Tornado cash. Non-custodial private transactions on Ethereum.
Go to file
2019-12-14 12:56:12 +07:00
circuits new circomlib update 2019-12-13 13:18:16 -08:00
contracts new circomlib update 2019-12-13 13:18:16 -08:00
lib change zero value constant 2019-11-15 11:44:07 +03:00
migrations rename variables 2019-12-13 20:49:19 +07:00
test rename variables 2019-12-13 20:49:19 +07:00
.editorconfig Move contracts to repository root 2019-07-12 12:53:44 +03:00
.env.example change tree depth to 20 2019-12-11 19:29:03 +07:00
.eslintrc.json styling final 2019-07-16 23:49:45 +03:00
.gitattributes add dummy test 2019-07-10 19:58:21 +03:00
.gitignore rename variables 2019-12-13 20:49:19 +07:00
.nvmrc fix tests 2019-07-23 13:00:45 -07:00
.solhint.json add pauseDeposits 2019-08-01 01:41:22 -07:00
.travis.yml add erc20 to integration test 2019-10-04 19:27:19 +03:00
cli.js fix cli 2019-12-13 23:36:32 +03:00
diagram.png rename variables 2019-12-13 20:49:19 +07:00
index.html rename variables 2019-12-13 20:49:19 +07:00
LICENSE Create LICENSE 2019-07-17 14:14:07 +03:00
migrationDeposits.js done 2019-12-11 23:04:38 +03:00
package-lock.json new circomlib update 2019-12-13 13:18:16 -08:00
package.json new circomlib update 2019-12-13 13:18:16 -08:00
README.md rename variables 2019-12-13 20:49:19 +07:00
truffle-config.js update dependencies 2019-11-08 04:11:29 +03:00

Tornado Privacy Solution Build Status

Tornado is a non-custodial Ethereum and ERC20 privacy solution based on zkSNARKs. It improves transaction privacy by breaking the on-chain link between recipient and destination addresses. It uses a smart contract that accepts ETH deposits that can be withdrawn by a different address. Whenever ETH is withdrawn by the new address, there is no way to link the withdrawal to the deposit, ensuring complete privacy.

To make a deposit user generates a secret and sends its hash (called a commitment) along with the deposit amount to the Tornado smart contract. The contract accepts the deposit and adds the commitment to its list of deposits.

Later, the user decides to make a withdrawal. In order to do that, the user should provide a proof that he or she possesses a secret to an unspent commitment from the smart contracts list of deposits. zkSnark technology allows that to happen without revealing which exact deposit corresponds to this secret. The smart contract will check the proof, and transfer deposited funds to the address specified for withdrawal. An external observer will be unable to determine which deposit this withdrawal came from.

You can read more about it in this medium article

Specs

  • Deposit gas const: 888054 (43381 + 50859 * tree_depth)
  • Withdraw gas cost: 692133
  • Circuit Constraints = 22617 (1869 + 1325 * tree_depth)
  • Circuit Proof time = 6116ms (1071 + 347 * tree_depth)
  • Serverless

image

Security risks

  • Cryptographic tools used by Tornado (zkSNARKS, Pedersen commitment, MiMC hash) are yet NOT extensively audited by cryptographic experts and may be vulnerable
  • Note: we use MiMC hash only for merkle tree, so even if a preimage attack on MiMC is discovered, it will not allow to deanonymize users. To drain funds attacker needs to be able to generate arbitrary hash collisions, which is a pretty strong assumption.
  • Bugs in contract. Even though we have an extensive experience in smart contract security audits, we can still make mistakes. An external audit is needed to reduce probablility of bugs. Our code is currently being audited, stay tuned.
  • Relayer is frontrunnable. When relayer submits a transaction someone can see it in tx pool and frontrun it with higher gas price to get the fee and drain relayer funds.
    • Workaround: we can set high gas price so that (almost) all fee is used on gas
    • Second workaround: allow only single hardcoded relayer, we use this approach for now
  • Nullifier griefing. when you submit a withdraw transaction you reveal the nullifier for your note. If someone manages to make a deposit with the same nullifier and withdraw it while your transaction is still in tx pool, your note will be considered spent since it has the same nullifier and it will prevent you from withdrawing your funds
    • Fixed by sending nullifier hash instead of plain nullifier

Requirements

  1. node v11.15.0
  2. npm install -g npx

Usage

You can see example usage in cli.js, it works both in console and in browser.

  1. npm install
  2. cp .env.example .env
  3. npm run build - this may take 10 minutes or more
  4. npx ganache-cli
  5. npm run test - optionally runs tests. It may fail on the first try, just run it again.

Use browser version on Kovan:

  1. vi .env - add your Kovan private key to deploy contracts
  2. npm run migrate
  3. npx http-server - serve current dir, you can use any other static http server
  4. Open localhost:8080

Use with command line version with Ganache:

ETHTornado

  1. npm run migrate:dev
  2. ./cli.js deposit
  3. ./cli.js withdraw <note from previous step> <destination eth address>
  4. ./cli.js balance <destination eth address>

ERC20Tornado

  1. npm run migrate:dev
  2. ./cli.js depositErc20
  3. ./cli.js withdrawErc20 <note from previous step> <destination eth address> <relayer eth address>
  4. ./cli.js balanceErc20 <destination eth address> <relayer eth address>

If you want, you can point the app to existing tornado contracts on Mainnet or Kovan. It should work without any problems

Deploy ETH Tornado Cash

  1. cp .env.example .env
  2. Tune all necessary params
  3. npx truffle migrate --network kovan --reset --f 2 --to 4

Deploy ERC20 Tornado Cash

  1. cp .env.example .env
  2. Tune all necessary params
  3. npx truffle migrate --network kovan --reset --f 2 --to 3
  4. npx truffle migrate --network kovan --reset --f 5

Note. If you want to reuse the same verifier for all the instances, then after you deployed one of the instances you should only run 4th or 5th migration for ETH or ERC20 contracts respectively (--f 4 --to 4 or --f 5).

Credits

Special thanks to @barryWhiteHat and @kobigurk for valuable input, and to @jbaylina for awesome Circom & Websnark framework