AP->TORN conversion may leak privacy?

Hi everyone, I am a Ph.D. student at Imperial College, working on blockchain security.

I have got a question about Tornado’s AP -> TORN conversion after reading the Medium article. Because the formula:

TORN = T_{virt} * (1-(e^{-AP/w}))

is fixed, and the parameters TORN, T_{virt}, w should all be public parameters, doesn’t that mean anyone can calculate the amount of AP a user inputs into this AMM based on the output amount of TORN, and therefore infer the duration of the deposits (and break the purpose of shielding AP)?

Also, it would be great if someone can point me to the AMM implementation contract. Is there any detailed documentation about this AMM?



Yeah you can calculate how much AP was swapped. But it’s not 1 swap = 1 note.

Miners have a secret AP account from which the proceeds of several notes can be credited. So you can’t know if TORN claimed is from single deposit or several and also you can’t know which pool it was (10ETH, 100ETH, etc…).

These are the relevant contracts:


Yep! And you can also withdraw at any address. Including those that are unrelated to your mix that you got the points from!

However most people will withdraw on their new exit address which actually might reduce privacy in a vague sense.

Kinda like in zcash when you go from t-addr 1 zec -> z-addr.
And then exit z-addr -> t-addr later that day with 0.99 zec.
It’s not 1 in 1 out obvious but it is suspicious.

  • Account that receives TORN is not linked to deposit/withdrawal accounts for notes
  • TORN output and relayer fee is visible on swap operation, so you can see exactly how much AP they converted into TORN
  • Users can withdraw any fraction of their AP account
  • AP is accumulated on a single shielded account with hidden address and balance, it’s possible to split between multiple AP accounts but there is no point to do it
  • Claiming AP to a new account costs exactly the same as adding it to an existing account, it’s a cost of a single snark verification

In addition I’ll explicitly mention that a user can use different ETH addresses to withdraw AP from a single shielded account.

Would be really interesting to see some research on that topic.

Also worth mentioning that if someone claims a reward for a single note and then fully withdraws it to his Tornado deposit/withdrawal address, it will completely blow his anonymity: an observer will be able to calculate the exact time his note spent in a pool based on note size and reward amount, and will know the other end of the user's transaction.


Not completely completely right? If rewards are claimed at the withdraw address you would only know the minimum age of the note. Because you can't know if the user swapped all AP for TORN or just a portion of it, right?
Even then the minimum age isn’t quite clear because a user might have withdrawn another note somewhere else and combined the AP points at the “main” withdraw address.
So the cover blown is still probabilistic right?

Probably missing something here, I'm just trying to understand it better.

This was for the case when a user fully withdraws a reward. In this case if an observer calculates a supposed deposit block and finds a deposit with an exact block number match, there is a reason to believe that it is from the same user (unless a user intentionally tried to set this up).

Ah thanks for the explanation.

That does sound like something a lot of users might have messed up. Maybe the ui should suggest leaving a random amount of change when you press “max”.


Good point. Probably it could be considered to issue some sort of warning alerting users that doing a withdrawal and shortly thereafter converting AP would decrease anonymity.

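The pre-swap warning suggested above, worked through as an added example (not code from Tornado or from anyone in this thread): it inverts the public curve from the first post to show what an observer learns from the TORN output, and flags the two cases the thread identifies as risky (swapping the full AP balance, and claiming to a deposit/withdrawal address). T_virt, w and the per-pool AP accrual rates are constructed placeholders, not the contract values.

```python
import math

# Constructed parameters for illustration only; the real T_virt, w and the
# per-pool AP accrual rates live in the Tornado contracts, not on this page.
T_VIRT = 1000.0        # virtual TORN balance of the AP -> TORN curve
W = 1_000_000.0        # curve weight w
AP_PER_BLOCK = {"1ETH": 1.0, "10ETH": 10.0, "100ETH": 100.0}  # assumed rates

def ap_to_torn(ap: float) -> float:
    """Public curve from the thread: TORN = T_virt * (1 - e^(-AP/w))."""
    return T_VIRT * (1.0 - math.exp(-ap / W))

def torn_to_ap(torn: float) -> float:
    """Inverse of the curve: the TORN output of a swap exposes the AP input."""
    if not 0.0 <= torn < T_VIRT:
        raise ValueError("TORN output must lie in [0, T_virt)")
    return -W * math.log(1.0 - torn / T_VIRT)

def min_note_age_blocks(torn: float, pool: str) -> float:
    """Lower bound on how long a note sat in `pool`, given the swapped TORN.
    It is exact only if the whole AP balance of a single note was swapped;
    a partial swap, or AP pooled from several notes, only yields a minimum."""
    return torn_to_ap(torn) / AP_PER_BLOCK[pool]

def swap_privacy_check(ap_balance: float, ap_to_swap: float, pool: str,
                       claim_to_mix_address: bool) -> dict:
    """User-side check a wallet UI could run before an AP -> TORN swap."""
    warnings = []
    torn_out = ap_to_torn(ap_to_swap)
    observer_min_age = min_note_age_blocks(torn_out, pool)
    if math.isclose(ap_to_swap, ap_balance):
        warnings.append("full swap: the whole AP balance is exposed, so a single "
                        f"note's age is inferable as {observer_min_age:.0f} blocks")
    if claim_to_mix_address:
        warnings.append("claiming to a deposit/withdrawal address links the "
                        "reward, and hence the note's age, to that address")
    return {"torn_out": torn_out,
            "observer_min_age_blocks": observer_min_age,
            "warnings": warnings}
```

With a partial swap the observer's figure is only a lower bound on the note's age, which is the "minimum age" point made earlier in the thread.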
Why would this reduce privacy? Seems like maybe someone can calculate how long your deposit was in tornado? If you withdraw into a new address with no eth you will have to send eth to it privately somehow…

Yup, you can make educated guesses on how long the ETH was deposited based on the TORN earned. But you will have to make some assumptions, like that the ETH withdrawn is the only source of the earned TORN.
But this can help narrow things down when you analyse behavior like: the time txs are made, type of dapps used, assets held, etc.

However, if you withdraw 1 note and claim all of its TORN on one address, then you can basically know with 100% certainty what the deposit address was.

would be good to have that added as a heuristic to the tool that is being developed … I’m sure a ton of people screw themselves with this