Difference between revisions of "Tornado Cash (TORN)"
m (→Compliance) |
|||
Line 75: | Line 75: | ||
"''Tornado cash is a proof of inclusion in a [[Merkle Tree|merkle tree]], where snarks are used to do the proof without revealing the leaf [[node]] you are and with [[double spend]] protection to stop the proof being used twice.'' | "''Tornado cash is a proof of inclusion in a [[Merkle Tree|merkle tree]], where snarks are used to do the proof without revealing the leaf [[node]] you are and with [[double spend]] protection to stop the proof being used twice.'' | ||
''Tornado cash is a [[Coin Mixer|mixer]] that allows you to take some [[Ethereum (ETH)|ETH]] and hide the [[LINK|link]] between the account you deposit in and the account you withdraw in. Tornado cash is a [[Smart Contract (SC)|smart contract]] that holds the funds as well as a [[Merkle Tree|merkle tree]] of all participants. When you deposit you create a secret offline and then [[hash]] that into a commitment. It is this commitment that is added to the [[Merkle Tree|merkle tree]] [[On Chain|on-chain]]. When you withdraw you want to prove you are within the | ''Tornado cash is a [[Coin Mixer|mixer]] that allows you to take some [[Ethereum (ETH)|ETH]] and hide the [[LINK|link]] between the account you deposit in and the account you withdraw in. Tornado cash is a [[Smart Contract (SC)|smart contract]] that holds the funds as well as a [[Merkle Tree|merkle tree]] of all participants. When you deposit you create a secret offline and then [[hash]] that into a commitment. It is this commitment that is added to the [[Merkle Tree|merkle tree]] [[On Chain|on-chain]]. When you withdraw you want to prove you are within the merkle tree so the [[contract]] allows you to withdraw your funds.'' | ||
''To prove inclusion in a merkle tree, you normally have to provide the data itself, the sibling hash, plus all the sibling hashes going up until you get to the root hash However if you provided this, you would reveal which leaf you are and when that deposit was made. So on withdrawal instead of providing the actual data, you only provide a [[Zero-Knowledge Proofs|zk proof]] of inclusion. This proof is created using a secret you generated on deposit.'' | ''To prove inclusion in a merkle tree, you normally have to provide the data itself, the sibling hash, plus all the sibling hashes going up until you get to the root hash However if you provided this, you would reveal which leaf you are and when that deposit was made. So on withdrawal instead of providing the actual data, you only provide a [[Zero-Knowledge Proofs|zk proof]] of inclusion. This proof is created using a secret you generated on deposit.'' | ||
Line 81: | Line 81: | ||
''However if you create a proof of inclusion using a [[Zk-SNARK's|zkSNARK]], there is one issue. How does the contract know if you have withdrawn before? It doesn’t actually know who you are so it does not know if you have withdrawn in the past. This means there is a [[Double Spend|double spend problem]] that needs to be solved as a proof could be used multiple times to drain the contract of funds. The proof proves you are in the tree, but there is no way to know if the proof has been used before. This is solved by adding a [[SALT|salt]] to the commitment in addition to your secret. When you create your commitment on deposit, you are hashing both the secret and the [[SALT|salt]] together. They call this a nullifier in Tornado cash, which is a unique identifier of your commitment. When you generate your proof, this is also provided with your secret. And when you withdraw, your nullifier is also provided and is recorded in the [[Smart Contract|smart contract]] so the proof cannot be used again.'' | ''However if you create a proof of inclusion using a [[Zk-SNARK's|zkSNARK]], there is one issue. How does the contract know if you have withdrawn before? It doesn’t actually know who you are so it does not know if you have withdrawn in the past. This means there is a [[Double Spend|double spend problem]] that needs to be solved as a proof could be used multiple times to drain the contract of funds. The proof proves you are in the tree, but there is no way to know if the proof has been used before. This is solved by adding a [[SALT|salt]] to the commitment in addition to your secret. When you create your commitment on deposit, you are hashing both the secret and the [[SALT|salt]] together. They call this a nullifier in Tornado cash, which is a unique identifier of your commitment. When you generate your proof, this is also provided with your secret. And when you withdraw, your nullifier is also provided and is recorded in the [[Smart Contract|smart contract]] so the proof cannot be used again.'' | ||
