Difference between revisions of "Tornado Cash (TORN)"

From CryptoWiki

* Based in:


* A [[Zk-SNARK's|ZK-snark]] based, non-[[custodial]] [[ETH]] [[mixer]].


* From [[Token Economy]]:  


"''Another ETH mixer has launched on [[mainnet]] (though yet unaudited). This one is powered by zkSnarks technology, providing [[non-custodial]], [[trustless]], serverless, private transactions on the Ethereum network.''


''We've seen a bit of a [[wave]] of these [[mixers]] lately, with [[Hopper]], [[Heiswap]] and a bunch of others. Clearly privacy is coming to Ethereum as a feature, fast. Interestingly the founder of Tornado also [http://sendy.tokeneconomy.co/sendy/l/6jgCuUA3MxEEqgxgl7pNPQ/Fg892qmuQ27638zQsFKymcXjgw/rggXX6ychGRKvq3Ghtdb892w published] a critical vulnerability common to all of them, which allowed [[double-spending]]. It was an easy fix, but still shows how experimental all these tools are."''
* From this [[Gitcoin]] Grant [https://gitcoin.co/blog/gitcoin-grants-round-4/ Round 4 blog] (30-1-2020) in which it was the top pick for Tech Grants:
''"Tornado Cash improves the ability for private [[transactions]] on [[Ethereum]]. Tornado improves [[transaction]] privacy by breaking the [[on-chain]] [[LINK|link]] between recipient and destination [[addresses]]. It uses a [[smart contract]] that accepts ETH deposits that can be withdrawn by a different address. Whenever ETH is withdrawn by the new address, there is no way to link the withdrawal to the deposit, ensuring complete privacy.''


''During the round, they received 308 contributions — some no doubt affected by the blog post written by former [[Bitcoin Core]] developer [[Gavin Andresen]] [http://gavinandresen.ninja/private-thoughts about the potential] for Tornado. While it’s still early days for the privacy community on Ethereum, Tornado has helped the community take a huge leap forward into concretely considering what private transactions might look like on the network."''
=== DAO ===


* [https://www.theblock.co/post/232401/tornado-cash-dao-passes-attackers-proposal-to-hand-back-control From] [[The Block]] (27-5-2023):
''"The attacker who took control of the Tornado Cash governance system is handing back control to token holders. Their [https://tornado.ws/governance/21 proposal] to do so has now passed and will be executed in a day’s time. This may be a swift ending to a ruthless governance takeover that didn't affect the protocol — although it could have done — but resulted in the theft of some governance tokens. The attacker stole 483,000 TORN tokens and swapped most of them for 485 ETH ($890,000), leaving 39,000 TORN ($160,000). Some of the ether was then routed through Tornado Cash, to obscure its origin."''
*Got its governance taken over (21-5-2023), [https://twitter.com/samczsun/status/1660012958787973121 as per] [[Samczsun]]:
''"On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control. Through governance control, the attacker can: - withdraw all of the locked votes - drain all of the tokens in the governance [[Smart Contract (SC)|contract]] - brick the router.''
''@CellierLael correctly pointed out that Tornado Cash Nova, deployed to [[Gnosis Chain (GNO)|Gnosis Chain]], is a [[proxy]] that is administered by governance. Therefore, the attacker is also able to drain all of the [[Ethereum (ETH)|ETH]] [~$1M] in that pool by upgrading the contract."''
*[https://defirate.com/tornado-cash-dao/ Will] (1-7-2020) form a [[Moloch DAO]] with [[OpenLaw]] called Tornado Fund.


=== Launch ===
* [https://cryptobriefing.com/tornado-cash-token-release-airdrop/ From] [[Crypto Briefing]] (18-12-2020):
''"[[Tornado.Cash|Tornado.cash]] has suggested the launch of a [[native token]] in a new [[governance]] proposal. The plan involves [[airdrop|airdropping]] [[tokens]] to [[Tornado.Cash|Tornado.cash]] users to hand over control of the protocol."''


=== Token allocation ===
* [https://cryptobriefing.com/tornado-cash-token-release-airdrop/ From] Crypto Briefing (18-12-2020):
''"The [[airdrop]] would only be 5% of TORN’s total supply; the rest would be unlocked in the years following. 55% of the total 10 million supply would go to a [[DAO]] treasury, to be unlocked over the next 5 years.''


''Founding developers and early supporters would [[earn]] 30%, unlocked over 3 years."''


=== Utility ===
* Governance [[token]]


=== Token Details ===
== Tech ==
* [[Whitepaper]] can be found [insert here].
* Code can be viewed [https://github.com/tornadocash here].
*Tornado Cash Classic UI [https://tornado-cash.medium.com/tornado-cash-classic-ui-is-now-open-source-4b542b705a97 got] [[Open Source|open sourced]] (7-7-2022).


=== Implementations ===


* Built on: [[Ethereum (ETH)|Ethereum]] [https://tornado-cash.medium.com/tornado-cash-bsc-deployment-proposal-96dfc06055f8 and] [[Binance|BSC]] (11-6-2021). [https://tornado-cash.medium.com/tornado-cash-deployment-proposal-on-arbitrum-fb02e508fe74 Deployed] on [[Polygon (MATIC)|Polygon]], [[XDai (STAKE)|xDai]], [[Avalanche (AVAX)|Avalanche]] and might be deploying on [[Arbitrum]] (1-12-2021). [https://twitter.com/_jefflau/status/1468065493076815872?s=20 Uses] [[Ethereum Name Service (ENS)|ensdomains]] for additional censorship resistance for all their [[relayers]] (8-12-2021).
*Privacy Pools—a [[fork]] of Tornado Cash [https://decrypt.co/122522/tornado-cash-fork-privacy-pools created] by [[Ameen Soleimani|Soleimani]] and one other developer—works by allowing users to show publicly that their withdrawals are not linked to bad actors (3-3-2023):
''"Users can still make anonymous transactions but there is the option to make it clear that the money being moved is not from something criminal—like a hack. The new app works just like Tornado Cash, but when users click the option to withdraw funds, they can generate a [[Zero-Knowledge Proofs|zero-knowledge proof]] which publicly shows they are not using a criminal blockchain address, but without revealing who they are."''


=== How it works ===
* [https://twitter.com/_jefflau/status/1468065457190350850 From] [[Twitter]] (7-12-2021):


"''Tornado cash is a proof of inclusion in a [[Merkle Tree|merkle tree]], where snarks are used to do the proof without revealing the leaf [[node]] you are and with [[double spend]] protection to stop the proof being used twice.''


''Tornado cash is a [[Coin Mixer|mixer]] that allows you to take some [[Ethereum (ETH)|ETH]] and hide the [[LINK|link]] between the account you deposit in and the account you withdraw in. Tornado cash is a [[Smart Contract (SC)|smart contract]] that holds the funds as well as a [[Merkle Tree|merkle tree]] of all participants. When you deposit you create a secret offline and then [[hash]] that into a commitment. It is this commitment that is added to the [[Merkle Tree|merkle tree]] [[On Chain|on-chain]]. When you withdraw you want to prove you are within the merkle tree so the [[contract]] allows you to withdraw your funds.''


''To prove inclusion in a merkle tree, you normally have to provide the data itself, the sibling hash, plus all the sibling hashes going up until you get to the root hash. However if you provided this, you would reveal which leaf you are and when that deposit was made. So on withdrawal instead of providing the actual data, you only provide a [[Zero-Knowledge Proofs|zk proof]] of inclusion. This proof is created using a secret you generated on deposit.''


''However if you create a proof of inclusion using a [[Zk-SNARK's|zkSNARK]], there is one issue. How does the contract know if you have withdrawn before? It doesn’t actually know who you are so it does not know if you have withdrawn in the past. This means there is a [[Double Spend|double spend problem]] that needs to be solved as a proof could be used multiple times to drain the contract of funds. The proof proves you are in the tree, but there is no way to know if the proof has been used before. This is solved by adding a [[SALT|salt]] to the commitment in addition to your secret. When you create your commitment on deposit, you are hashing both the secret and the [[SALT|salt]] together. They call this a nullifier in Tornado cash, which is a unique identifier of your commitment. When you generate your proof, this is also provided with your secret. And when you withdraw, your nullifier is also provided and is recorded in the [[Smart Contract|smart contract]] so the proof cannot be used again.''


''The last piece of the puzzle are [[Relays|relayers]]. Relayers allow the actual withdrawal to happen without any ETH in the new [[address]]. And additionally it doesn't allow any link to be created between the deposit address and withdrawal address (other than they both used Tornado). Relayers take the proof and submit them to the Tornado cash [[Smart Contract|smart contract]] on your behalf. They cannot steal the ETH as the proof has been created with the recipient as an input. If the recipient is changed, this will invalidate the proof itself and the withdrawal will fail. Relayers are pivotal to keeping anonymity in Tornado Cash. They stop any link from connecting the deposit and withdrawal address. If you use the same address (or an address that links to it) you break all the anonymity the zk proof has helped you provide."''
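As an added illustration (not code from Tornado Cash or from the thread above), here is a Python model of the flow just described: the commitment H(nullifier, secret) goes into a Merkle tree at deposit, withdrawal publishes only the nullifier hash, the recipient is bound into the proof so a relayer cannot redirect funds, and spent nullifiers are recorded so a proof cannot be replayed. It assumes sha256 in place of the Pedersen/MiMC hashes of the real circuits, a depth-4 tree instead of depth 20, and a verifier that reads the witness directly instead of checking a SNARK, so it demonstrates the binding and double-spend checks, not the hiding.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

DEPTH = 4              # 16 leaves in this toy; the real pools use a depth-20 tree
DENOMINATION = 10**18  # classic pools take one fixed amount (1 ETH in wei here)

def H(*parts: bytes) -> bytes:
    """sha256 stands in for the Pedersen/MiMC hashes used by the real circuits."""
    return hashlib.sha256(b"".join(parts)).digest()

ZERO_LEAF = H(b"constructed-empty-leaf")  # filler for unused tree slots

@dataclass
class Note:  # kept offline by the depositor: the preimage of the commitment
    nullifier: bytes
    secret: bytes
    leaf_index: int = -1

    @property
    def commitment(self) -> bytes:      # published at deposit time
        return H(self.nullifier, self.secret)

    @property
    def nullifier_hash(self) -> bytes:  # published at withdrawal time
        return H(self.nullifier)

@dataclass
class Proof:
    """Public inputs (root, nullifier_hash, recipient) plus the witness. A real
    SNARK hides the witness; here the verifier reads it, so privacy is not modelled."""
    root: bytes
    nullifier_hash: bytes
    recipient: str
    note: Note
    siblings: list

def verify_statement(proof: Proof, root: bytes, recipient: str) -> bool:
    """The relation the circuit enforces. Root and recipient are public inputs,
    so a proof made for one recipient (or an unknown root) fails for any other."""
    node, idx = proof.note.commitment, proof.note.leaf_index
    for sib in proof.siblings:  # walk the inclusion path up to the root
        node = H(sib, node) if idx & 1 else H(node, sib)
        idx >>= 1
    return (proof.recipient == recipient and node == root == proof.root
            and H(proof.note.nullifier) == proof.nullifier_hash)

@dataclass
class Pool:
    """Stand-in for the contract: commitments in a Merkle tree, spent nullifiers."""
    leaves: list = field(default_factory=list)
    spent: set = field(default_factory=set)
    balance: int = 0

    def root_and_path(self, index: int) -> tuple:
        """Merkle root plus the leaf-to-root sibling hashes for `index`."""
        level = self.leaves + [ZERO_LEAF] * (2**DEPTH - len(self.leaves))
        path = []
        for _ in range(DEPTH):
            path.append(level[index ^ 1])
            index >>= 1
            level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        return level[0], path

    def deposit(self, commitment: bytes, amount: int) -> int:
        if amount != DENOMINATION:
            raise ValueError("wrong denomination")
        self.leaves.append(commitment)
        self.balance += amount
        return len(self.leaves) - 1

    def make_proof(self, note: Note, recipient: str) -> Proof:
        # Client-side step using the offline note; the pool only supplies the tree.
        root, path = self.root_and_path(note.leaf_index)
        return Proof(root, note.nullifier_hash, recipient, note, path)

    def withdraw(self, proof: Proof, recipient: str) -> int:
        """Contract-side checks; the real contract also accepts recent roots."""
        if not verify_statement(proof, self.root_and_path(0)[0], recipient):
            raise ValueError("invalid proof for this recipient and root")
        if proof.nullifier_hash in self.spent:
            raise ValueError("nullifier already spent")  # the double-spend guard
        self.spent.add(proof.nullifier_hash)
        self.balance -= DENOMINATION
        return DENOMINATION

def demo() -> dict:
    """Deposit among others, withdraw to a fresh address, then try a relayer swapping the recipient and a replay."""
    pool, note = Pool(), Note(secrets.token_bytes(31), secrets.token_bytes(31))
    note.leaf_index = pool.deposit(note.commitment, DENOMINATION)
    for _ in range(3):  # other users' deposits (random commitments) form the anonymity set
        pool.deposit(H(secrets.token_bytes(62)), DENOMINATION)
    proof, out = pool.make_proof(note, "0xFRESH"), {}  # constructed addresses
    for label, rcpt in (("swap", "0xRELAYER"), ("paid", "0xFRESH"), ("replay", "0xFRESH")):
        try:
            out[label] = pool.withdraw(proof, rcpt)
        except ValueError as e:
            out[label] = str(e)
    out["balance"] = pool.balance
    return out
```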


=== Fees ===
* From their [https://tornado-cash.medium.com/tornado-cash-introduces-arbitrary-amounts-shielded-transfers-8df92d93c37c blog] (16-12-2021):


''"Tornado Cash [[Nova]]. This pool will allow users to deposit & withdraw arbitrary amounts of ETH."''


=== Staking ===
* From their [https://tornado-cash.medium.com/tornado-cash-introduces-arbitrary-amounts-shielded-transfers-8df92d93c37c blog] (16-12-2021):


''"Speed & cost being the cornerstone of user experience, Tornado Cash Nova uses the [[Gnosis]] Chain as a [[Layer Two|Layer 2]]. This [[sidechain]] was specifically chosen as an L2 for being the only one that supports fast withdrawals to [[Mainnet]] (a few minutes vs. ~3 hours on [[Polygon (MATIC)|Polygon]] & ~7 days on [[Optimism]] or [[Arbitrum]])."''


=== Interoperability ===
== Oracle Method ==
== Privacy Method ==
== Compliance ==
* U.S. Treasury [https://home.treasury.gov/news/press-releases/jy0916 sanctions] Tornado Cash (8-8-2022); GitHub accounts of people who contributed to Tornado repos got [https://twitter.com/bantg/status/1556721709931175937?t=Y_FHzviRG26sXEtDdj8a0g&s=19 deleted] (9-8-2022). GitHub got [https://decrypt.co/110336/ethereum-coin-mixer-tornado-cash-github reinstated] (22-9-2022).
*[https://newsletter.blockthreat.io/p/blockthreat-week-15-2022?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJfIjoicTgvVWsiLCJpYXQiOjE2NTMwNDIyMTgsImV4cCI6MTY1MzA0NTgxOCwiaXNzIjoicHViLTgxMDUiLCJzdWIiOiJwb3N0LXJlYWN0aW9uIn0.56cg1J4e0OhdNGLO_OEDQJV_fTDRp0dNdstCnCoN6k8&s=r From] Blockthreat (19-4-2022):
''"Tornado Cash started [https://twitter.com/tornadocash/status/1514904975037669386 banning] OFAC sanctioned [[Address|addresses]] on their [[Decentralized Applications (DApps)|Dapp]]. The ban does not apply to anyone using [[Smart Contract (SC)|smart contracts]] [https://www.coindesk.com/tech/2022/04/13/ronin-exploiter-moved-21000-ether-to-tornado-cash-in-past-week/ directly]."''
== Their Other Projects ==
== Roadmap ==
== Pros and Cons ==
* From this [https://lightco.in/2019/08/07/tornado-review/ review] 7-8-2019:
''“In theory this is pretty cool but in practice I imagine most people will mix through a [[centralised]] connection to the ETH network like [[Infura]] ruining not only their own privacy but also massively reducing the anonymity set for people who connect through their own [[full node]]. Also it claims to be non-custodial yet the [[zk-SNARK]] params were generated on a single build server. This means if anyone has a copy of those params they can empty all the funds in the [[smart contract]] at any moment. I don’t think it’s really fair to call that non-custodial although I see how you could argue it is. Also something of this complexity implemented as a smart contract is slightly terrifying. Given that relatively simple applications in comparison ([[DAO]]/[[ERC-20]] tokens/[[multisig]]) have been repeatedly bodged with major bugs/vulnerabilities in the [[contracts]] that lead to theft or permanent loss of funds, I’d be worried about trusting a zero knowledge mixing protocol to be implemented as a bug free smart contract. Not to mention, the fact that this is all implemented as a smart contract, so [[fees]] will be very high and very sensitive to gas price increases. @light’s article mentions the gas fee was 3.734% of the total mixed amount. That’s a lot and would increase rapidly if gas fees go up. At those prices it would be much cheaper to just trade on an exchange for [[Monero]] and back. Another issue is that anyone who mixes is gonna stand out like a sore thumb. The number of people who are interested in mixing, willing to pay those fees, and actually understand how to do this properly without breaking anonymity will likely be pretty small. Add to that the fact that address re-use is encouraged in Ethereum, it will be trivial to track all the funds that have been mixed through this contract.”''
=== Pros ===
=== Cons ===
Researchers have been [https://medium.com/coinmonks/analyzing-tornado-cash-transactions-3d8d6b9731fb able to identify] certain [[wallets]] and actors who used Tornado Cash (22-3-2022).
== Team, Funding, Partnerships, etc. ==
=== Team ===

Latest revision as of 08:35, 31 May 2023

Basics

  • Founded in:
  • Mainnet release:
  • Based in:


History

Audits & Exploits

"The code [of TORN] has been published and audited by ABDK, Pessimistic, and Zeropool.network. It can be found on the Tornado.cash Github."

Bugs/Exploits

  • Had a vulnerability which was found (2-2-2020) in one of the first pro bono security audits done by The Ethereum Foundation. It got fixed and affected a pool of less than 100 tx.
  • They published a disclosure on 14-2-2020.

Governance

Admin Keys

  • The mixer is now (25-5-2020) trustless, with the admin function burned.

DAO

Treasury

Token

Launch

Token allocation

Utility

Token Details

Stablecoin

Tech

Implementations

How it works

Fees

Upgrades

Staking

Scaling

Interoperability

Other Details

Oracle Method

Privacy Method

Compliance

Their Other Projects

Roadmap

  • Can be found [Insert link here].

Usage

  • Reached (6-10-2020) $7 million (in ETH) locked in their privacy pools. 3x growth in the past month.

Projects that use or built on it

Competition

Pros and Cons

Pros

Cons

Team, Funding, Partnerships, etc.

Team

  • Full team can be found [here].

Funding

Partners