Mimblewimble’s Privacy Model Unveiled

Mimblewimble may no longer be considered a viable alternative to Zcash or Monero because of holes in its security and privacy protocols. A researcher was able to uncover the exact addresses of senders and recipients for almost all Grin transactions in real time using just $60 a week of AWS spend. Stick with us to find out more.

The Issue at Hand

Invented back in 2016, Mimblewimble has grown in popularity in recent years as a promising lightweight privacy protocol. Over time, several researchers have pointed out a potential privacy weakness in the network. The researcher Ivan Bogatyy made it his mission to expose the deficiency to the community. He managed to unmask the flow of transactions and identify the addresses of both senders and receivers of Grin with a 96% success rate. This is almost complete transparency and makes it clear that Mimblewimble cannot be relied upon when it comes to privacy.

How Did Bogatyy Do It?

Shortly after his discovery, Ivan published a long post on GitHub about this potential threat and explained the process he followed to carry it out. If you would like a very detailed explanation, you can check out his official post.

In as few words as possible: Ivan modified a Grin full node into a sniffer node, which logs all intermediary transaction gossip data, including the data for not-yet-aggregated transactions. This worked, and he was able to identify the parties to a transaction with a 96% success rate. As a network that is supposed to provide privacy, it fails in its main goal.

Nature of The Attack and Linkability

We would like to mention that this type of attack does not let you see the amounts in a transaction, only the two parties that are sending or receiving the assets. In other words, you are essentially linking transactions together. Such attacks are not possible in Zcash, for example: that network is unlinkable because each shielded transaction has a large anonymity set. Your transaction is mixed with other ones and is practically impossible to distinguish or track.

Essentially, Mimblewimble encrypts the amount of assets in the transaction but still leaves a linkable transaction graph. The developers knew this and added some defenses against linkability. One of them is the Dandelion protocol, which has two major functions. The first is to prevent the originator of the transaction from being tracked. In the Bitcoin network, for example, the originator of a transaction broadcasts it to all of its peers, and it quickly moves through the whole network. With Dandelion, the originator informs just one of its peers, which then informs only one other peer, and so on. After a few hops, the last peer broadcasts the transaction to all of its peers; by then the original source is nowhere nearby and is therefore impossible to track.

While this is a great way to hide the IP of the sender, the protocol has a second function as well. It is well equipped to deal with sniffer archive nodes, which are nodes that record logs of transactions. Due to the nature of Dandelion, transactions get aggregated early in the chain, and by the time they are actually broadcast for the archive nodes to see, they have already been CoinJoined. According to Ivan Bogatyy, even this defense can be defeated. By default, nodes connect to 8 other peers. By increasing the number of peers, a sniffer node can connect to every other node, and if it stays online long enough it becomes a “supernode” (basically a node connected to a large number of nodes). Once that is done, there is a high chance that it sits in the Dandelion chain for almost every transaction. This is how he achieved the 96% success rate of identifying sending and receiving addresses.
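To make the exposure argument above concrete, here is an added example (not code from the article, from Bogatyy's post or from Grin) that estimates how often a single observing node ends up on a transaction's Dandelion stem path. It is a simplified model and does not reproduce the measured 96% figure: the 8 honest peers come from the text, while the 0.9 stem-continuation probability, uniform peer choice and the `coverage` parameter (fraction of nodes peered with the observer) are assumptions.

```python
import random

def exposure_closed_form(coverage, honest_peers=8, stem_prob=0.9):
    """Probability that the observer is picked as a stem relay before fluff."""
    # q: chance that one stem hop lands on the observer. The relay must be
    # peered with it (coverage) and pick it among honest_peers + 1 choices.
    q = coverage / (honest_peers + 1)
    # N = P(never picked) satisfies N = (1-q) * ((1-p) + p*N).
    never = (1 - q) * (1 - stem_prob) / (1 - stem_prob * (1 - q))
    return 1 - never

def simulate_exposure(coverage, honest_peers=8, stem_prob=0.9,
                      trials=20000, seed=1):
    """Monte Carlo check of the same model (assumed, simplified Dandelion)."""
    rng = random.Random(seed)
    exposed = 0
    for _ in range(trials):
        while True:
            # Current relay forwards the transaction to exactly one peer.
            peered = rng.random() < coverage
            if peered and rng.randrange(honest_peers + 1) == 0:
                exposed += 1   # observer saw the pre-aggregation transaction
                break
            # Next honest relay: keep stemming, or fluff (broadcast) and stop.
            if rng.random() >= stem_prob:
                break
    return exposed / trials

if __name__ == "__main__":
    network_size = 3000  # constructed value, for illustration only
    for label, cov in [("ordinary node (8 peers)", 8 / network_size),
                       ("peered with half the network", 0.5),
                       ("supernode (every node)", 1.0)]:
        print(f"{label:30s} closed-form={exposure_closed_form(cov):.3f} "
              f"simulated={simulate_exposure(cov):.3f}")
```

In this model an ordinary 8-peer node sits on the stem path of well under 1% of transactions, while a node peered with everyone sits on more than half, which is why limiting how much of the network one peer can reach matters as much as the stem length.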

Conclusion

We would like to finish our news article with some final thoughts on the situation and on Mimblewimble in general. Linkability and its issues aside, it is still a unique project with valuable properties and technology. The cut-through aggregation hides transaction amounts. If you are looking for good privacy, unfortunately, Mimblewimble is not strong enough for that. It can be combined with another protocol, such as Ethereum 9 ¾, in order to hide the transaction graph as well. Ivan Bogatyy states that he and the community will continue to make proposals to the team on how to combat this and help the network push through the hardships.