nitter.kavin.rocks/FixedFloat/sta…
With this making news, we thought it'd be a good time to discuss the potential issues around swap services. Pros, cons, where you can best manage information leaks, & privacy implications from govt/surveillance firms that may be running a swap service
🧵👇
With this making news, we thought it'd be a good time to discuss the potential issues around swap services. Pros, cons, where you can best manage information leaks, & privacy implications from govt/surveillance firms that may be running a swap service
🧵👇
1/ An instant swap service is a platform that allows users to exchange between cryptocurrencies in a relatively easy and simple way
@FixedFloat
@MajesticBank
are just two examples of instant swap services
DISCLAIMER: Im not accusing either of these services as being glowies
@FixedFloat
@MajesticBank
are just two examples of instant swap services
DISCLAIMER: Im not accusing either of these services as being glowies
2/ and @OrangeFren 🐸 is a site that compares instant exchanges to find you the best exchange rates between these services
3/ Lets talk about the pros of these services:
- no account/kyc (for most services)
- Easy to use
- Move across blockchains to break on-chain heuristics
- Swap between many different crypto
- no account/kyc (for most services)
- Easy to use
- Move across blockchains to break on-chain heuristics
- Swap between many different crypto
4/
Pros continued:
- Not flagged by surveillance firms to the degree that dark net mixing services are 🚨
- important tool in your privacy toolbelt
Pros continued:
- Not flagged by surveillance firms to the degree that dark net mixing services are 🚨
- important tool in your privacy toolbelt
5/
The cons:
- Many are stated to be "non-custodial", but there is a point when funds are completely out of your hands while you wait for the swap to be completed
The cons:
- Many are stated to be "non-custodial", but there is a point when funds are completely out of your hands while you wait for the swap to be completed
6/
Normally non-custodial is a good thing, but I can't quite verify how the swaps the sites perform are non-custodial besides the promises on these sites. I may be missing something and if anyone can shed more light on how these are ACTUALLY non-custodial, please let me know.
Normally non-custodial is a good thing, but I can't quite verify how the swaps the sites perform are non-custodial besides the promises on these sites. I may be missing something and if anyone can shed more light on how these are ACTUALLY non-custodial, please let me know.
7/
It seems like some of these services are using a different definition of non-custodial) These swaps are not atomic, and these swaps arent trustless.
It seems like some of these services are using a different definition of non-custodial) These swaps are not atomic, and these swaps arent trustless.
8/
cons continued:
- The platforms are a black box. You have no insight into the operation of the platform
- Traceability between incoming and outgoing wallet addresses are known by the platform
- Timing analysis can be performed by the swap service
cons continued:
- The platforms are a black box. You have no insight into the operation of the platform
- Traceability between incoming and outgoing wallet addresses are known by the platform
- Timing analysis can be performed by the swap service
9/
cons continued:
- Sum total analysis can be performed by the swap service(s)
for example if moving from a transparent chain to #XMR for example, and you receive a specific amount (10.095463 for this example)
cons continued:
- Sum total analysis can be performed by the swap service(s)
for example if moving from a transparent chain to #XMR for example, and you receive a specific amount (10.095463 for this example)
10/
and then move to a different swap service with the exact 10.095463 XMR, even if the transactions are private on-chain, if there is someone monitoring the services, they can, with a reasonable degree of certainty, tie the transactions together
and then move to a different swap service with the exact 10.095463 XMR, even if the transactions are private on-chain, if there is someone monitoring the services, they can, with a reasonable degree of certainty, tie the transactions together
11/
How can you verify if the service is a quality service:
There may be testimonials from people that the service works well, but unless you can verify first hand, you cant be sure.
How can you verify if the service is a quality service:
There may be testimonials from people that the service works well, but unless you can verify first hand, you cant be sure.
12/
In regards to bad actors, there is no way to know, with 100% certainty, if the service is not a government/surveillance agency but here a few best practices you can take
In regards to bad actors, there is no way to know, with 100% certainty, if the service is not a government/surveillance agency but here a few best practices you can take
13/
- Test with small transactions
- Review the instant swap service:
What is their position is on privacy issues. Do they make claims that dont seem legit? Do they support privacy at the protocol level?
- What jurisdiction are they located in? 🌏
- Test with small transactions
- Review the instant swap service:
What is their position is on privacy issues. Do they make claims that dont seem legit? Do they support privacy at the protocol level?
