Tutela v1 - an Ethereum and Tornado Cash Anonymity Tool

An Introduction to Tutela, an Ethereum and Tornado Cash Anonymity Tool

Over the last three weeks, in response to the Tornado Cash (TC) Anonymity Research Tools Grant, we have built Tutela v1, an Ethereum wallet anonymity detection tool, to tell you if your blockchain transactions have revealed anything about your identity.

What does this mean? Well, for example, if you have used multiple Ethereum wallets to send tokens to a single centralized exchange deposit address, you may have revealed that your wallets are owned by the same entity.

We’d love to get user feedback! Tell us what you like, what you don’t and what you think is missing! Please leave your feedback in the Tutela-Product-Feedback channel of the Tornado Cash Discord.

The Tornado Cash User’s Dilemma

Tornado Cash users have multiple addresses and use Tornado Cash to hide this fact. We believe the most important need for this user base is to know whether their addresses can already be connected by third parties.

Tutela, an Anonymity Detection Tool

In response, our initial MVP has focused on informing users which of their Ethereum addresses are “affiliated” (a non-blockchain analogy would be haveibeenpwned.com). This involves using a clustering algorithm and two heuristics (i.e. reveals) so far, the Ethereum deposit address reuse heuristic [1] and the Tornado Cash unique gas price heuristic [2]. We plan to refine and add additional heuristics over time.

Current Heuristics

Ethereum Deposit Address Reuse Heuristic

When you send tokens from an Ethereum wallet to your account at a centralized exchange, the exchange creates a unique deposit address for each customer. If you reuse the same deposit address by sending tokens from multiple Ethereum wallets to it, your two wallets can be linked. Even if you send tokens from multiple wallets to multiple deposits, all of these addresses can be linked. In this way, it is possible to build a complex graph of address relationships.

Tornado Cash Pools Unique Gas Price Heuristic

Pre-EIP-1559 Ethereum transactions contained a gas price. Users can set their wallet gas fee and pay a very specific gas fee (e.g. 147.4535436 Gwei) when they deposit in a Tornado Cash pool. If they also withdraw from that same Tornado Cash pool using the same wallet application (e.g. MetaMask) but a different wallet address, and haven’t changed the gas fee, it could reveal that the two addresses are connected.

Heuristic Interactions

Heuristics can influence each other. For example, the unique gas price heuristic can be used to connect two wallet addresses that merge two clusters found by deposit address reuse. As more heuristics are incorporated, this interaction could enable sophisticated functionality.

How to use Tutela

Landing Page

  • On the landing page, you can input an Ethereum wallet address.
  • For now, addresses are categorized as externally-owned accounts (eoa), centralized exchange deposit addresses and centralized exchange addresses. We plan to add labels for decentralized protocol addresses as we further develop the product.

Results Page

  • If we’ve found other Ethereum addresses associated with this address, they will appear on the left-hand side, as you can see above. In this example, it looks like Tutela found many EOA addresses associated with a single deposit address, likely a user with multiple wallets.
  • On the right hand side, you’ll see an overall anonymity score - 100 is highly anonymous and 0 is no anonymity.
  • Below that, you’ll see boxes for entity which denotes type of address, name, which denotes a label (e.g. Binance 1), conf which denotes how confident we are that addresses are linked and cluster type, which at this stage is either “dar” (deposit address reuse) or “gas” (unique gas price).

Next Steps

Our plan for the next two months is to refine and develop Tutela v1 by:

  1. Getting your feedback!
  2. Refining the deposit reuse heuristic
  3. Adding anonymity set scoring for Tornado Cash pools
  4. Providing transaction by transaction reveal data (studying anonymity over time)
  5. Identifying, testing and implementing Tornado Cash Specific Heuristics:
       • Same deposit and withdraw address to a specific TC pool
       • Transactions between deposit and withdrawal addresses from a specific TC pool
       • Linking equal value deposits and withdrawals to specific deposit and withdrawal addresses - if there are multiple (say 12) deposit transactions coming from a deposit address and later there are 12 withdraw transactions to the same withdraw address, then we could link all these deposit transactions to the withdraw transactions
       • Careless TC anonymity mining - anonymity mining is a clever way to incentivize users to participate in mixing. However, if users carelessly claim their Anonymity Points (AP) or Tornado tokens, then they can reduce their anonymity set. For instance, if a user withdraws their earned AP tokens to a deposit address, then we can approximate the maximum time a user has left their funds in the mixing pool. This is because users can only claim AP and TORN tokens after deposit transactions that were already withdrawn.
       • Profiling deposit and withdrawal addresses - collect and analyze the behaviour of all addresses that have interacted with Tornado Cash pools
       • Wallet fingerprinting - different wallets work in different ways. We have several ideas on how we can distinguish between them. It will allow us to further fragment the anonymity sets of withdraw transactions.

We Need Your Help!

Tutela is still in its very early stages and we are looking for feedback at all levels. Let us know your thoughts, critiques, and suggestions in the Tutela-Product-Feedback channel of the Tornado Cash Discord. How can we make Tutela something useful for you? What features or heuristics are we missing?

Project Contributors:

  • Will McTighe, a Stanford MBA, is managing this team effort.
  • Mike Wu, a Stanford PhD in AI, is leading the clustering and ML analysis.
  • Kaili Wang, a 4th year computer science major at Stanford, is leading front-end development.
  • Dr. Nick Bax, a Stanford PhD graduate who has traced funds related to several hacks and recently published on tracing the WannaCry 2.0 malware Monero transactions. Nick leads the identification of heuristics.
  • István A. Seres, an applied mathematician, leads defining heuristics and the research part of the project.
  • Federico Carrone, Founder of LambdaClass, is in charge of a team of computer scientists, computer engineers and data scientists (mathematicians, physicists, engineers) who work on Zero Knowledge proof cryptography.
  • Tomas De Mattey, a UNTreF Grad, project manages the Lambda team.
  • Manuel Puebla, a UBA Mathematics grad, supports the Tornado Cash heuristics research.
  • Herman Obst Demaestri, a UBA engineer, leads Tornado Cash heuristics development.
  • Mariano Nicolini, a UBA physics grad, supports Tornado Cash heuristics development.
  • Pedro Fontana, a UBA Mathematics grad, supports Tornado Cash heuristics development.

Sources:

[1] Address clustering heuristics for Ethereum. Friedhelm Victor, 2020.

[2] Blockchain is Watching You: Profiling and Deanonymizing Ethereum Users. Beres, Seres et al., 2021.

9 Likes
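
The two heuristics and their interaction from the post above, as an added example that is not part of the original post or Tutela's own code; the clustering here uses union-find, which is a choice made for this sketch. The addresses, pool name, transactions and the exact definition of a "unique" gas price (exactly one deposit and one withdrawal at that price in a pool) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data, not real chain data; all addresses are placeholders.
EXCHANGE_DEPOSITS = {"dep1", "dep2"}  # assumed to be labelled exchange deposit addresses
TRANSFERS = [("A", "dep1"), ("B", "dep1"), ("C", "dep2"), ("D", "dep2"), ("E", "dep3")]
# (kind, pool, address, gas price in wei) for pre-EIP-1559 pool transactions
POOL_TXS = [
    ("deposit", "1ETH", "B", 147_453_543_600),   # 147.4535436 Gwei
    ("withdraw", "1ETH", "C", 147_453_543_600),
    ("deposit", "1ETH", "F", 100_000_000_000),   # round price shared by several txs
    ("withdraw", "1ETH", "G", 100_000_000_000),
    ("withdraw", "1ETH", "H", 100_000_000_000),
]

class UnionFind:
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def dar_links(transfers, deposits):
    """Deposit address reuse: every sender is tied to the deposit address it funded."""
    return [(src, dst) for src, dst in transfers if dst in deposits]

def gas_links(pool_txs):
    """Unique gas price (assumed definition): one deposit, one withdrawal, two addresses."""
    seen = defaultdict(lambda: {"deposit": [], "withdraw": []})
    for kind, pool, addr, price in pool_txs:
        seen[(pool, price)][kind].append(addr)
    return [(s["deposit"][0], s["withdraw"][0]) for s in seen.values()
            if len(s["deposit"]) == 1 and len(s["withdraw"]) == 1
            and s["deposit"][0] != s["withdraw"][0]]

def linked_to(addr, links):
    """Addresses that share a cluster with addr once all links are merged."""
    uf = UnionFind()
    for a, b in links:
        uf.union(a, b)
    root = uf.find(addr)
    return {x for x in list(uf.parent) if uf.find(x) == root and x != addr}

if __name__ == "__main__":
    print(sorted(linked_to("A", dar_links(TRANSFERS, EXCHANGE_DEPOSITS) + gas_links(POOL_TXS))))
```

The 100 Gwei transactions produce no link because that price is shared by several withdrawals, while the single B-to-C gas match merges the two deposit-reuse clusters into one.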

Thank you for the status update. Would be nice to have HTTPS … otherwise Exits (for example) can see and correlate all the usage activity. (PS: Haven’t tested the tool in detail, yet.)

Thanks @pass123, this is on our roadmap for this week.
We are posting weekly updates in the Discord Channel and have a larger feature release coming up soon which evaluates the anonymity of Tornado Cash Pools.