''The last piece of the puzzle are [[Relays|relayers]]. Relayers allow the actual withdrawal to happen without any ETH in the new [[address]]. And additionally it doesn't allow any | ''The last piece of the puzzle are [[Relays|relayers]]. Relayers allow the actual withdrawal to happen without any ETH in the new [[address]]. And additionally it doesn't allow any link to be created between the deposit address and withdrawal address (other than they both used Tornado). Relayers take the proof and submit them to the Tornado cash [[Smart Contract|smart contract]] on your behalf. They cannot steal the ETH as the proof has been created with the recipient as an input. If the recipient is changed, this will invalidate the proof itself and the withdrawal will fail. Relayers are pivotal to keeping anonymity in Tornado Cash. They stop any link from connecting the deposit and withdrawal address. If you use the same address (or an address that links to it) you break all the anonymity the zk proof has helped you provide."'' | ||
=== Fees === | === Fees === | ||
Line 103: | Line 103: | ||
== Compliance == | == Compliance == | ||
* U.S. Treasury [https://home.treasury.gov/news/press-releases/jy0916 sanctions] Tornado Cash (8-8-2022), | * U.S. Treasury [https://home.treasury.gov/news/press-releases/jy0916 sanctions] Tornado Cash (8-8-2022), github accounts of people who contributed to Tornado repos got [https://twitter.com/bantg/status/1556721709931175937?t=Y_FHzviRG26sXEtDdj8a0g&s=19 deleted] (9-8-2022). | ||
*[https://newsletter.blockthreat.io/p/blockthreat-week-15-2022?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJfIjoicTgvVWsiLCJpYXQiOjE2NTMwNDIyMTgsImV4cCI6MTY1MzA0NTgxOCwiaXNzIjoicHViLTgxMDUiLCJzdWIiOiJwb3N0LXJlYWN0aW9uIn0.56cg1J4e0OhdNGLO_OEDQJV_fTDRp0dNdstCnCoN6k8&s=r From] Blockthreat (19-4-2022): | *[https://newsletter.blockthreat.io/p/blockthreat-week-15-2022?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJfIjoicTgvVWsiLCJpYXQiOjE2NTMwNDIyMTgsImV4cCI6MTY1MzA0NTgxOCwiaXNzIjoicHViLTgxMDUiLCJzdWIiOiJwb3N0LXJlYWN0aW9uIn0.56cg1J4e0OhdNGLO_OEDQJV_fTDRp0dNdstCnCoN6k8&s=r From] Blockthreat (19-4-2022): | ||
Line 119: | Line 119: | ||
== Pros and Cons == | == Pros and Cons == | ||
* From this [https://lightco.in/2019/08/07/tornado-review/ review] 7-8-2019: | * From this [https://lightco.in/2019/08/07/tornado-review/ review] 7-8-2019: | ||
''“In theory this is pretty cool but in practise I imagine most people will mix through a [[centralised]] connection to the ETH network like [[Infura]] ruining not only their own privacy but also massively reducing the anonymity set for people who connect through their own [[full node]]. Also it claims to be non-custodial yet the [[zk-SNARK]] params were generated on a single build server. This means if anyone has a copy of those params they can empty all the funds in the [[smart contract]] at any moment. I don’t think it’s really fair to call that non-custodial although I see how you could argue it is. Also something of this complexity implemented as a | ''“In theory this is pretty cool but in practise I imagine most people will mix through a [[centralised]] connection to the ETH network like [[Infura]] ruining not only their own privacy but also massively reducing the anonymity set for people who connect through their own [[full node]]. Also it claims to be non-custodial yet the [[zk-SNARK]] params were generated on a single build server. This means if anyone has a copy of those params they can empty all the funds in the [[smart contract]] at any moment. I don’t think it’s really fair to call that non-custodial although I see how you could argue it is. Also something of this complexity implemented as a smart contract is slightly terrifying. Given that relatively simple applications in comparison ([[DAO]]/[[ERC-20]] tokens/[[multisig]]) have been repeatedly bodged with major bugs/vulnerabilities in the [[contracts]] that lead to theft or permanent loss of funds, I’d be worried about trusting a zero knowledge mixing protocol to be implemented as a bug free smart contract. Not to mention, the fact that this is all implemented as a smart contract, so [[fees]] will be very high and very sensitive to gas price increases. @light’s article mentions the gas fee was 3.734% of the total mixed amount. That’s a lot and would increase rapidly of gas fees go up. At those prices it would be much cheaper to just trade on an exchange for [[Monero]] and back. Another issue is that anyone who mixes is gonna stand out like a sore thumb. The number of people who are interested in mixing, willing to pay those fees, and actually understand how to do this properly without breaking anonymity will likely be pretty small. Add to that the fact that address re-use is encouraged in Ethereum, it will be trivial to track all the funds that have been mixed through this contract.”'' | ||
=== Pros === | === Pros === | ||
=== Cons === | === Cons === |
Revision as of 01:11, 9 August 2022
Basics
- Founded in:
- Mainnet release:
- Based in:
- From Token Economy:
"Another ETH mixer has launched on mainnet (though yet unaudited). This one is powered by zkSnarks technology, providing non-custodial, trustless, serverless, private transactions on the Ethereum network.
