Difference between revisions of "Tornado Cash (TORN)"
m (→DAO) |
|||
(4 intermediate revisions by the same user not shown) | |||
Line 38: | Line 38: | ||
=== DAO === | === DAO === | ||
* [https://www.theblock.co/post/232401/tornado-cash-dao-passes-attackers-proposal-to-hand-back-control From] [[The Block]] (27-5-2023): | |||
''"The attacker who took control of the Tornado Cash governance system is handing back control to token holders. Their [https://tornado.ws/governance/21 proposal] to do so has now passed and will be executed in a day’s time. This may be a swift ending to a ruthless governance takeover that didn't affect the protocol — although it could have done — but resulted in the theft of some governance tokens. The attacker stole 483,000 TORN tokens and swapped most of them for 485 ETH ($890,000), leaving 39,000 TORN ($160,000). Some of the ether was then routed through Tornado Cash, to obscure its origin."'' | |||
*Got its governance taken over (21-5-2023), [https://twitter.com/samczsun/status/1660012958787973121 as per] [[Samczsun]]: | |||
''"On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control. Through governance control, the attacker can: - withdraw all of the locked votes - drain all of the tokens in the governance [[Smart Contract (SC)|contract]] - brick the router.'' | |||
''@CellierLael correctly pointed out that Tornado Cash Nova, deployed to [[Gnosis Chain (GNO)|Gnosis Chain]], is a [[proxy]] that is administered by governance. Therefore, the attacker is also able to drain all of the [[Ethereum (ETH)|ETH]] [~$1M] in that pool by upgrading the contract."'' | |||
*[https://defirate.com/tornado-cash-dao/ Will] (1-7-2020) form a [[Moloch DAO]] with [[OpenLaw]] called Tornado Fund. | *[https://defirate.com/tornado-cash-dao/ Will] (1-7-2020) form a [[Moloch DAO]] with [[OpenLaw]] called Tornado Fund. | ||
Line 62: | Line 69: | ||
== Tech == | == Tech == | ||
* [[Whitepaper]] can be found [insert here]. | * [[Whitepaper]] can be found [insert here]. | ||
* Code can be | * Code can be viewed [https://github.com/tornadocash here]. | ||
*Tornado Cash Classic UI [https://tornado-cash.medium.com/tornado-cash-classic-ui-is-now-open-source-4b542b705a97 got] [[Open Source|open sourced]] (7-7-2022). | *Tornado Cash Classic UI [https://tornado-cash.medium.com/tornado-cash-classic-ui-is-now-open-source-4b542b705a97 got] [[Open Source|open sourced]] (7-7-2022). | ||
Line 68: | Line 75: | ||
* Built on: [[Ethereum (ETH)|Ethereum]] [https://tornado-cash.medium.com/tornado-cash-bsc-deployment-proposal-96dfc06055f8 and] [[Binance|BSC]] (11-6-2021). [https://tornado-cash.medium.com/tornado-cash-deployment-proposal-on-arbitrum-fb02e508fe74 Deployed] on [[Polygon (MATIC)|Polygon]], [[XDai (STAKE)|xDai]], [[Avalanche (AVAX)|Avalanche]] and might be deploying on [[Arbitrum]] (1-12-2021). [https://twitter.com/_jefflau/status/1468065493076815872?s=20 Uses] [[Ethereum Name Service (ENS)|ensdomains]] for additional censorship resistance for all their [[relayers]] (8-12-2021). | * Built on: [[Ethereum (ETH)|Ethereum]] [https://tornado-cash.medium.com/tornado-cash-bsc-deployment-proposal-96dfc06055f8 and] [[Binance|BSC]] (11-6-2021). [https://tornado-cash.medium.com/tornado-cash-deployment-proposal-on-arbitrum-fb02e508fe74 Deployed] on [[Polygon (MATIC)|Polygon]], [[XDai (STAKE)|xDai]], [[Avalanche (AVAX)|Avalanche]] and might be deploying on [[Arbitrum]] (1-12-2021). [https://twitter.com/_jefflau/status/1468065493076815872?s=20 Uses] [[Ethereum Name Service (ENS)|ensdomains]] for additional censorship resistance for all their [[relayers]] (8-12-2021). | ||
*Privacy Pools—a [[fork]] of Tornado Cash [https://decrypt.co/122522/tornado-cash-fork-privacy-pools created] by [[Ameen Soleimani|Soleimani]] and one other developer—works by allowing users to show publicly that their withdrawals are not linked to bad actors (3-3-2023): | |||
