I just published a new attack that breaks Mimblewimble's privacy model. This attack traces 96% of all sender and recipient addresses in real time. Here's a summary and what it means for the future of privacy coins:
medium.com/dragonfly-rese…
medium.com/dragonfly-rese…
To understand this attack, you have to understand anonymity sets. Every privacy coin works by "hiding" your transaction within an anonymity set. Think of this like the crowd that your transaction is indistinguishable from.
So far there have been 3 approaches to privacy in cryptocurrencies: Zcash, Monero and Mimblewimble/Grin. In Zcash, your anonymity set is all the shielded transactions (theoretical maximum) 
In Monero, you get to pick your own anonymity set of size 10-25 from any existing on-chain UTXOs. The UTXOs you hide behind are called "decoys".
In Mimblewimble, all the transactions in a block are aggregated into one big CoinJoin. So it was believed that your anonymity set is all the transactions that ended up in the same block.
My attack catches 96% transactions before they can be aggregated with others for anonymity. So in reality, there is no one in their anonymity set!
How does it work? By running a rogue node tweaked to save all intermediary transaction gossiping data. That's it! ~96% transactions can be caught in the raw that way.
Of the remaining transactions, some can be traced by subtracting other transactions we traced before. If we have seen the merge of TX(A+B) and also TX(A), we can trace TX(B) too.
So why can't we trace 100%? The reason is nuanced and technical: Dandelion. A small minority of transactions get merged while traveling on stem-paths, before most nodes could see them.
Still, it is likely possible to trace more than 96% by running a network of nodes, or a single supernode. That way, the attacker inserts themselves into most stem-paths.
Importantly, I have great respect for the Grin community and core developers, who have all been tremendously helpful in answering my questions.
But we also need to be realistic about how much privacy Mimblewimble grants.
But we also need to be realistic about how much privacy Mimblewimble grants.
The devs were aware that such an attack was theoretically possible (e.g. this Reddit thread I started a year ago). But now it is proven viable and efficient.
reddit.com/r/Mimblewimble…
reddit.com/r/Mimblewimble…
To dig further, check out the technical deep-dive, complete with open-source code to reproduce the attack, data collected, and a technical FAQ:
github.com/bogatyy/grin-l…
github.com/bogatyy/grin-l…
Thanks to @hosseeb for major help in putting together this write-up and for the anonymity set illustrations. Additional thanks to @OlegOstroumov @leanthebean @MohamedFFouda @LucasRyan @nadertheory for reviewing drafts of this post.
And a huge thanks to @JStutzman from @NEARProtocol for the Dandelion and block aggregation illustrations – he's the reason @NEARProtocol posts have the nicest figures 😃
