SovStack
Aug 15 · 31 tweets · 5 min read
nitter.kavin.rocks/FixedFloat/sta…
With this making news, we thought it'd be a good time to discuss the potential issues around swap services: pros, cons, where you can best manage information leaks, and the privacy implications of government/surveillance firms that may be running a swap service.
🧵👇
1/ An instant swap service is a platform that allows users to exchange between cryptocurrencies in a relatively easy and simple way

@FixedFloat
@MajesticBank
are just two examples of instant swap services

DISCLAIMER: I'm not accusing either of these services of being glowies
2/ and @OrangeFren 🐸 is a site that compares instant exchanges to find you the best exchange rates between these services
3/ Let's talk about the pros of these services:

- no account/kyc (for most services)
- Easy to use
- Move across blockchains to break on-chain heuristics
- Swap between many different crypto
4/
Pros continued:
- Not flagged by surveillance firms to the degree that dark net mixing services are 🚨
- important tool in your privacy toolbelt
5/
The cons:

- Many are stated to be "non-custodial", but there is a point when funds are completely out of your hands while you wait for the swap to be completed
6/
Normally non-custodial is a good thing, but I can't quite verify how the swaps the sites perform are non-custodial besides the promises on these sites. I may be missing something and if anyone can shed more light on how these are ACTUALLY non-custodial, please let me know.
7/
It seems like some of these services are using a different definition of "non-custodial". These swaps are not atomic, and they aren't trustless.
8/
cons continued:
- The platforms are a black box. You have no insight into the operation of the platform
- The link between your incoming and outgoing wallet addresses is known to the platform
- Timing analysis can be performed by the swap service
9/
cons continued:
- Sum-total analysis can be performed by the swap service(s)
For example, if you move from a transparent chain to #XMR and receive a specific amount (10.095463 for this example)
10/
and then move to a different swap service with exactly 10.095463 XMR: even if the transactions are private on-chain, someone monitoring the services can, with a reasonable degree of certainty, tie the transactions together
11/
How can you verify that a service is a quality service?

There may be testimonials from people that the service works well, but unless you can verify it first hand, you can't be sure.
12/
Regarding bad actors: there is no way to know, with 100% certainty, that the service is not a government/surveillance agency, but here are a few best practices you can follow
13/
- Test with small transactions
- Review the instant swap service:
What is their position on privacy issues? Do they make claims that don't seem legit? Do they support privacy at the protocol level?
- What jurisdiction are they located in? 🌏
14/
- Are they supporting privacy projects 🕵️ (either by donating or by running privacy infrastructure)? This is one of the most important points, although it's not 100% foolproof
15/
🚨🚨
It is very unlikely that a specific government/surveillance agency posing as a swap service would be donating to projects that will make their surveillance tools obsolete 🚨🚨
16/
🚨🚨Donating to a CCS proposal that further enhances a privacy protocol is an example of a good privacy-aligned signal 👌 🚨🚨
17/
How to best mitigate these risks:

- Use private blockchains 🤫
- Use different addresses each time you interact with a service
18/
You should never re-use an address, even on a private blockchain. The data gathered by swap services IS collected, and any information a swap service obtains can then be used to further correlate the degraded transaction graph
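To make the sum-total and address-reuse correlations above concrete, here is an added example that is not part of the thread and has nothing to do with any of the services named in it. It runs over constructed records for three hypothetical swap services (A, B and C) of the kind a service would hold (deposit and payout asset and amount, the payout address the user supplied, a coarse timestamp). The "careless" set forwards the exact 10.095463 XMR payout into the next service and reuses a payout address; the "careful" set uses a fresh address per swap and changes the amount, and produces no links. All services, addresses, amounts and timestamps are invented for the demonstration.

```python
"""Added example (not from the thread): how exact-amount forwarding and
address reuse let an observer holding several services' logs link swaps,
and how fresh addresses plus changed amounts remove those links.
All records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class SwapRecord:
    """One swap as a service would log it (fields are assumptions for this example)."""
    service: str            # hypothetical service name: "A", "B" or "C"
    swap_id: str
    deposit_asset: str
    deposit_amount: Decimal
    payout_asset: str
    payout_amount: Decimal
    user_addr: str          # payout address the user supplied
    minute: int             # coarse timestamp, minutes since some start


# Constructed "careless" behaviour: the 10.095463 XMR paid out by A is
# deposited unchanged at B twelve minutes later, and the same payout
# address is handed to both A and C.
CARELESS = [
    SwapRecord("A", "a-1", "BTC", Decimal("0.0500"), "XMR", Decimal("10.095463"), "44-reused", 0),
    SwapRecord("B", "b-1", "XMR", Decimal("10.095463"), "LTC", Decimal("1.23"), "ltc-1", 12),
    SwapRecord("C", "c-1", "BTC", Decimal("0.0200"), "XMR", Decimal("4.1"), "44-reused", 300),
]

# Constructed "careful" behaviour: fresh payout address per swap, a different
# amount sent on to B, and swaps spread out in time.
CAREFUL = [
    SwapRecord("A", "a-1", "BTC", Decimal("0.0500"), "XMR", Decimal("10.095463"), "44-fresh-1", 0),
    SwapRecord("B", "b-1", "XMR", Decimal("6.2"), "LTC", Decimal("0.75"), "ltc-fresh-1", 500),
    SwapRecord("C", "c-1", "BTC", Decimal("0.0200"), "XMR", Decimal("4.1"), "44-fresh-2", 900),
]


def link_by_amount(records, max_gap_minutes=60):
    """Sum-total analysis: a payout at one service that reappears as an
    identical deposit (same asset, same amount) at another service within
    the window is treated as the same funds. Returns sorted (earlier, later) pairs."""
    links = set()
    for out in records:
        for inc in records:
            if out.service == inc.service or out.swap_id == inc.swap_id:
                continue
            same_asset = out.payout_asset == inc.deposit_asset
            same_amount = out.payout_amount == inc.deposit_amount
            in_window = 0 <= inc.minute - out.minute <= max_gap_minutes
            if same_asset and same_amount and in_window:
                links.add((out.swap_id, inc.swap_id))
    return sorted(links)


def link_by_address(records):
    """Address reuse: a user-supplied payout address seen in more than one
    swap ties those swaps together. Returns {address: sorted swap ids}."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec.user_addr].add(rec.swap_id)
    return {addr: sorted(ids) for addr, ids in seen.items() if len(ids) > 1}


def correlate(records):
    """What an observer holding all three services' logs could conclude."""
    return {
        "by_amount": link_by_amount(records),
        "by_address": link_by_address(records),
    }


if __name__ == "__main__":
    print("careless:", correlate(CARELESS))
    print("careful: ", correlate(CAREFUL))
```

The amount check is deliberately an exact match: that is the heuristic the thread describes, and it is enough to show why forwarding a round-tripped amount unchanged is the thing to avoid. A real observer would also tolerate fee deltas and use wider time windows, which is why the careful set changes the amount and the timing rather than relying on either alone.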
19/
best practices continued:
- Avoid services that make claims too good to be true
- Avoid combining outputs while using the services 🔀
20/
best practices continued:
- Use many different swap services owned by different entities
21/
This makes it more difficult for a single entity to gather data across ALL of your transactions (unless all of the swap services are owned by a single entity, or the swap service is forced to give up data)
22/
best practices continued:
- Don't use referrals
23/
If a comparison website is suggesting to use a specific swap site because it offers the best rates, do not follow a link from the comparison site. Type the site into the address bar and visit it manually (link trackers make the swap a privacy minefield)
24/
best practices continued:
- Interact with the swap services at random times
- Use a VPN or overlay network like Tor or I2P while using the services
25/
If I were a government/surveillance agency, what are some tools/tricks I would use?

- I would want to draw as much attention to my service and make it as simple as possible. The more people that use the service, the more info I can collect
26/
- I would try and garner trust within the community
- I would run a marketing campaign to build hype about this new service (government/surveillance agencies have a large amount of capital and can deploy it using various strategies)
27/
- I would run a hidden service along with a clearnet hosted webpage (an onion address shouldn't be a 🚩🚩, it would just be a strategy I would use to give the impression that I support privacy preserving tech, while still logging every other aspect)
28/
- I would log everything about the users (IP address, device fingerprint, addresses, amounts, chat logs) I'm recording every piece of data you give to me.
With all of this info, we're not accusing any of these services of being government or surveillance firms, but it wouldn't fit into an adversarial framework if you don't consider this attack vector. Many of the services that appear on the radar do so only through online testimonials.