address (or an address that links to it) you break all the anonymity the zk proof has helped you provide."''
Line 100: Line 100:
== Oracle Method ==
== Oracle Method ==
== Privacy Method ==
== Privacy Method ==
== Compliance ==
* [https://newsletter.blockthreat.io/p/blockthreat-week-15-2022?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJfIjoicTgvVWsiLCJpYXQiOjE2NTMwNDIyMTgsImV4cCI6MTY1MzA0NTgxOCwiaXNzIjoicHViLTgxMDUiLCJzdWIiOiJwb3N0LXJlYWN0aW9uIn0.56cg1J4e0OhdNGLO_OEDQJV_fTDRp0dNdstCnCoN6k8&s=r From] Blockthreat (19-4-2022):
''"Tornado Cash started [https://twitter.com/tornadocash/status/1514904975037669386 banning] OFAC sanctioned [[Address|addresses]] on their [[Decentralized Applications (DApps)|Dapp]]. The ban does not apply to anyone using [[Smart Contract (SC)|smart contracts]] [https://www.coindesk.com/tech/2022/04/13/ronin-exploiter-moved-21000-ether-to-tornado-cash-in-past-week/ directly]."''
== Their Other Projects ==
== Their Other Projects ==
== Roadmap ==
== Roadmap ==

Revision as of 02:41, 30 May 2022

Basics

  • Founded in:
  • Mainnet release:
  • Based in:

"Another ETH mixer has launched on mainnet (though yet unaudited). This one is powered by zkSnarks technology, providing non-custodial, trustless, serverless, private transactions on the Ethereum network.

We've seen a bit of a wave of these mixers lately, with Hopper, Heiswap and a bunch of others. Clearly privacy is coming to Ethereum as a feature, fast. Interestingly the founder of Tornado also published a critical vulnerability common to all of them, which allowed double-spending. It was an easy fix, but still shows how experimental all these tools are."

"Tornado Cash improves the ability for private transactions on Ethereum. Tornado improves transaction privacy by breaking the on-chain link between recipient and destination addresses. It uses a smart contract that accepts ETH deposits that can be withdrawn by a different address. Whenever ETH is withdrawn by the new address, there is no way to link the withdrawal to the deposit, ensuring complete privacy.

During the round, they received 308 contributions — some no doubt affected by the blog post written by former Bitcoin Core developer Gavin Andresen about the potential for Tornado. While it’s still early days for the privacy community on Ethereum, Tornado has helped the community take a huge leap forward into concretely considering what private transactions might look like on the network."

History

Audits & Exploits

"The code [of TORN] has been published and audited by ABDK, Pessimistic, and Zeropool.network. It can be found on the Tornado.cash Github."

Bugs/Exploits

  • Had a vulnerability which was found (2-2-2020) in one of the first pro bono security audits done by The Ethereum Foundation. It got fixed and effected a pool of less then 100 tx.
  • They published a disclosure on 14-2-2020.

Governance

Admin Keys

  • The mixer is now (25-5-2020) trustless, with the admin function burned.

DAO

Treasury

Token

Launch

"Tornado.cash has suggested the launch of a native token in a new governance proposal. The plan involves airdropping tokens to Tornado.cash users to hand over control of the protocol."

Token allocation

  • From Crypto Briefing (18-12-2020):

"The airdrop would only be 5% of TORN’s total supply; the rest would be unlocked in the years following. 55% of the total 10 million supply would go to a DAO treasury, to be unlocked over the next 5 years.

Founding developers and early supporters would earn 30%, unlocked over 3 years."

Utility

Token Details

Stablecoin

Tech

  • Whitepaper can be found [insert here].
  • Code can be viewed [insert here].

Implementations

How it works

"Tornado cash is a proof of inclusion in a merkle tree, where snarks are used to do the proof without revealing the leaf node you are and with double spend protection to stop the proof being used twice.

Tornado cash is a mixer that allows you to take some ETH and hide the link between the account you deposit in and the account you withdraw in. Tornado cash is a smart contract that holds the funds as well as a merkle tree of all participants. When you deposit you create a secret offline and then hash that into a commitment. It is this commitment that is added to the merkle tree on-chain. When you withdraw you want to prove you are within the merkle tree so the contract allows you to withdraw your funds.

