DustDevil: A protocol to anonymize dust

Dust devils are usually harmless, but can on rare occasions grow large enough to pose a threat to both people and property. They are comparable to tornadoes.


Users end up with “stuck” token dust in their old wallets when they deposit funds into tornado pools.


You have 100.1 ETH in your wallet. You spend 0.05 ETH on gas to deposit 100 ETH into the 100 ETH tornado pool. You now have 0.05 ETH token dust left in your old wallet that you cannot move “safely.”

0.05 ETH = 200 DAI (at today’s ~$4k ETH prices)


DustDevil: a protocol to anonymize dust


  • You have dust in your wallet
  • You deposit your dust into a dust devil (pool)
  • You are returned DUST - DUST is anonymously generated, like AP
  • You have dust in another wallet
  • You deposit your dust into a dust devil exchange for more DUST
  • Eventually, you build up enough DUST that you can exchange it for a normal tornado pool deposit/withdraw (call this a dust bunny), such as 1k DAI

Technical Summary

Dust Devil

  • When dust is deposited into a dust devil, it is exchanged via Uniswap for an existing tornado pool asset, such as DAI
  • DAI pools up in the dust devil from all users’ deposits


  • Users accrue DUST in their shielded account (imagine 1 DUST = 1 DAI)
  • When a user has enough DUST to exchange it for, say, a 1k DAI deposit/withdraw, they generates a private note for the 1k DAI pool

Dust Bunny

  • The user creates a hash of the private note and sends it to a relayer
  • The relayer submits a tx to the dust devil contract with the private note hash
  • Atomically, the following actions then take place:
    • The relayer calls the dust devil contract
    • The user’s DUST is debited from their shielded account for the correct amount (-1k DUST for a 1k DAI deposit)
    • The relayer provides the private note hash to the dust devil
    • The dust devil deposits 1k DAI into the 1k DAI tornado pool (along with the private note hash)
    • The user pays a relayer fee (potentially debited from the user in DUST; the relayer would be able to withdraw DAI from the dust devil for the corresponding amount of DUST debited)
  • The user now has a successfully deposited 1k DAI dust bunny, mixed into tornado like any other user deposit

Other Considerations

  1. I don’t believe there’s any way for a relayer to act maliciously here (just as there is no way for them to act maliciously when redeeming AP for users or swapping AP for TORN). However, I must admit I’m not as intimately familiar with shielded account functionality and may be missing something. Please let me know if you see a flaw in the design above
  2. While there could be multiple types of dust bunnies (eg, ETH dust bunnies, DAI dust bunnies, USDC dust bunnies, etc), starting out, it may be wise to force all liquidity through a single dust devil (so for example, only DAI dust bunnies are possible to start). Similarly, it may be wise to only begin with a single denomination dust bunny (ex: 1k DAI dust bunnies only)
  3. It may be possible to track initial dust devil deposits in order to link multiple dust-bearing addresses to a single owner when liquidity (anonymity set) is low. For example, if 5 different addresses all deposit 200 DAI into a dust devil, no other deposits take place, and then a 1k DAI dust bunny deposit is created; then it will be clear all 5 addresses were owned by the same user with their collectively accumulated DUST. This is another reason why Consideration #2 is worth, well… considering: to increase the anonymity set of dust bunnies
  4. This opens up a new revenue stream for tornado relayers

Closing Thoughts

I’ve been trying to solve this problem for myself for a while. Fear of losing dust forever actually prevents me from using tornado more actively. But if I could just perpetually accrue DUST between each and every tornado transaction, it would be a total game changer

Bonus: Whale Application

It’s also a great way for whales to, for example, mix together a bunch of 1+ ETH dust on their multiple 100+ ETH accounts to collectively save them up for a single 10 ETH dust bunny (cheaper in gas costs and relayer fees than mixing a bunch of 1 ETH deposits)

If you want to support this post and others like it, please consider using the torn.eth relayer


Great proposal @ethdev you never disappoint!

I have only recently found out how some of my old tornado addresses have 0.3 or more ETH in them that have just been sitting there for months.

Dust attacks are a great way to anonymize smaller amounts, it was a common practice with bitcoin in the early days.

I am with you on starting out with 1 pool and 1 pool only to test this out first and then expand to as many pool and assets as possible.


Thanks @gewitet!

Nice to hear this is a problem you’re facing, as well. Provides confidence that this is a real issue for active users

The trick now would be to figure out which users this is most common for and then based on that pick an asset + denomination for a single pool to test with

For example, are most active users with dust mixing ETH? Are their denominations all <1 ETH. If so, does that make 1 ETH the most attractive denomination-asset?