- What jurisdiction are they located in? 🌏
14/
- Are they supporting privacy projects 🕵️ (either by donating or running privacy infrastructure) This is one of the most important points, although its not 100% fool proof
- Are they supporting privacy projects 🕵️ (either by donating or running privacy infrastructure) This is one of the most important points, although its not 100% fool proof
15/
🚨🚨
It is very unlikely that a specific government/surveillance agency posing as a swap service would be donating to projects that will make their surveillance tools obsolete 🚨🚨
🚨🚨
It is very unlikely that a specific government/surveillance agency posing as a swap service would be donating to projects that will make their surveillance tools obsolete 🚨🚨
16/
🚨🚨Donating to a CCS proposal that further enhances a privacy protocol is an example of a good privacy-aligned signal 👌 🚨🚨
🚨🚨Donating to a CCS proposal that further enhances a privacy protocol is an example of a good privacy-aligned signal 👌 🚨🚨
17/
How to best mitigate these risks:
- Use private blockchains 🤫
- Use different addresses each time you interact with a service
How to best mitigate these risks:
- Use private blockchains 🤫
- Use different addresses each time you interact with a service
18/
You should never re-use an address, even if its a private blockchain, the data gathered between swap services IS collected, and any information the swap service obtains, can then be used to further correlate the degraded transaction graph
You should never re-use an address, even if its a private blockchain, the data gathered between swap services IS collected, and any information the swap service obtains, can then be used to further correlate the degraded transaction graph
19/
best practices continued:
- Avoid services that make claims too good to be true
- Avoid combining outputs while using the services 🔀
best practices continued:
- Avoid services that make claims too good to be true
- Avoid combining outputs while using the services 🔀
20/
best practices continued:
- Use many different swap services owned by different entities
best practices continued:
- Use many different swap services owned by different entities
21/
This makes it more difficult for a single entity to gather data across ALL of your transactions (unless all of the swap services are owned by a single entity, or the swap service is forced to give up data)
This makes it more difficult for a single entity to gather data across ALL of your transactions (unless all of the swap services are owned by a single entity, or the swap service is forced to give up data)
22/
best practices continued
- Dont use referrals
best practices continued
- Dont use referrals
23/
If a comparison website is suggesting to use a specific swap site because it offers the best rates, do not follow a link from the comparison site. Type the site into the address bar and visit it manually (link trackers make the swap a privacy minefield)
If a comparison website is suggesting to use a specific swap site because it offers the best rates, do not follow a link from the comparison site. Type the site into the address bar and visit it manually (link trackers make the swap a privacy minefield)
24/
best practices continued:
- Interact with the swap services at random times
- Use a VPN or overlay network like Tor or I2P while using the services
best practices continued:
- Interact with the swap services at random times
- Use a VPN or overlay network like Tor or I2P while using the services
25/
If I were a government/surveillance agency, what would some tools/tricks I would use?:
- I would want to draw as much attention to my service and make it as simple as possible. The more people that use the service, the more info I can collect
If I were a government/surveillance agency, what would some tools/tricks I would use?:
- I would want to draw as much attention to my service and make it as simple as possible. The more people that use the service, the more info I can collect
26/
- I would try and garner trust within the community
- I would run a marketing campaign to build hype about this new service (government/surveillance agencies have a large amount of capital and can deploy it using various strategies)
- I would try and garner trust within the community
- I would run a marketing campaign to build hype about this new service (government/surveillance agencies have a large amount of capital and can deploy it using various strategies)
27/
- I would run a hidden service along with a clearnet hosted webpage (an onion address shouldnt be a 🚩🚩, it would just be a strategy I would use to give the impression that I support privacy preserving tech, while still logging any other aspects)
- I would run a hidden service along with a clearnet hosted webpage (an onion address shouldnt be a 🚩🚩, it would just be a strategy I would use to give the impression that I support privacy preserving tech, while still logging any other aspects)
28/
- I would log everything about the users (IP address, device fingerprint, addresses, amounts, chat logs) I'm recording every piece of data you give to me.
- I would log everything about the users (IP address, device fingerprint, addresses, amounts, chat logs) I'm recording every piece of data you give to me.
With all of this info, we're not accusing any of these services with being government or surveillance firms, but it wouldnt fit into an adversarial framework if you dont consider this attack vector. Many of these services that appear on the radar are only by online testimonials.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
