Privacy Question AP-Mining

  1. For the security experts here I want to ask if I am leaking my privacy since I am a regular user of tornado cash. I make regular deposits into the eth pools. For the example say 5 (A, B, C, D, E). They are deposited over week and withdrawn of differing weeks. None of the 5 deposits happen at the same time and none of the withdrawals at the same time. “A” was withdrawn by relayer to a new address. Then I claim the AP from mining and convert it to TORN for the notes of C and D (on same day A is withdrawn) and deposited to the same address A is at.

Unless I am missing something (and the point of this post) what could be discerned?

  1. Secondly since I do not understand the AP process that well despite reading many posts here, what information is left available for an adversary to find? Just the amount of AP converted to Torn and the rate at time of conversion? Can someone determine specifically how many notes were converted?

  2. Lastly, what benefit would an analytics company such as ciphertrace, chainalysis gain from becoming relayers? If there is a benefit I am sure tehy already are. What info does a relayer capture?


Very good questions, I hope one of the devs sees this and can help.

Are you refreshing your Metamask (assuming that’s what you use) API key before every interaction? Otherwise Metamask—or someone who can pressure/coerce Metamask—could in theory link everything you do.

I haven’t figured out yet how to swap out the Metamask API key efficiently. Currently I reinstall the extension before every withdrawal or deposit. Yes, it’s painful. But you gotta do what you gotta do.

It’s probably a good idea to also alternate between a number of separate browsers, given how many ways there are to fingerprint browsers. Also, you should obviously always use Tor.

One additional question regarding anonymity mining:
Do I make it easier for an analytics company to link multiple ETH withdrawals to the same person if I later withdraw TORN from several notes in one go (to save on fees)? Or is the anonymity mining activity not linkable to the ETH mixing activity?

Have you reviewed MetaMasks privacy policy? I have not and am curious if they maintain records of the API keys as you are alluding to. I do not know but would be curious what the company says.

I would think you make it super easy if you only withdraw one note. I would think withdrawing several notes makes it almost impossible for any analytics company to trace IMO as they do not know how many AP went with each note…

There is trustless, and there is trusted. Companies rarely make disclosures this detailed. Also, I haven’t looked because I don’t care what they say, I care what I can verify.

To clarify, my question is whether any information is linked when multiple notes are withdrawn together. Most importantly, anything that could be used to conclude that 2 ETH withdrawals are likely to belong to the same actor.