The privacy model of proof-of-work blockchain Mimblewimble is “fundamentally flawed,” argues Ivan Bogatyy, a founding partner at Dragonfly Capital. No it isn’t, claims Daniel Lehnberg of Grin, a popular implementation of Mimblewimble.
This is a big deal—and it has not yet been settled. If Bogatyy is right (Lehnberg says he is not!), it would undermine the main reason to use Mimblewimble, which prides itself on being a scalable, privacy-based protocol that verifies transactions without having to store the entire history of the chain. It was invented in 2016 by the pseudonymous Tom Elvis Jedusor, who—like the protocol itself—takes their name from Harry Potter.
So, has MimbleWimble been Avada Kedavra’d, or what?
Player 1 enters the game
Bogatyy wrote that he managed to “uncover the exact addresses of senders and recipients for 96% Grin transactions in real time,” while “only connecting to 200 peers out of the total 3000 peers in Grin’s network.” That is bad since he asserts he can work out who paid whom—his attack links transactions together to “determine the flow of payments.”
Further: with a bit more money, Bogatyy claims he could easily ramp up the number to 100 percent.
This, unsurprisingly, would pose a serious problem. For example, imagine that an authoritarian government knows a certain address belongs to a political dissident, and you send the dissident a small donation through Mimblewimble, believing it to be private. Making use of Bogatyy’s exploit, “the government can see the entire transaction graph.” This way, they now know that you supported a political dissident. Uh-oh!
How? Though Mimblewimble leaves a graph that allows overseers to link transactions, it makes use of several techniques to obfuscate the flow of transactions.
First, Mimblewimble uses “full-block cut-through aggregation,” a technique in which individual transactions are bunched together into one “super-transaction.” But Bogatyy says this doesn’t work. Because the “super-transaction” is built up one transaction at a time, “it’s trivial to unwind.”
The second way Grin obscures transactions in Mimblewimble is the Dandelion protocol, where the first person in a transaction secretly “whisper[s] their transaction to just one peer, who whispers it to one other peer, and so on in a chain.” At a random interval, one peer proclaims the transaction, and it’s added to the block.
But in Grin, Bogatyy argued, “whenever two transactions cross in their Dandelion chains, they’ll get aggregated early. If this happens, then by the time the transaction is broadcast for everyone to observe, a sniffer node cannot disaggregate them.” If you set up enough “sniffer nodes”—nodes seeking to root out the originator of the transactions—it’s easy to root out transactions, because, eventually, all transactions will reach the sniffer.
And bingo: “In my attack, I was able to link 96% of all transactions while only connecting to 200 peers out of the total 3000 peers in Grin’s network,” Bogatyy says.
Bogatyy’s piece spread across the crypto community, even capturing the attention of Ethereum creator Vitalik Buterin. “If your privacy model has a medium anonymity set, it really has a small anonymity set. If your privacy model has a small anonymity set, it has an anonymity set of 1. Only global anonymity sets (eg. as done with ZK-SNARKs) are truly robustly secure,” tweeted Buterin.
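The aggregation and Dandelion passages above can be made concrete with a small model. This is an added example, not code from Grin or from Bogatyy's write-up; it reduces a transaction to a pair of input and output label sets, and every label and view in it is constructed. It compares how many inputs each output could have come from for someone who only reads the finished block versus an observer who saw some transactions before they were merged.

```python
# Simplified model: a transaction is (inputs, outputs). All labels are constructed.
TXS = {
    "tx1": ({"in_a"}, {"out_b"}),
    "tx2": ({"in_c"}, {"out_d", "out_e"}),
    "tx3": ({"in_f"}, {"out_g"}),
    "tx4": ({"out_b"}, {"out_h"}),  # spends tx1's output
}

def aggregate(tx_ids):
    """Merge transactions; outputs spent inside the merge are cut through."""
    ins = set().union(*(TXS[t][0] for t in tx_ids))
    outs = set().union(*(TXS[t][1] for t in tx_ids))
    spent_inside = ins & outs
    return ins - spent_inside, outs - spent_inside

def candidate_inputs(view):
    """Map each output the observer saw to the number of inputs it could come from.

    `view` is a list of groups; each group holds the transactions that were
    already merged together when the observer first saw them.
    """
    sizes = {}
    for group in view:
        ins, outs = aggregate(group)
        for out in outs:
            sizes[out] = len(ins)
    return sizes

def linked_fraction(view):
    """Fraction of all transactions the observer saw on their own, un-merged."""
    alone = sum(1 for group in view if len(group) == 1)
    return alone / len(TXS)

# Someone who only reads the finished block sees one big aggregate.
BLOCK_VIEW = [["tx1", "tx2", "tx3", "tx4"]]
# A relay observer saw tx1 and tx4 alone; tx2 and tx3 had merged before reaching it.
RELAY_VIEW = [["tx1"], ["tx2", "tx3"], ["tx4"]]

if __name__ == "__main__":
    print(candidate_inputs(BLOCK_VIEW))
    print(candidate_inputs(RELAY_VIEW))
    print(linked_fraction(RELAY_VIEW))
```

In the block view every output has three candidate inputs; in the relay view the outputs of tx1 and tx4 drop to one candidate each, while the early-merged tx2 and tx3 still share two.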
Wipe that smile off your face
Ah, but Grin’s Lehnberg isn't having any of it. Lehnberg says the problem is “well-documented,” and is listed as one of Grin’s Open Research Problems.
Worse, says Lehnberg, “Numerous claims, including the title of the article itself, are factually inaccurate.” The attack “does not ‘break’ Mimblewimble nor is it anywhere close to being so fundamental as to render it or Grin’s privacy features useless.”
So where does Lehnberg say Bogatyy went wrong? “Mimblewimble doesn’t have addresses such as those that might be linked to a particular Bitcoin wallet,” and so “It’s not possible to link addresses that do not exist.” Of Bogatyy’s concerns about authoritarian governments? “It’s unclear how law enforcement would know anything about a non-existent address.”
Lehnberg says that all Bogatyy can really determine through the attack is that “Output A spends to Output B.”
We'd like to say who is right, but we just report the news.