''"Users can still make anonymous transactions but there is the option to make it clear that the money being moved is not from something criminal—like a hack. The new app works just like Tornado Cash, but when users click the option to withdraw funds, they can generate a [[Zero-Knowledge Proofs|zero-knowledge proof]] which publicly shows they are not using a criminal blockchain address, but without revealing who they are."'' | |||
=== How it works === | === How it works === | ||
Line 75: | Line 84: | ||
"''Tornado cash is a proof of inclusion in a [[Merkle Tree|merkle tree]], where snarks are used to do the proof without revealing the leaf [[node]] you are and with [[double spend]] protection to stop the proof being used twice.'' | "''Tornado cash is a proof of inclusion in a [[Merkle Tree|merkle tree]], where snarks are used to do the proof without revealing the leaf [[node]] you are and with [[double spend]] protection to stop the proof being used twice.'' | ||
''Tornado cash is a [[Coin Mixer|mixer]] that allows you to take some [[Ethereum (ETH)|ETH]] and hide the [[LINK|link]] between the account you deposit in and the account you withdraw in. Tornado cash is a [[Smart Contract (SC)|smart contract]] that holds the funds as well as a [[Merkle Tree|merkle tree]] of all participants. When you deposit you create a secret offline and then [[hash]] that into a commitment. It is this commitment that is added to the [[Merkle Tree|merkle tree]] [[On Chain|on-chain]]. When you withdraw you want to prove you are within the | ''Tornado cash is a [[Coin Mixer|mixer]] that allows you to take some [[Ethereum (ETH)|ETH]] and hide the [[LINK|link]] between the account you deposit in and the account you withdraw in. Tornado cash is a [[Smart Contract (SC)|smart contract]] that holds the funds as well as a [[Merkle Tree|merkle tree]] of all participants. When you deposit you create a secret offline and then [[hash]] that into a commitment. It is this commitment that is added to the [[Merkle Tree|merkle tree]] [[On Chain|on-chain]]. When you withdraw you want to prove you are within the merkle tree so the [[contract]] allows you to withdraw your funds.'' | ||
''To prove inclusion in a merkle tree, you normally have to provide the data itself, the sibling hash, plus all the sibling hashes going up until you get to the root hash However if you provided this, you would reveal which leaf you are and when that deposit was made. So on withdrawal instead of providing the actual data, you only provide a [[Zero-Knowledge Proofs|zk proof]] of inclusion. This proof is created using a secret you generated on deposit.'' | ''To prove inclusion in a merkle tree, you normally have to provide the data itself, the sibling hash, plus all the sibling hashes going up until you get to the root hash However if you provided this, you would reveal which leaf you are and when that deposit was made. So on withdrawal instead of providing the actual data, you only provide a [[Zero-Knowledge Proofs|zk proof]] of inclusion. This proof is created using a secret you generated on deposit.'' | ||
Line 81: | Line 90: | ||
''However if you create a proof of inclusion using a [[Zk-SNARK's|zkSNARK]], there is one issue. How does the contract know if you have withdrawn before? It doesn’t actually know who you are so it does not know if you have withdrawn in the past. This means there is a [[Double Spend|double spend problem]] that needs to be solved as a proof could be used multiple times to drain the contract of funds. The proof proves you are in the tree, but there is no way to know if the proof has been used before. This is solved by adding a [[SALT|salt]] to the commitment in addition to your secret. When you create your commitment on deposit, you are hashing both the secret and the [[SALT|salt]] together. They call this a nullifier in Tornado cash, which is a unique identifier of your commitment. When you generate your proof, this is also provided with your secret. And when you withdraw, your nullifier