We've seen a bit of a wave of these mixers lately, with Hopper, Heiswap and a bunch of others. Clearly privacy is coming to Ethereum as a feature, fast. Interestingly the founder of Tornado also published a critical vulnerability common to all of them, which allowed double-spending. It was an easy fix, but still shows how experimental all these tools are."
- From this Gitcoin Grant Round 4 blog (30-1-2020) in which it was the top pick for Tech Grants:
"Tornado Cash improves the ability for private transactions on Ethereum. Tornado improves transaction privacy by breaking the on-chain link between recipient and destination addresses. It uses a smart contract that accepts ETH deposits that can be withdrawn by a different address. Whenever ETH is withdrawn by the new address, there is no way to link the withdrawal to the deposit, ensuring complete privacy.
During the round, they received 308 contributions — some no doubt affected by the blog post written by former Bitcoin Core developer Gavin Andresen about the potential for Tornado. While it’s still early days for the privacy community on Ethereum, Tornado has helped the community take a huge leap forward into concretely considering what private transactions might look like on the network."
History
Audits & Exploits
- Bug bounty program can be found [insert here]. None according to Blockchain Security DB (29-6-2020), which does show 4 audit (latest in 11-2019).
- From Crypto Briefing (18-12-2020):
"The code [of TORN] has been published and audited by ABDK, Pessimistic, and Zeropool.network. It can be found on the Tornado.cash Github."
Bugs/Exploits
- Had a vulnerability which was found (2-2-2020) in one of the first pro bono security audits done by The Ethereum Foundation. It got fixed and effected a pool of less then 100 tx.
- They published a disclosure on 14-2-2020.
Governance
Admin Keys
DAO
- Will (1-7-2020) form a Moloch DAO with OpenLaw called Tornado Fund.
Treasury
- Chris Blec pointed out (8-6-2021) that the treasury is run by a 2-of-3 multisig with no timelock.
Token
Launch
- From Crypto Briefing (18-12-2020):
"Tornado.cash has suggested the launch of a native token in a new governance proposal. The plan involves airdropping tokens to Tornado.cash users to hand over control of the protocol."
Token allocation
- From Crypto Briefing (18-12-2020):
"The airdrop would only be 5% of TORN’s total supply; the rest would be unlocked in the years following. 55% of the total 10 million supply would go to a DAO treasury, to be unlocked over the next 5 years.
Founding developers and early supporters would earn 30%, unlocked over 3 years."
Utility
- Governance token
Token Details
Stablecoin
Tech
- Whitepaper can be found [insert here].
- Code can be viewed [insert here].
- Tornado Cash Classic UI got open sourced (7-7-2022).
Implementations
- Built on: Ethereum and BSC (11-6-2021). Deployed on Polygon, xDai, Avalanche and might be deploying on Arbitrum (1-12-2021). Uses ensdomains for additional censorship resistance for all their relayers (8-12-2021).
How it works
"Tornado cash is a proof of inclusion in a merkle tree, where snarks are used to do the proof without revealing the leaf node you are and with double spend protection to stop the proof being used twice.
Tornado cash is a mixer that allows you to take some ETH and hide the link between the account you deposit in and the account you withdraw in. Tornado cash is a smart contract that holds the funds as well as a merkle tree of all participants. When you deposit you create a secret offline and then hash that into a commitment. It is this commitment that is added to the merkle tree on-chain. When you withdraw you want to prove you are within the merkle tree so the contract allows you to withdraw your funds.
