Tutela - Tornado Cash Pool Anonymity Set Auditor

In late October, in response to the Tornado Cash (TC) Anonymity Research Tools Grant, we began building Tutela, an anonymity detection tool, to help Ethereum users to check:

1.) if their Ethereum addresses can be linked; and

2.) if their Tornado Cash transactions are compromised.

Since our last update 8 weeks ago, we’ve received incredibly helpful user feedback and have added functionality like ENS searching - thank you for your contributions! P.S. if you have feedback, we’d love to hear about it in the Tutela Discord Channel.

Our latest tool is the Tornado Cash Anonymity Pool Auditor. It allows you to see a more accurate anonymity set of each Tornado Cash Pool than the headline numbers. Before diving into it, a quick recap on Tornado Cash and TC Pool Anonymity Sets.

Quick Recap on Tornado Cash

@unbalancedparen provides an excellent summary of how Tornado Cash works here. I will provide a brief recap - apologies that many of already know this!

  1. In all Tornado Cash Pools apart from Nova, you can deposit a fixed amount of ETH in their pools (e.g., 1 ETH, 10 ETH, 100 ETH). With that deposit, you receive a note, which you can later use to withdraw your deposit to any address.

  2. Your anonymity is defined by the number of equal user deposits in a given pool. This is called the Anonymity Set. In the example below, D’s withdrawal could have come from A, B or C, so the anonymity set is 3 and the probability of correctly guessing the deposit / withdrawal connection is 1/3*.

  1. The more people that deposit in the pool, the greater the number of people that a withdrawal could have come from. If you add a 4th deposit above, the probability of being correctly detected decreases to 1/4.

  2. However, there are lots of ways users can compromise their privacy. If you can link A’s deposit to E’s withdrawal, then the pool’s anonymity set decreases from 3 to 2. This means the probability of correctly guessing your deposit / withdrawal connection increases to 1/2 because any withdrawal could only have come from B or C’s deposits.

  3. @Unbalancedparen’s team at Lambda School and István have codified 5 ways that Tornado Cash users can misuse the protocol to link their deposits and withdrawals and reduce the anonymity sets of Tornado Cash pools. More on them on below.

* For the nerdy details, this is simple combinatorics. The number of possible combinations in this example is 3C1 = 3. It assumes only 1 deposit and withdrawal per entity. Combinatorics is also why you should withdraw to multiple addresses - it meaningfully increases the set of possible deposit / withdrawal combinations and improves your privacy!

Five Tornado Cash Heuristics

  1. Address Match Reveal - Reuse of Deposit Address for Withdrawal

If a user deposits from an address and that address withdraws from the same pool, this deposit and withdrawal are assumed to be linked. There are cases when this may not be true but in general, these users are likely TORN yield farmers who do not care about privacy. We believe this heuristic is relatively deterministic.

H1 Address Match

  1. Unique Gas Price Reveal

This involves using the same unique gas price for a deposit and a withdrawal to different addresses. Many wallets like Metamask have gas price recommendation systems. However, if the user manually sets the amount of gas to pay, that amount will remain the default price that the wallet will use for other transactions, irrespective of the address used. Given this heuristic maps a unique deposit to a unique withdrawal, we believe it is deterministic.

  1. Linked Address Reveal - Transactions outside Tornado Cash

This heuristic looks at all the interactions between deposit and withdrawal addresses outside of Tornado Cash. If addresses have interacted more than 3 times, they are assumed to be owned by the same entity. This heuristic is probabilistic and can produce false positives, so we added the >3 interactions constraint to limit these. More interactions increases the likelihood that addresses are linked.

H3 Linked Addresses

  1. Multi-Denomination Reveal

If your deposit address mixes a specific set of denominations and your withdrawal address withdraws them all (e.g. if you mix 1x 10 ETH, 1x 1 ETH, 1x 0.1 ETH in order to get 11.1 ETH), then you could reveal yourself if no other wallet has mixed this exact denomination set. This is a probabilistic heuristic given multiple addresses have deposited and withdrawn the same combinations.

  1. TORN Mining Reveal - Careless Usage of Tornado Cash Anonymity Mining

Anonymity mining was an incentive scheme to increase the anonymity set in TC Pools (number of deposits). TC rewarded participants a fixed amount of anonymity points (AP) based on how long they left their assets in a pool.

After withdrawing assets, users can claim Anonymity Points. The amount withdrawn is recorded in the transaction. If a user uses an address to claim all of their anonymity points, you can calculate the exact amount of time their assets were in the pool and then potentially link their deposit and withdrawal addresses.

Tornado Cash Anonymity Set Auditor

Overview

The Tornado Cash Anonymity Set Auditor, computes the above heuristics for each Tornado Cash pool to determine how many potentially compromised deposits there are in each pool.

Try this yourself, by simply selecting the Tornado Cash Pool you are interested in from the drop down list on Tutela’s search page.

Results

Using the 10 ETH pool as an example, you’ll see that the Tornado Cash app, shows 28,188 equal user deposits as of late December.

Searching the 10 ETH pool address in Tutela returns that 8,060 deposits are potentially compromised by the five reveals above. The discrepancy in the number of equal user deposits is because our current dataset is from October. We will be introducing live updates shortly.

Worried you’ve compromised yourself in a pool?

There are two ways to check this:

  1. Input your deposit or withdrawal address on the Tutela Search Page to see your deposits, withdrawals and reveals using Tornado Cash - the results will look like the below.

  1. Input your deposit or withdrawal address at the bottom of the Tornado Cash Pool Address results page (shown two images above) to see if it has been linked in that pool. We don’t make these compromised transactions public without search to protect the identities of Tornado Cash Users.

Worried about your privacy? We don’t store your IP addresses (use a VPN anyway please!) or have any permanent search storage. Check for yourself, our code base is publicly available here.

What Next? Machine Learning, Tx Data & Live Updates

Next up, we are working on applying Diff2Vec, a ML algorithm, to the entire set of Ethereum transactions. This is to cluster Ethereum addresses and empower everyday users to understand what the likes of Chainalysis can find out about them. Excitingly, this may be the first public application of Diff2Vec at scale!

We are concurrently working on displaying ethereum transaction data to show you when you revealed yourself and a live data feed. Until next time!

Project Contributors:

  • Will McTighe, a Stanford MBA, is managing this team effort.
  • Mike Wu, a Stanford PhD in AI, is leading the clustering and ML analysis.
  • Kaili Wang, a 4th year computer science major at Stanford, is leading front-end development.
  • Dr. Nick Bax, a Stanford PhD graduate who has traced funds related to several hacks and recently published on tracing the WannaCry 2.0 malware Monero transactions. Nick leads the identification of heuristics.
  • István A. Seres, an applied mathematician, leads defining heuristics and the research part of the project.
  • Federico Carrone, Founder of LambdaClass, is in charge of a team of computer scientists, computer engineers and data scientists (mathematicians, physicists, engineers) who work on Zero Knowledge proof cryptography.
  • Tomas De Mattey, a UNTreF Grad, project manages the Lambda team.
  • Manuel Puebla, a UBA Mathematics grad, supports the Tornado Cash heuristics research.
  • Herman Obst Demaestri, a UBA engineer, leads Tornado Cash heuristics development.
  • Mariano Nicolini, a UBA physics grad, supports Tornado Cash heuristics development.
  • Pedro Fontana, a UBA Mathematics grad, supports Tornado Cash heuristics development.
6 Likes