is also provided and is recorded in the [[Smart Contract|smart contract]] so the proof cannot be used again.'' | ''However if you create a proof of inclusion using a [[Zk-SNARK's|zkSNARK]], there is one issue. How does the contract know if you have withdrawn before? It doesn’t actually know who you are so it does not know if you have withdrawn in the past. This means there is a [[Double Spend|double spend problem]] that needs to be solved as a proof could be used multiple times to drain the contract of funds. The proof proves you are in the tree, but there is no way to know if the proof has been used before. This is solved by adding a [[SALT|salt]] to the commitment in addition to your secret. When you create your commitment on deposit, you are hashing both the secret and the [[SALT|salt]] together. They call this a nullifier in Tornado cash, which is a unique identifier of your commitment. When you generate your proof, this is also provided with your secret. And when you withdraw, your nullifier is also provided and is recorded in the [[Smart Contract|smart contract]] so the proof cannot be used again.'' | ||
''The last piece of the puzzle are [[Relays|relayers]]. Relayers allow the actual withdrawal to happen without any ETH in the new [[address]]. And additionally it doesn't allow any | ''The last piece of the puzzle are [[Relays|relayers]]. Relayers allow the actual withdrawal to happen without any ETH in the new [[address]]. And additionally it doesn't allow any link to be created between the deposit address and withdrawal address (other than they both used Tornado). Relayers take the proof and submit them to the Tornado cash [[Smart Contract|smart contract]] on your behalf. They cannot steal the ETH as the proof has been created with the recipient as an input. If the recipient is changed, this will invalidate the proof itself and the withdrawal will fail. Relayers are pivotal to keeping anonymity in Tornado Cash. They stop any link from connecting the deposit and withdrawal address. If you use the same address (or an address that links to it) you break all the anonymity the zk proof has helped you provide."'' | ||
=== Fees === | === Fees === | ||
Line 103: | Line 112: | ||
== Compliance == | == Compliance == | ||
* U.S. Treasury [https://home.treasury.gov/news/press-releases/jy0916 sanctions] Tornado Cash (8-8-2022), | * U.S. Treasury [https://home.treasury.gov/news/press-releases/jy0916 sanctions] Tornado Cash (8-8-2022), github accounts of people who contributed to Tornado repos got [https://twitter.com/bantg/status/1556721709931175937?t=Y_FHzviRG26sXEtDdj8a0g&s=19 deleted] (9-8-2022). Github got [https://decrypt.co/110336/ethereum-coin-mixer-tornado-cash-github reinstated] (22-9-2022). | ||
*[https://newsletter.blockthreat.io/p/blockthreat-week-15-2022?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJfIjoicTgvVWsiLCJpYXQiOjE2NTMwNDIyMTgsImV4cCI6MTY1MzA0NTgxOCwiaXNzIjoicHViLTgxMDUiLCJzdWIiOiJwb3N0LXJlYWN0aW9uIn0.56cg1J4e0OhdNGLO_OEDQJV_fTDRp0dNdstCnCoN6k8&s=r From] Blockthreat (19-4-2022): | *[https://newsletter.blockthreat.io/p/blockthreat-week-15-2022?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJfIjoicTgvVWsiLCJpYXQiOjE2NTMwNDIyMTgsImV4cCI6MTY1MzA0NTgxOCwiaXNzIjoicHViLTgxMDUiLCJzdWIiOiJwb3N0LXJlYWN0aW9uIn0.56cg1J4e0OhdNGLO_OEDQJV_fTDRp0dNdstCnCoN6k8&s=r From] Blockthreat (19-4-2022): | ||
Line 119: | Line 128: | ||
== Pros and Cons == | == Pros and Cons == | ||
* From this [https://lightco.in/2019/08/07/tornado-review/ review] 7-8-2019: | * From this [https://lightco.in/2019/08/07/tornado-review/ review] 7-8-2019: | ||
