Tornado cash. Non-custodial private transactions on Ethereum.
Go to file
2019-07-18 14:29:09 -07:00
circuits remove redundant constraints 2019-07-16 19:34:46 +03:00
contracts add indexed event commitment 2019-07-18 14:29:09 -07:00
lib move ganacheHelper 2019-07-18 21:38:21 +03:00
migrations tidy 2019-07-18 15:45:12 +03:00
test move ganacheHelper 2019-07-18 21:38:21 +03:00
.editorconfig Move contracts to repository root 2019-07-12 12:53:44 +03:00
.env.example mixer deploy WIP 2019-07-12 18:04:45 +03:00
.eslintrc.json styling final 2019-07-16 23:49:45 +03:00
.gitattributes add dummy test 2019-07-10 19:58:21 +03:00
.gitignore add index 2019-07-15 19:19:52 +03:00
cli.js remove utils.js 2019-07-18 21:27:51 +03:00
index.html readme 2019-07-17 14:12:57 +03:00
LICENSE Create LICENSE 2019-07-17 14:14:07 +03:00
mixer.png readme 2019-07-17 14:12:57 +03:00
package-lock.json eslinter WIP 2019-07-16 18:58:42 +03:00
package.json styling final 2019-07-16 23:49:45 +03:00
README.md readme 2019-07-17 14:12:57 +03:00
truffle-config.js code style 2019-07-16 20:27:20 +03:00

Tornado mixer

mixer image

Specs

  • Deposit gas cost: deposit 888054
  • Withdraw gas cost: 692133
  • Circuit constraints: 22617
  • Circuit proving time: 6116ms
  • Serverless

Security risks

  • Cryptographic tools used by mixer (zkSNARKS, Pedersen commitment, MiMC hash) are not yet extensively audited by cryptographic experts and may be vulnerable
    • Note: we use MiMC hash only for merkle tree, so even if a preimage attack on MiMC is discovered, it will not allow to deanonymize users or drain mixer funds
  • Relayer is frontrunnable. When relayer submits a transaction someone can see it in tx pool and frontrun it with higher gas price to get the fee and drain relayer funds.
    • Workaround: we can set high gas price so that (almost) all fee is used on gas. The relayer will not receive profit this way, but this approach is acceptable until we develop more sophisticated system that prevents frontrunning
  • Bugs in contract. Even though we have an extensive experience in smart contract security audits, we can still make mistakes. An external audit is needed to reduce probablility of bugs
  • Nullifier griefing. when you submit a withdraw transaction you reveal the nullifier for your note. If someone manages to make a deposit with the same nullifier and withdraw it while your transaction is still in tx pool, your note will be considered spent since it has the same nullifier and it will prevent you from withdrawing your funds
    • This attack doesnt't provide any profit for the attacker
    • This can be solved by storing block number for merkle root history, and only allowing to withdraw using merkle roots that are older than N ~10-20 blocks. It will slightly reduce anonymity set (by not counting users that deposited in last N blocks), but provide a safe period for mining your withdrawal transactions.

Requirements

  1. node v11.15.0
  2. npm install -g npx

Usage

  1. npm i
  2. cp .env.example .env
  3. npm run build:circuit - may take 10 minutes or more
  4. npm run build:contract
  5. npm run browserify
  6. npm run test - optionally run tests. It may fail for the first time, just run one more time.
  7. npx ganache-cli
  8. npm run migrate:dev
  9. ./cli.js deposit
  10. ./cli.js withdraw <note from previous step> <destination eth address>
  11. ./cli.js balance <destination eth address>
  12. vi .env - add your Kovan private key to deploy contracts
  13. npm run migrate
  14. npx http-server - serve current dir, you can use any other http server
  15. Open localhost:8080

Credits

Special thanks to @barryWhiteHat and @kobigurk for valuable input, and to @jbaylina for awesome Circom & Websnark framework