To prove inclusion in a merkle tree, you normally have to provide the data itself, the sibling hash, plus all the sibling hashes going up until you get to the root hash However if you provided this, you would reveal which leaf you are and when that deposit was made. So on withdrawal instead of providing the actual data, you only provide a zk proof of inclusion. This proof is created using a secret you generated on deposit.
However if you create a proof of inclusion using a zkSNARK, there is one issue. How does the contract know if you have withdrawn before? It doesn’t actually know who you are so it does not know if you have withdrawn in the past. This means there is a double spend problem that needs to be solved as a proof could be used multiple times to drain the contract of funds. The proof proves you are in the tree, but there is no way to know if the proof has been used before. This is solved by adding a salt to the commitment in addition to your secret. When you create your commitment on deposit, you are hashing both the secret and the salt together. They call this a nullifier in Tornado cash, which is a unique identifier of your commitment. When you generate your proof, this is also provided with your secret. And when you withdraw, your nullifier is also provided and is recorded in the smart contract so the proof cannot be used again.
The last piece of the puzzle are relayers. Relayers allow the actual withdrawal to happen without any ETH in the new address. And additionally it doesn't allow any link to be created between the deposit address and withdrawal address (other than they both used Tornado). Relayers take the proof and submit them to the Tornado cash smart contract on your behalf. They cannot steal the ETH as the proof has been created with the recipient as an input. If the recipient is changed, this will invalidate the proof itself and the withdrawal will fail. Relayers are pivotal to keeping anonymity in Tornado Cash. They stop any link from connecting the deposit and withdrawal address. If you use the same address (or an address that links to it) you break all the anonymity the zk proof has helped you provide."
Fees
Upgrades
- From their blog (16-12-2021):
"Tornado Cash Nova. This pool will allow users to deposit & withdraw arbitrary amounts of ETH."
Staking
Scaling
- From their blog (16-12-2021):
"Speed & cost being the cornerstone of user experience, Tornado Cash Nova uses the Gnosis Chain as a Layer 2. This sidechain was specifically chosen as an L2 for being the only one that supports fast withdrawals to Mainnet (a few minutes vs. ~3hours on Polygon &~7 days on Optimism or Arbitrum)."
Interoperability
Other Details
Oracle Method
Privacy Method
Compliance
- U.S. Treasury sanctions Tornado Cash (8-8-2022), github accounts of people who contributed to Tornado repos got deleted (9-8-2022).
- From Blockthreat (19-4-2022):
"Tornado Cash started banning OFAC sanctioned addresses on their Dapp. The ban does not apply to anyone using smart contracts directly."
Their Other Projects
Roadmap
- Can be found [Insert link here].
Usage
Projects that use or built on it
Competition
Pros and Cons
- From this review 7-8-2019:
“In theory this is pretty cool but in practise I imagine most people will mix through a centralised connection to the ETH network like Infura ruining not only their own privacy but also massively reducing the anonymity set for people who connect through their own full node. Also it claims to be non-custodial yet the zk-SNARK params were generated on a single build server. This means if anyone has a copy of those params they can empty all the funds in the smart contract at any moment. I don’t think it’s really fair to call that non-custodial although I see how you could argue it is. Also something of this complexity implemented as a smart contract is slightly terrifying. Given that relatively simple applications in comparison (DAO/ERC-20 tokens/multisig) have been repeatedly bodged with major bugs/vulnerabilities in the contracts that lead to theft or permanent loss of funds, I’d be worried about trusting a zero knowledge mixing protocol to be implemented as a bug free smart contract. Not to mention, the fact that this is all implemented as a smart contract, so fees will be very high and very sensitive to gas price increases. @light’s article mentions the gas fee was 3.734% of the total mixed amount. That’s a lot and would increase rapidly of gas fees go up. At those prices it would be much cheaper to just trade on an exchange for Monero and back. Another issue is that anyone who mixes is gonna stand out like a sore thumb. The number of people who are interested in mixing, willing to pay those fees, and actually understand how to do this properly without breaking anonymity will likely be pretty small. Add to that the fact that address re-use is encouraged in Ethereum, it will be trivial to track all the funds that have been mixed through this contract.”
Pros
Cons
There have been researchers who have been able to identify certain wallets and actors who used Tornado Cash (22-3-2022).
Team, Funding, Partnerships, etc.
Team
- Full team can be found [here].