To prove inclusion in a merkle tree, you normally have to provide the data itself, the sibling hash, plus all the sibling hashes going up until you get to the root hash However if you provided this, you would reveal which leaf you are and when that deposit was made. So on withdrawal instead of providing the actual data, you only provide a zk proof of inclusion. This proof is created using a secret you generated on deposit.

However if you create a proof of inclusion using a zkSNARK, there is one issue. How does the contract know if you have withdrawn before? It doesn’t actually know who you are so it does not know if you have withdrawn in the past. This means there is a double spend problem that needs to be solved as a proof could be used multiple times to drain the contract of funds. The proof proves you are in the tree, but there is no way to know if the proof has been used before. This is solved by adding a salt to the commitment in addition to your secret. When you create your commitment on deposit, you are hashing both the secret and the salt together. They call this a nullifier in Tornado cash, which is a unique identifier of your commitment. When you generate your proof, this is also provided with your secret. And when you withdraw, your nullifier is also provided and is recorded in the smart contract so the proof cannot be used again.

The last piece of the puzzle are relayers. Relayers allow the actual withdrawal to happen without any ETH in the new address. And additionally it doesn't allow any link to be created between the deposit address and withdrawal address (other than they both used Tornado). Relayers take the proof and submit them to the Tornado cash smart contract on your behalf. They cannot steal the ETH as the proof has been created with the recipient as an input. If the recipient is changed, this will invalidate the proof itself and the withdrawal will fail. Relayers are pivotal to keeping anonymity in Tornado Cash. They stop any link from connecting the deposit and withdrawal address. If you use the same address (or an address that links to it) you break all the anonymity the zk proof has helped you provide."

Fees

Upgrades

  • From their blog (16-12-2021):

"Tornado Cash Nova. This pool will allow users to deposit & withdraw arbitrary amounts of ETH."

Staking

Scaling

  • From their blog (16-12-2021):

"Speed & cost being the cornerstone of user experience, Tornado Cash Nova uses the Gnosis Chain as a Layer 2. This sidechain was specifically chosen as an L2 for being the only one that supports fast withdrawals to Mainnet (a few minutes vs. ~3hours on Polygon &~7 days on Optimism or Arbitrum)."

Interoperability

Other Details

Oracle Method

Privacy Method

Compliance

  • From Blockthreat (19-4-2022):

"Tornado Cash started banning OFAC sanctioned addresses on their Dapp. The ban does not apply to anyone using smart contracts directly."

Their Other Projects

Roadmap

  • Can be found [Insert link here].

Usage

  • Reached (6-10-2020) $7 million (in ETH) locked in their privacy pools. 3x growth in the past month.

Projects that use or built on it

Competition

Pros and Cons

“In theory this is pretty cool but in practise I imagine most people will mix through a centralised connection to the ETH network like Infura ruining not only their own privacy but also massively reducing the anonymity set for people who connect through their own full node. Also it claims to be non-custodial yet the zk-SNARK params were generated on a single build server. This means if anyone has a copy of those params they can empty all the funds in the smart contract at any moment. I don’t think it’s really fair to call that non-custodial although I see how you could argue it is. Also something of this complexity implemented as a smart contract is slightly terrifying. Given that relatively simple applications in comparison (DAO/ERC-20 tokens/multisig) have been repeatedly bodged with major bugs/vulnerabilities in the contracts that lead to theft or permanent loss of funds, I’d be worried about trusting a zero knowledge mixing protocol to be implemented as a bug free smart contract. Not to mention, the fact that this is all implemented as a smart contract, so fees will be very high and very sensitive to gas price increases. @light’s article⁩ mentions the gas fee was 3.734% of the total mixed amount. That’s a lot and would increase rapidly of gas fees go up. At those prices it would be much cheaper to just trade on an exchange for Monero and back. Another issue is that anyone who mixes is gonna stand out like a sore thumb. The number of people who are interested in mixing, willing to pay those fees, and actually understand how to do this properly without breaking anonymity will likely be pretty small. Add to that the fact that address re-use is encouraged in Ethereum, it will be trivial to track all the funds that have been mixed through this contract.”

Pros

Cons

There have been researchers who have been able to identify certain wallets and actors who used Tornado Cash (22-3-2022).

Team, Funding, Partnerships, etc.

Team

  • Full team can be found [here].

Funding

Partners