Alternatively, maybe it’s all 100 ETH whales ending up with >1 ETH, who don’t want to waste gas mixing a bunch of 1 ETH + 0.1 ETH pools. In which case, their dust could easily form a bunch of 10 ETH pools quickly

The downside to picking ETH, however, is that it’s an appreciating asset. By today’s prices users would have to accumulate $4,000 worth of dust to form a single 1 ETH dust bunny. That’s a lot of dust! And in the maybe-not-so-distant future this could easily be $5k… or even $10k

On the flip side, we could pick a more stable asset, like DAI - so that the necessary value of the dust is never a moving (appreciating) target. The biggest downside to this is, however, is that if most active users are mixing ETH already, they might not be such a fan of converting their ETH dust to DAI and missing out on the appreciation of Ether while they wait to collect enough DUST to call a dust bunny deposit

Basically, my assertion in picking an initial pool would be:

  • 1k DAI would be best to experiment with from the point of view that more dust bunnies could be formed more quickly (increasing the anonymity set of the dust devil), but…
  • 1 ETH would fulfill the needs of the most likely/active users (increasing the adoption and ultimate success of dust devils in the long run)

I would cast my vote in favor of 1 ETH

Why not have both 1 ETH and 1K DAI pools and give the option to the user?

1 Like

Also a reasonable option

Only reason to focus on one to begin with would be if the community felt initial DUST liquidity would be too low to spread across multiple pools

I fully support this amazing idea. Everything is perfect, down to the names and the memes it could spawn. I’d also cast my vote for 1 ETH.

If the preference is to focus on one pool to start, I’d vote for 1K DAI. It may be harder to collect 1 ETH worth of DUST laying around.

Thanks @sockawoo. I must admit, I felt pretty satisfied with how it all came together, names and all. Even took a crack at logo-ing the proposal

And thanks for the token-denomination votes @sockawoo & @another1. Really useful feedback


Great proposal, definitely was a regard where Tornado lacked in anonymizing all of an individuals holdings.

I am in full support and you have my vote when the proposal goes live.

1 Like

Im not that big brain but wont a zk-snark system like this be so complicated to build that you might as well just build full private transactions of any size (like in zcash).

I thought that tornadocash had the fixed amounts because that means that the proofing system only had to proof ownership of a note, which was simpler to implement.
This proposal would also need to proof that a balance is greater then the withdraw amount from a combined set of UTXO’s (notes). Isn’t that the same stuff you need for a zcash style (any amount) private transaction? Might be missing something here tho.

You could use renZEC to move that anonymously as well. If you don’t mind the gas and extra hassle.

Or use aztecs private rollup at zk.money. Although it is capped at 1 eth because they are still waiting for audits. Also anon set is small there!

It’s the same level of complexity as AP mining actually

Kinda. So the way AP mining works right now is that you generate a proof of the length of time you kept a deposit in a pool (example: 100 ETH for 10,000 blocks). You earn x AP per block (400 AP per block for 100 ETH pool). So then you can claim those AP to any wallet you own’s shielded account (the example user would redeem 4M AP).

A user could continue to claim AP from other “mining tornado deposits.” Let’s say they end up mining and claiming a total of 10M AP. They are then able to go to the custom Tornado AMM and swap any amount of AP for TORN. Right now the exchange rate is approximately 1M AP = 1 TORN. So they’d walk away with an anonymously withdrawn amount of 10 TORN to any wallet they control.

This proposed protocol would be similar, except that instead of accumulating AP from notes based on tornado deposits, DUST would be earned from notes on dust deposits. Both go to your shielded account so you can claim them from any wallet you own (different than the one you initially made the deposits from).

Then instead of using AP to buy TORN from the tornado AMM, DUST would be used to buy a regular tornado deposit (using a similarly made custom AMM)

AFAICT the tech stack here is nearly identical to what we already have

Not quite, it’s more like a savings account. You’re saving up enough DUST to buy yourself a regular tornado deposit. So you’re not actually transfer DUST around anonymously or anything like that

Yeah, zk.money is brilliant. However, the application is different. If you deposit 100 ETH from one account and withdraw 100 ETH to another account with zk.money, it will be almost perfectly obvious it was you. To make the most of zk.money, you’d need to deposit 100 ETH and then send 22 ETH, 33 ETH and 45 ETH to three different address to better anonymize your activity (assuming nobody else has deposited any denominations more than 22 ET). Or just use it as a payment channel to privately pay your friends or retailers you don’t want made public, etc.

Tornado is better for mixing. Keeping you funds intact and still owned by you. Just in another wallet.

Neither are perfect. But having both to use in tandem is better.

If you need help proposing this on-chain let me know, eager to see the ball rolling but I imagine you’re stilling in the process of fine-tuning the contracts before doing so.