15 tweets, 6 min read
I just published a new attack that breaks Mimblewimble's privacy model. This attack traces 96% of all sender and recipient addresses in real time. Here's a summary and what it means for the future of privacy coins:
medium.com/dragonfly-rese…
To understand this attack, you have to understand anonymity sets. Every privacy coin works by "hiding" your transaction within an anonymity set. Think of this like the crowd that your transaction is indistinguishable from.
So far there have been 3 approaches to privacy in cryptocurrencies: Zcash, Monero and Mimblewimble/Grin. In Zcash, your anonymity set is all the shielded transactions (theoretical maximum).
In Monero, you get to pick your own anonymity set of size 10-25 from any existing on-chain UTXOs. The UTXOs you hide behind are called "decoys".
In Mimblewimble, all the transactions in a block are aggregated into one big CoinJoin. So it was believed that your anonymity set is all the transactions that ended up in the same block.
My attack catches 96% of transactions before they can be aggregated with others for anonymity. So in reality, there is no one in their anonymity set!
How does it work? By running a rogue node tweaked to save all intermediary transaction gossiping data. That's it! ~96% of transactions can be caught in the raw that way.
Of the remaining transactions, some can be traced by subtracting other transactions we traced before. If we have seen the merge of TX(A+B) and also TX(A), we can trace TX(B) too.
So why can't we trace 100%? The reason is nuanced and technical: Dandelion. A small minority of transactions get merged while traveling on stem-paths, before most nodes could see them.
Still, it is likely possible to trace more than 96% by running a network of nodes, or a single supernode. That way, the attacker inserts themselves into most stem-paths.
Importantly, I have great respect for the Grin community and core developers, who have all been tremendously helpful in answering my questions.

But we also need to be realistic about how much privacy Mimblewimble grants.
The devs were aware that such an attack was theoretically possible (e.g. this Reddit thread I started a year ago). But now it is proven viable and efficient.
reddit.com/r/Mimblewimble…
To dig further, check out the technical deep-dive, complete with open-source code to reproduce the attack, data collected, and a technical FAQ:
github.com/bogatyy/grin-l…
Thanks to @hosseeb for major help in putting together this write-up and for the anonymity set illustrations. Additional thanks to @OlegOstroumov @leanthebean @MohamedFFouda @LucasRyan @nadertheory for reviewing drafts of this post.
And a huge thanks to @JStutzman from @NEARProtocol for the Dandelion and block aggregation illustrations – he's the reason @NEARProtocol posts have the nicest figures 😃
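The set arithmetic behind the thread's "TX(A+B) minus TX(A) gives TX(B)" step, as an added model that is not the author's code or the linked repository: a Mimblewimble transaction is reduced to its input commitments, output commitments and kernels, block aggregation is their union, and the toy data (transactions A to E, with D and E only ever seen merged on a stem path) is constructed here to show how the effective anonymity set shrinks once components are observed before aggregation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    """Mimblewimble tx skeleton: inputs, outputs and one kernel per original tx."""
    inputs: frozenset
    outputs: frozenset
    kernels: frozenset

def aggregate(*txs):
    """CoinJoin-style merge: the block's transaction is the union of its parts
    (cut-through of outputs spent inside the same block is ignored in this model)."""
    return Tx(frozenset().union(*(t.inputs for t in txs)),
              frozenset().union(*(t.outputs for t in txs)),
              frozenset().union(*(t.kernels for t in txs)))

def subtract(merged, known):
    """Peel a tx that was already seen on its own out of an aggregate containing it."""
    assert known.kernels <= merged.kernels, "known tx is not part of merged tx"
    return Tx(merged.inputs - known.inputs, merged.outputs - known.outputs,
              merged.kernels - known.kernels)

def trace(block_tx, observed):
    """Return (linked, residual): linked = single-kernel txs whose inputs and outputs
    are now tied together; residual = what is still hidden among each other."""
    known = set(observed) | {block_tx}
    changed = True
    while changed:  # keep subtracting smaller pieces from bigger ones until stable
        changed = False
        for small in list(known):
            for big in list(known):
                if small is not big and small.kernels < big.kernels:
                    diff = subtract(big, small)
                    if diff not in known:
                        known.add(diff)
                        changed = True
    linked = {t for t in known if len(t.kernels) == 1}
    residual = block_tx
    for t in linked:
        if t.kernels <= residual.kernels:
            residual = subtract(residual, t)
    return linked, residual

def traced_fraction(block_tx, observed):
    """Share of the block's transactions whose inputs/outputs were fully linked."""
    linked, _ = trace(block_tx, observed)
    return len(linked) / len(block_tx.kernels)

# Constructed sample: commitments are opaque labels, one kernel per transaction.
def mk(name):
    return Tx(frozenset({f"in_{name}"}), frozenset({f"out_{name}"}), frozenset({f"k{name}"}))
TX_A, TX_B, TX_C, TX_D, TX_E = (mk(n) for n in "ABCDE")
BLOCK = aggregate(TX_A, TX_B, TX_C, TX_D, TX_E)
# Seen by the listening node: A alone, B alone, B+C merged, D+E merged on a stem path.
OBSERVED = [TX_A, TX_B, aggregate(TX_B, TX_C), aggregate(TX_D, TX_E)]
```

In this sample A, B and C are linked (C by subtracting B from the observed B+C merge), while D and E survive with an anonymity set of two, which is the block-level privacy the thread says is left only for transactions merged before most nodes see them.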