A crypto investment fund research editor and former Google engineer claims to have broken the privacy model of Mimblewimble, the blockchain named after a spell in the Harry Potter series. In a report that makes for scary reading for investors of coins on the network, Ivan Bogatyy says he was able to “uncover the exact addresses of senders and recipients for 96% Grin transactions in real time”, and all at a cost of “only $60/week of AWS [Amazon Web Services] spend”.
I just published a new attack that breaks Mimblewimble’s privacy model. This attack traces 96% of all sender and recipient addresses in real time. Here’s a summary and what it means for the future of privacy coins:https://t.co/tsIDLyfpzp
— Ivan Bogatyy (@IvanBogatyy) November 18, 2019
Linkability Could be Miblewimble’s Downfall
Bogatty states that his attack allowed him to link payments together and establish a flow of transactions on the network, which, given that Mimblewimble is supposed to be a privacy coin, is something of a major failing. Bogatyy bases his hack on the idea of ‘linkability’ – that is, the ability to link payments to senders and recipients.
The likes of Zcash and Monero, he states, would not be vulnerable to such attacks because they use large ‘anonymity sets’, which he likens to “blending into the crowd: the larger the anonymity set, the larger “crowd” your transaction is mixed into.” Monero has a default setting of 11 decoy transactions to help obfuscate the real one, while Zcash’s anonymity set is the theoretical maximum that could be achieved. Mimblewimble, on the other hand, uses such a small set that Bogatyy was able to determine the exact address that any payment was made to.
The full gory details of the hack make interesting reading for those of a technical persuasion, involving full-block cut-through aggregation, super-transactions, sniffer nodes and the like,
but what Bogatyy is essentially able to do is make himself a super node on the Grin network with $60 worth of AWS per week and applying some know how. Achieving super node status allowed him to instantly see every transaction before it entered the anonymization process, and through this method he was able to link 96% of all transactions that came his way, despite only being connected to 200 peers of Grin’s 3,000. By spending a bit more money, he notes, he “could easily connect to 3000 nodes to disaggregate almost all transactions.”
No Magic Fix
Bogatyy makes no bones about the seriousness of his discoveries:
The problem is inherent to Mimblewimble, and I don’t believe there’s a way to fix it. This means Mimblewimble should no longer be considered a viable alternative to Zcash or Monero when it comes to privacy.
As to a fix, the former Google engineer says that it isn’t simply a case of “ratcheting up” the anonymity factor, as that could be “easily combated by a motivated attacker”. On its own, Bogatyy says, Mimblewimble is “not strong enough to confer robust privacy”, and leaves a cautionary tale for anyone who thinks a fix is inevitable:
But this is how science always advances: we propose new theories, and then repeatedly knock them down, until what’s left standing has stood the test of time.
Less ‘mimblewimble’, more ‘avada kedavra’ perhaps.