''“In theory this is pretty cool but in practise I imagine most people will mix through a [[centralised]] connection to the ETH network like [[Infura]] ruining not only their own privacy but also massively reducing the anonymity set for people who connect through their own [[full node]]. Also it claims to be non-custodial yet the [[zk-SNARK]] params were generated on a single build server. This means if anyone has a copy of those params they can empty all the funds in the [[smart contract]] at any moment. I don’t think it’s really fair to call that non-custodial although I see how you could argue it is. Also something of this complexity implemented as a | ''“In theory this is pretty cool but in practise I imagine most people will mix through a [[centralised]] connection to the ETH network like [[Infura]] ruining not only their own privacy but also massively reducing the anonymity set for people who connect through their own [[full node]]. Also it claims to be non-custodial yet the [[zk-SNARK]] params were generated on a single build server. This means if anyone has a copy of those params they can empty all the funds in the [[smart contract]] at any moment. I don’t think it’s really fair to call that non-custodial although I see how you could argue it is. Also something of this complexity implemented as a smart contract is slightly terrifying. Given that relatively simple applications in comparison ([[DAO]]/[[ERC-20]] tokens/[[multisig]]) have been repeatedly bodged with major bugs/vulnerabilities in the [[contracts]] that lead to theft or permanent loss of funds, I’d be worried about trusting a zero knowledge mixing protocol to be implemented as a bug free smart contract. Not to mention, the fact that this is all implemented as a smart contract, so [[fees]] will be very high and very sensitive to gas price increases. @light’s article mentions the gas fee was 3.734% of the total mixed amount. That’s a lot and would increase rapidly of gas fees go up. At those prices it would be much cheaper to just trade on an exchange for [[Monero]] and back. Another issue is that anyone who mixes is gonna stand out like a sore thumb. The number of people who are interested in mixing, willing to pay those fees, and actually understand how to do this properly without breaking anonymity will likely be pretty small. Add to that the fact that address re-use is encouraged in Ethereum, it will be trivial to track all the funds that have been mixed through this contract.”'' | ||
=== Pros === | === Pros === | ||
=== Cons === | === Cons === |
Latest revision as of 08:35, 31 May 2023
Basics
- Founded in:
- Mainnet release:
- Based in:
- From Token Economy:
"Another ETH mixer has launched on mainnet (though yet unaudited). This one is powered by zkSnarks technology, providing non-custodial, trustless, serverless, private transactions on the Ethereum network.
We've seen a bit of a wave of these mixers lately, with Hopper, Heiswap and a bunch of others. Clearly privacy is coming to Ethereum as a feature, fast. Interestingly the founder of Tornado also published a critical vulnerability common to all of them, which allowed double-spending. It was an easy fix, but still shows how experimental all these tools are."
- From this Gitcoin Grant Round 4 blog (30-1-2020) in which it was the top pick for Tech Grants:
"Tornado Cash improves the ability for private transactions on Ethereum. Tornado improves transaction privacy by breaking the on-chain link between recipient and destination addresses. It uses a smart contract that accepts ETH deposits that can be withdrawn by a different address. Whenever ETH is withdrawn by the new address, there is no way to link the withdrawal to the deposit, ensuring complete privacy.
During the round, they received 308 contributions — some no doubt affected by the blog post written by former Bitcoin Core developer Gavin Andresen about the potential for Tornado. While it’s still early days for the privacy community on Ethereum, Tornado has helped the community take a huge leap forward into concretely considering what private transactions might look like on the network."
History
Audits & Exploits
- Bug bounty program can be found [insert here]. None according to Blockchain Security DB (29-6-2020), which does show 4 audit (latest in 11-2019).
