Tornado.Cash - How to Make Your Transactions Untraceable?
Crypto is anonymous in a sense: it is difficult to link a wallet address to a real-world identity. However, crypto is also fully transparent. All transactions are stored on-chain, and every transaction from any wallet can be tracked. If you have some $ETH in your account, you cannot transfer it anonymously, since anybody can follow your transaction history on the blockchain. Through social engineering techniques, it is also possible to uncover your true identity, at which point every dollar you own on-chain is fully exposed.
A mixer is a service that mixes different streams of potentially identifiable cryptocurrency. One could transfer his $ETH to the mixing service, which mixes it with that of other users and transfers the mixed money to another address. This breaks the link between the source wallet address and the destination address.
Tornado.Cash - A Mixer Using Zero-Knowledge
Tornado.Cash is a crypto mixer. It is a smart contract that accepts token deposits from one address and enables their withdrawal from a different address. Those smart contracts work as pools that mix all deposited assets. For example, if hundreds of accounts deposit 1 $ETH on one side and hundreds of other accounts withdraw 1 $ETH on the other side, then no one will be able to follow the path the money takes.
When a user puts funds into a pool, a private note will be generated. This private note serves as a proof that you have this amount of crypto in the pool, and you can redeem your crypto later using the private note to a different address.
Wait a moment, does it mean the protocol can link the inward & outward transactions through the private note?
The answer is no, thanks to zero-knowledge proof technology. A ZK proof allows someone to prove they know something without revealing it, and it is widely used in many areas of crypto, such as Ethereum ZK rollups. The theory behind it is extremely complicated. I have found some nice illustrations to help understand it. (An article and a video)
Tornado.Cash currently supports Ethereum, BNB Chain, Polygon, Gnosis and Avalanche, as well as the Ethereum layer 2 solutions Arbitrum and Optimism. Tokens supported on Ethereum include $ETH, $DAI, $cDAI, $USDC, $USDT, and $WBTC, together with the native tokens of the other supported networks.
The basic service works on the principle of fixed-amount deposits and withdrawals: you can only deposit or withdraw in predefined amounts. For $ETH, these are 0.1, 1, 10 and 100.
The four different amounts of $ETH are separated into four different pools. When a user wants to deposit 100 $ETH, he can either deposit it in the 100-ETH pool at once, or deposit it in the 1-ETH pool in 100 installments. As we can see from the above deposit screen, the 100-ETH pool has 24,686 equal deposits, so your deposit is mixed with the other 24,686 deposits.
When a hacker deposits hacked money into Tornado, he needs to split it into a number of 100-ETH deposits, as shown in the case of the recent Ronin network exploit.
From a technological perspective, yes. The protocol design and ZK proofs disconnect the source address from the destination address. However, it is still possible to make a reasonable guess from the transaction pattern.
As a simple example, let's say a user deposits $1,080 ETH and there are no other recent large deposit transactions. A day later, a user takes $1,080 ETH out of the pool and transfers it to a new wallet. To an analyst who is constantly tracking Tornado transactions, these two transactions would look very suspicious and highly correlated.
This is why the protocol recommends waiting for a longer time after the deposit, as the level of anonymity depends on the number of transactions made after your deposit. The longer you wait, the greater your anonymity will be.
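The amount-and-timing correlation an analyst could run over pool events, as an added example (not code from the original article or from Tornado.Cash). The events, address labels, the 72-hour window and the function names are constructed assumptions; because pools only take fixed amounts, the 1,080 ETH of the example above is modelled as ten 100-ETH and eight 10-ETH notes.

```python
from collections import Counter, defaultdict

# Constructed sample events: (hour, pool denomination in ETH, kind, address).
# Addresses are made-up labels, not real wallets.
EVENTS = (
    [(0, 100, "deposit", "0xA")] * 10 + [(0, 10, "deposit", "0xA")] * 8
    + [(3, 100, "deposit", "0xB"), (5, 10, "deposit", "0xC")]
    + [(24, 100, "withdraw", "0xN")] * 10 + [(24, 10, "withdraw", "0xN")] * 8
    + [(30, 100, "withdraw", "0xM")]
)

def fingerprints(events, kind):
    """Per address: Counter of denominations used, plus first/last hour seen."""
    out = defaultdict(lambda: {"mix": Counter(), "first": None, "last": None})
    for hour, denom, k, addr in events:
        if k != kind:
            continue
        rec = out[addr]
        rec["mix"][denom] += 1
        rec["first"] = hour if rec["first"] is None else min(rec["first"], hour)
        rec["last"] = hour if rec["last"] is None else max(rec["last"], hour)
    return out

def correlate(events, window_hours=72, min_notes=2):
    """Pair a depositor with a recipient when the denomination mix is identical,
    the withdrawals start after the deposits end, and the gap fits the window."""
    deps, wds = fingerprints(events, "deposit"), fingerprints(events, "withdraw")
    hits = []
    for d_addr, d in deps.items():
        for w_addr, w in wds.items():
            gap = w["first"] - d["last"]
            if (d["mix"] == w["mix"] and sum(d["mix"].values()) >= min_notes
                    and 0 <= gap <= window_hours):
                total = sum(k * v for k, v in d["mix"].items())
                hits.append((d_addr, w_addr, total, gap))
    return hits

def anonymity_set(events, denom, withdraw_hour):
    """Deposits in one pool made before a withdrawal: the candidates it hides among."""
    return sum(1 for h, d, k, _ in events
               if k == "deposit" and d == denom and h < withdraw_hour)

if __name__ == "__main__":
    print(correlate(EVENTS))
    print(anonymity_set(EVENTS, 100, 24))
```

The single-note pair 0xB/0xM is not reported: one fixed-size note matches every other deposit in its pool, so only a distinctive mix of notes produces a usable fingerprint.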
The native token of Tornado.Cash is $TORN. The total supply is 10M.
The treasury and team hold the majority of the tokens. The project originally designed the token not as a fundraising device or investment opportunity, but as a pure governance token without any value-capturing mechanism. This changed this February.
$TORN Staking Reward
At the end of February, Tornado.Cash introduced the decentralized relayer register, and a staking reward was implemented for all holders with $TORN locked in the governance contract. Since then, $TORN's price increase has significantly outperformed $ETH.
Decentralized Relayer Register
When users withdraw funds from Tornado to a new wallet address, they face a gas fee problem. They need to pay a gas fee when withdrawing, but there is no money in the new wallet, and they would compromise their anonymity by transferring some $ETH from an existing wallet into this new wallet.
Relayers act as third parties that pay the gas fee and deduct it directly from the transferred amount. They also charge a service fee, likewise deducted directly from the transferred amount.
Previously, relayers were selected from the community. With the introduction of the decentralized relayer registry, anyone can become a relayer by following a registration process. A relayer is required to stake a given amount of $TORN, which is now 300 $TORN.
For each withdrawal through the relayer method, the user pays the relayer through a deduction from the transferred amount, and the chosen relayer pays a fee to the protocol through a deduction from their staked balance. This essentially means the user needs to pay both the relayer and the protocol.
The data above from Dune shows that most withdrawals go through relayers, and relayers' profit is on an upward trend.
Tornado.Cash is a controversial service. It protects the privacy of crypto users, since the blockchain reveals everything for all to see, but on the flip side, it does facilitate a lot of money laundering of hacking proceeds.
Putting moral considerations aside, Tornado.Cash is quite unique in today's market. A mixing service can only achieve anonymity if many other people use it. The pool needs to be large enough so that newly deposited crypto can be mixed with others. With its size today, I just can't see any other protocols that can compete with it.