Hi, I’ve been trying to understand the guidance to use a completely separate address + relayer for claiming AP: why is this needed? Say we used a withdrawal address to accumulate and swap AP, but were careful not to swap amounts/timings which would reveal the exact number of blocks spent in the pool: what would this reveal to an attacker that they didn’t already know about that address? Is it that the AP balance can be inspected on-chain if the holding address is known? Thanks!
- if you want to withdraw TORN (from swapped AP) to a virgin address (no ETH or other history)
- if you want to manufacture plausible deniability (“I didn’t withdraw TORN, someone else must’ve done it!”)
- if you don’t want to pay gas in ETH, then you can just give a relayer some TORN to sign the tx for you
Thanks for the response, some follow-up questions if you don’t mind:
- Can’t we still accomplish this using a relayer for the AP/TORN swap?
- This makes sense, though if I’m understanding correctly any AP withdrawn to an address would be “as deniable as” any ETH/whatever else already in said account? That is, if there weren’t already a connection between the ETH address and our identity, extracting AP there wouldn’t create any new way to discover it (again, assuming that we disguise the AP/TORN exchange amounts to prevent inference from AP/block rates).
- Also makes sense, though this is the reason I started wondering about this question in the first place… I could be interpreting the numbers wrong, but at the current rates it seems like going through a relayer is ~2x as expensive as paying in ETH.
Sorry, normally I’d be glad to go figure things out on my own, but I’m hoping this discussion also helps others who may have been wondering similar things. Thanks again!
Wow, I totally messed up my response and answered as if you were asking about using relayers for AP/TORN swaps, not AP claims. Sorry.
- Yes, it’s possible at both relayer points
- What I said here isn’t even applicable bc AP is linked to your private account, not public. Sorry.
- Depends on the size of the relay and the relayer fee, but yes. It usually comes out to be just less than 2x as expensive as paying in ETH.
Here’s the real answer to the AP claim question: it might be useful to accumulate many AP claims via a relayer so as not to reveal the frequency of claims a single address is making.
For example, Bob makes 3 claims in a week for a private account (undisclosed amount of AP), and then makes an AP/TORN swap at the end of the week. The AP/TORN swap reveals that Bob claimed 237.56 TORN at a publicly available AP/TORN rate of 1.283 million AP per TORN, revealing that Bob has at least 304.79 million AP. A malicious party could then go on chain and look for 3 potential deposit/withdraw transaction pair sets that are bunched together in a similar time frame (such as also all within one week) that might add up to 304.79 million AP.
This might sound difficult, but even knowing the number of AP claims made to acquire 304.79 million AP is enough to narrow down the possible deposit/withdraw transaction pairs to maybe a few dozen sets. This would be especially true given that AP mining has only been live for a few months (only have to search sets from the last 90-120 days).
Great explanation, thanks. I think the part that I was underestimating is the difficulty of that last part of the attack, where the adversary must find all k-sums > our AP claim. You point out what I think is the key observation, that we’re still so relatively early on in the lifetime of the protocol that brute force is well within reason for solving a combinatorial problem of this scale.
Thinking it through, then, it seems like any of the following would make life harder for our attacker:
1. Spread out our AP collection over more deposits/claims to increase k
2. Swap AP for TORN in smaller amounts, to increase the number of k-sets whose sum could be greater than our withdrawal
3. [As the documentation often suggests] spread out our deposits / withdrawals over time to prevent them from being correlated to each other.
3a. On this theme, another defense it seems we have is to avoid withdrawing/claiming all deposits at once, so that the number of claims can’t be used as a clue.
3b. “Wait longer” also naturally solves the problem of AP mining being relatively young, since the number of claims should steadily grow over time.
As fun as it is to discuss, this seems like somewhat of an academic discussion for now: given that properly gaming (1) and (2) will also incur more transactions/fees, at some point it becomes more cost-effective to just pay for the AP relay.
In any event, thanks again for the thoughtful responses. Cheers!
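To put numbers on how claim count (k) and swap size change what an observer can rule out, here is an added example that is not part of the thread and not Tornado Cash code. It reuses Bob's 237.56 TORN swap and the 1.283 million AP per TORN rate from above; the candidate AP values are constructed, and the function names are hypothetical.

```python
from itertools import combinations

# Constructed sample: AP (in millions) that each candidate deposit/withdraw
# pair inside the observer's search window could have earned. Not chain data.
CANDIDATE_AP = [20, 45, 60, 85, 100, 120, 150, 200]
AP_PER_TORN = 1.283  # million AP per TORN, the public rate quoted in the thread


def revealed_ap(torn_swapped, rate=AP_PER_TORN):
    """Lower bound on AP held (millions) that a public AP/TORN swap discloses."""
    return torn_swapped * rate


def matching_sets(candidates, k, min_ap):
    """All k-sized sets of candidate pairs whose combined AP covers min_ap."""
    return [c for c in combinations(candidates, k) if sum(c) >= min_ap]


def ambiguity(candidates, k, torn_swapped):
    """Number of k-sets that remain consistent with a given swap."""
    return len(matching_sets(candidates, k, revealed_ap(torn_swapped)))


if __name__ == "__main__":
    full, half = 237.56, 237.56 / 2
    for k in (2, 3, 4):
        print(f"k={k}: full swap -> {ambiguity(CANDIDATE_AP, k, full)} sets, "
              f"half swap -> {ambiguity(CANDIDATE_AP, k, half)} sets")
```

On this sample, both raising k and halving the swap enlarge the set of explanations that stay consistent with the public swap, which is the effect points 1 and 2 rely on.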