NFT Mixer (+ Potential TORN Utility)

Although I’m sure it’s possible, I’m skeptical how effective it would ultimately be. But Rick Dudley just posted a potential design for an NFT mixer that would be similar to Tornado. Seems like if it is in fact possible and practical to build, then Tornado should be the one to pioneer this.

Design Example

Here’s an example based version of Rick’s design:

  • Bob has a Cryptopunk and Alice has 50 ETH. They agree to trade
  • Bob and Alice escrow their assets into the mixer
  • Alice gives Bob her address privately, which Bob signs into the “note.” This note will be given to Alice ensuring she is the only one who can withdraw the Cryptopunk from the mixer
  • Alice verifies her address is signed into the note correctly by Bob
  • Once confirmed, the exchange is executed

Benefit

The real benefit of an NFT mixer is that Bob and Alice could each have different input and output addresses. Meaning:

  • Bob could deposit his Cryptopunk from Bob.eth
  • Alice could deposit her 50 ETH from Alice.eth
  • Alice could give Bob a new address for the note, like DefinitelyNotAlice.eth
  • And Bob could withdraw the 50 ETH to ForSureNotBob.eth

In this case it would appear that:

  • Alice bought something for 50 ETH
  • Bob sent his Cryptopunk somewhere (not necessarily a sale, bc Bob could potentially have created a 0 ETH “sale” to himself as a means to simply transfer his cryptopunk with plausible deniability; eg “No, I don’t still have it anymore. I just sold it.”)
  • DefinitelyNotAlice.eth was the one who bought the Cryptopunk for some amount
  • ForSureNotBob.eth sold something for 50 ETH

With enough NFT sales going through this mixer, there’d be enough of an anonymity set to radically decrease the traceability of NFT sales and transfers.

Risks

There are leaky aspects of this design:

  1. You’d always know that Bob.eth and DefinitelyNotAlice.eth had some kind of an agreement given the non-fungibility of the Cryptopunk is perfectly traceable (you just wouldn’t know how much it was sold for)
  2. Unless there are tons of ETH deposits in the same denomination as the buy amount, you’d more often than not know that Alice.eth and ForSureNotBob.eth had some kind of arrangement (but you wouldn’t know what NFT was traded)
  3. Mixers are most effective when there is some kind of time delay to them. However, NFT sale typically need to resolve quickly before markets move in either direction. So if Bob and Alice make their escrow deposits within an hour of each other to “lock in” the current market value of the sale, then outsiders might suspect a high likelihood that Bob.eth and Alice.eth made their arrangement together. Which subsequently would implicate both DefinitelyNotAlice.eth and ForSureNotBob.eth in the tx, as well, losing all anonymity for the entire tx
  4. You’d have to give your counter-party your new “anon” address, so Bob would forever know that Alice.eth is the same person as DefinitelyNotAlice.eth

Understanding and Mitigating Risks

There are probably more similar flaws to the design which introduce risk, but from the above list of problems:

  1. Ultimately this could never fully be resolved, and that might just be “good enough.” The only caveat being: there might be a way that Alice could abstain from claiming the Cryptopunk with her note, and she could subsequently use DefinitelyNotAlice.eth to sign a new timelock for another recipient to withdraw it instead. This could then be used to create a second sale of the Cryptopunk which would enable the first “buyer” to potentially never be publicly detected
  2. This can sometimes be resolved, but might also just have to be “good enough.” Alternatively, it might be possible to use zk state channel to only withdraw part of the note at a time and not the full note.
  3. Mindful strategies can eliminate this, such as (a) if NFT owners deposit their NFT to escrow long before they decide to sell and a buyer makes their deposit, and (b) if enough users create 0 ETH buys to obfuscate their NFT transfers among this network of sales
  4. Potentially, there might be a way to use a relayer as a middleman to obfuscate the output address of both parties

Bonus: TORN Utility

If there is, in fact, a way to use relayers to help mitigate against the risk of buyer-sell address sharing (problem #4), then it would be very appropriate for relayers to charge their fee in TORN. If TORN is required to mix NFTs in order to pay relayers, then suddenly there is terrific demand and utility for TORN beyond just governance.

Renumeration

If it is possible to build this and we can find a team willing, this can be funded by the Tornado Cash Community Fund (upon application approval by the community). In such an event, I nominate Rick to be included in the renumeration as part of the grant (someone should feel free to tweet this at Rick so he becomes aware of it)

6 Likes

Thanks @ethdev for this proposal.
NFTs are the trend of the moment and if it is feasible, it would add another very useful feature to the protocol. Especially since it would bring a new utility to the token, which is very important and heavily requested by the community. If it’s something that’s feasible, I would definitely be in favor of it.

1 Like

That seems overly complicated to me.

If I wanted to own some NFTs as anonymously as possible, I’d just:

  1. Create a fresh address (Metamask “account”) to hold them.
  2. Move enough ETH there, via Tornado, to buy them.
  3. Buy them.

If I later wanted to sell them, I’d sell them, then move the ETH to my main wallet through Tornado.

1 Like

The mixer could still be useful to a seller who wished to obfuscate how much they sold the NFT for when you bought it. Especially if they didn’t originally buy the NFT having used any privacy measures. With an established mixer, sellers might wish to make a sale conditional on a price-agnostic sale.

1 Like