- From Crypto Briefing (18-12-2020):
"The code [of TORN] has been published and audited by ABDK, Pessimistic, and Zeropool.network. It can be found on the Tornado.cash Github."
Bugs/Exploits
- Had a vulnerability which was found (2-2-2020) in one of the first pro bono security audits done by The Ethereum Foundation. It got fixed and effected a pool of less then 100 tx.
- They published a disclosure on 14-2-2020.
Governance
Admin Keys
DAO
"The attacker who took control of the Tornado Cash governance system is handing back control to token holders. Their proposal to do so has now passed and will be executed in a day’s time. This may be a swift ending to a ruthless governance takeover that didn't affect the protocol — although it could have done — but resulted in the theft of some governance tokens. The attacker stole 483,000 TORN tokens and swapped most of them for 485 ETH ($890,000), leaving 39,000 TORN ($160,000). Some of the ether was then routed through Tornado Cash, to obscure its origin."
"On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control. Through governance control, the attacker can: - withdraw all of the locked votes - drain all of the tokens in the governance contract - brick the router.
@CellierLael correctly pointed out that Tornado Cash Nova, deployed to Gnosis Chain, is a proxy that is administered by governance. Therefore, the attacker is also able to drain all of the ETH [~$1M] in that pool by upgrading the contract."
- Will (1-7-2020) form a Moloch DAO with OpenLaw called Tornado Fund.
Treasury
- Chris Blec pointed out (8-6-2021) that the treasury is run by a 2-of-3 multisig with no timelock.
Token
Launch
- From Crypto Briefing (18-12-2020):
"Tornado.cash has suggested the launch of a native token in a new governance proposal. The plan involves airdropping tokens to Tornado.cash users to hand over control of the protocol."
Token allocation
- From Crypto Briefing (18-12-2020):
"The airdrop would only be 5% of TORN’s total supply; the rest would be unlocked in the years following. 55% of the total 10 million supply would go to a DAO treasury, to be unlocked over the next 5 years.
Founding developers and early supporters would earn 30%, unlocked over 3 years."
Utility
- Governance token
Token Details
Stablecoin
Tech
- Whitepaper can be found [insert here].
- Code can be viewed here.
- Tornado Cash Classic UI got open sourced (7-7-2022).
Implementations
- Built on: Ethereum and BSC (11-6-2021). Deployed on Polygon, xDai, Avalanche and might be deploying on Arbitrum (1-12-2021). Uses ensdomains for additional censorship resistance for all their relayers (8-12-2021).
- Privacy Pools—a fork of Tornado Cash created by Soleimani and one other developer—works by allowing users to show publicly that their withdrawals are not linked to bad actors (3-3-2023):
"Users can still make anonymous transactions but there is the option to make it clear that the money being moved is not from something criminal—like a hack. The new app works just like Tornado Cash, but when users click the option to withdraw funds, they can generate a zero-knowledge proof which publicly shows they are not using a criminal blockchain address, but without revealing who they are."
How it works
"Tornado cash is a proof of inclusion in a merkle tree, where snarks are used to do the proof without revealing the leaf node you are and with double spend protection to stop the proof being used twice.
Tornado cash is a mixer that allows you to take some ETH and hide the link between the account you deposit in and the account you withdraw in. Tornado cash is a smart contract that holds the funds as well as a merkle tree of all participants. When you deposit you create a secret offline and then hash that into a commitment. It is this commitment that is added to the merkle tree on-chain. When you withdraw you want to prove you are within the merkle tree so the contract allows you to withdraw your funds.
To prove inclusion in a merkle tree, you normally have to provide the data itself, the sibling hash, plus all the sibling hashes going up until you get to the root hash However if you provided this, you would reveal which leaf you are and when that deposit was made. So on withdrawal instead of providing the actual data, you only provide a zk proof of inclusion. This proof is created using a secret you generated on deposit.
