tornado is a smart contract running on Ethereum.
When I say smart, I mean really wicked-smart; it uses “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge” cryptography (ZkSNARK) so the ether (or tokens) deposited into the contract can’t be linked to those that are withdrawn.
But… I won’t be surprised if there is a paper at the Financial Cryptography 2023 conference showing that 85% of tornado usage was not private; not because the cryptography is broken, but because it is really hard for mere mortals to use something like tornado (or CoinJoin or other similar technologies) in a way that doesn’t leak information about their wallet. The tornado developers wrote an article with tips to help maintain privacy, but I think 62% of their users won’t read it and another 25% will read it and then immediately do something the article says you shouldn’t do.
I think the mistake most people will make is to think that they can run a bunch of ETH through tornado into a new wallet and end up with “a private wallet.” So imagine you start with 117 ETH you bought on an exchange and moved to a wallet that you control. On the ethereum blockchain that is a balance of 117 ETH in some address– lets call it 0xabc.
You’d like to be able to donate, spend, exchange or invest those funds privately. For example, if you give your crypto-curious cousin 1 ETH for Christmas it would be nice if she couldn’t see all of your wallet activity just looking at 0xabc in Etherscan.
So you decide to run those 117 ETH through tornado into a brand-new wallet named “SuperSecret” that you create offline in a electromagnetically sealed room on a brand new laptop that has never touched the internet. You make several deposits into tornado over the course of a week or two and end up with a little less than 117 ETH (because of transaction fees) in that new wallet (call it 0xdef).
… and you have almost certainly accomplished nothing. Unless somebody else just happened to use tornado to move 117 ETH from one address to another in the same timeframe, it is easy to see that 0xabc and 0xdef are both owned by you. Your SuperSecret wallet isn’t.
Even if you assume your curious cousin isn’t likely to bother trying to link the two addresses, you’ll lose a little privacy every time you do something with the coins (or tokens) sitting in 0xdef.
The right way
I think people want a private wallet, and I think tornado is a fantastic building block that will let some clever developers build a much more private Ethereum wallet. You can speed that up by funding the tornado developers on gitcoin.
But if your cousin’s birthday is coming up soon and you can’t wait, here is what I would do:
I would deposit just five or ten ETH into tornado and just let them sit there. I would think of those deposits as “my private funds.”
To give my cousin 1 ETH on her birthday, I’d withdraw from tornado and have the ETH go directly to her wallet.
Yay! If she looks at the blockchain, she’ll only see that you had 1 ETH in tornado but will have no idea when you deposited the coins and will have no idea how many ETH you have in total, where you got them, or what else is happening in your wallet.
And I’d try to remember to deposit another 1 ETH into tornado in a day or two, so I’d still have five or ten ETH available to spend or donate or invest privately.
Or you could…
Use a private-by-default blockchain like Monero (or use ZCash with only ‘shielded’ addresses). They are not 100% private, unless you’re an even bigger nerd than I am with Jason Bourne-level OPSEC and knowledge of the latest research into breaking privacy schemes. But they’ll certainly keep your cousin from discovering how many coins are in your wallet, unless she gets a job in the coin-tracking division of the NSA.
Or just send 1 ETH back to your exchange account, then withdraw to your cousin’s address. Etherscan will probably tell her the money came from the BitKrakEnex hot wallet, so she’ll know you have an account there, but you won’t have to worry that she’ll see those SPANK tokens you accidentally acquired when you were showing a friend how Uniswap works.
When I say smart, I mean really wicked-smart; it uses “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge” cryptography (ZkSNARK) so the ether (or […]