However if you create a proof of inclusion using a zkSNARK, there is one issue. How does the contract know if you have withdrawn before? It doesn’t actually know who you are so it does not know if you have withdrawn in the past. This means there is a double spend problem that needs to be solved as a proof could be used multiple times to drain the contract of funds. The proof proves you are in the tree, but there is no way to know if the proof has been used before. This is solved by adding a salt to the commitment in addition to your secret. When you create your commitment on deposit, you are hashing both the secret and the salt together. They call this a nullifier in Tornado cash, which is a unique identifier of your commitment. When you generate your proof, this is also provided with your secret. And when you withdraw, your nullifier is also provided and is recorded in the smart contract so the proof cannot be used again.
The last piece of the puzzle are relayers. Relayers allow the actual withdrawal to happen without any ETH in the new address. And additionally it doesn't allow any link to be created between the deposit address and withdrawal address (other than they both used Tornado). Relayers take the proof and submit them to the Tornado cash smart contract on your behalf. They cannot steal the ETH as the proof has been created with the recipient as an input. If the recipient is changed, this will invalidate the proof itself and the withdrawal will fail. Relayers are pivotal to keeping anonymity in Tornado Cash. They stop any link from connecting the deposit and withdrawal address. If you use the same address (or an address that links to it) you break all the anonymity the zk proof has helped you provide."
Fees
Upgrades
- From their blog (16-12-2021):
"Tornado Cash Nova. This pool will allow users to deposit & withdraw arbitrary amounts of ETH."
Staking
Scaling
- From their blog (16-12-2021):
"Speed & cost being the cornerstone of user experience, Tornado Cash Nova uses the Gnosis Chain as a Layer 2. This sidechain was specifically chosen as an L2 for being the only one that supports fast withdrawals to Mainnet (a few minutes vs. ~3hours on Polygon &~7 days on Optimism or Arbitrum)."
Interoperability
Other Details
Oracle Method
Privacy Method
Compliance
- U.S. Treasury sanctions Tornado Cash (8-8-2022), github accounts of people who contributed to Tornado repos got deleted (9-8-2022). Github got reinstated (22-9-2022).
- From Blockthreat (19-4-2022):
"Tornado Cash started banning OFAC sanctioned addresses on their Dapp. The ban does not apply to anyone using smart contracts directly."
Their Other Projects
Roadmap
- Can be found [Insert link here].
Usage
Projects that use or built on it
Competition
Pros and Cons
- From this review 7-8-2019:
“In theory this is pretty cool but in practise I imagine most people will mix through a centralised connection to the ETH network like Infura ruining not only their own privacy but also massively reducing the anonymity set for people who connect through their own full node. Also it claims to be non-custodial yet the zk-SNARK params were generated on a single build server. This means if anyone has a copy of those params they can empty all the funds in the smart contract at any moment. I don’t think it’s really fair to call that non-custodial although I see how you could argue it is. Also something of this complexity implemented as a smart contract is slightly terrifying. Given that relatively simple applications in comparison (DAO/ERC-20 tokens/multisig) have been repeatedly bodged with major bugs/vulnerabilities in the contracts that lead to theft or permanent loss of funds, I’d be worried about trusting a zero knowledge mixing protocol to be implemented as a bug free smart contract. Not to mention, the fact that this is all implemented as a smart contract, so fees will be very high and very sensitive to gas price increases. @light’s article mentions the gas fee was 3.734% of the total mixed amount. That’s a lot and would increase rapidly of gas fees go up. At those prices it would be much cheaper to just trade on an exchange for Monero and back. Another issue is that anyone who mixes is gonna stand out like a sore thumb. The number of people who are interested in mixing, willing to pay those fees, and actually understand how to do this properly without breaking anonymity will likely be pretty small. Add to that the fact that address re-use is encouraged in Ethereum, it will be trivial to track all the funds that have been mixed through this contract.”
Pros
Cons
There have been researchers who have been able to identify certain wallets and actors who used Tornado Cash (22-3-2022).
Team, Funding, Partnerships, etc.
Team
- Full team can be found [here].