Tornado.cash is a recently announced dApp on Ethereum that allows private transactions on the otherwise public Ethereum network. Private transactions have been a lot sought after feature on Ethereum, with many projects developing such features. Private transactions are a transfer of funds that provide a measure of privacy in the otherwise quite-public Ethereum network. In the case of Tornado.cash, the measure of privacy is in disconnecting between the entity sending the funds, and the one receiving the funds.
To do this, Tornado.cash uses a mixer contract, in which the funds mix together. Using Zero-knowledge-proofs, Tornado.cash provides mechanisms for deposits to and withdrawal from this mixer contract while hiding the relationship between the sender and the receiver. Each withdrawal could be from any previous deposit. The Tornado.cash contract is designed to be decentralized and non-custodial, leaving users in full control of their funds throughout the process. Under the Tornado.cash implementation, the operator of the mixer receives a predetermined fee for each transaction.
The Tornado.cash project is an elegant solution to enabling somewhat private transactions over Ethereum, and uses existing technologies and is already available for use today on the mainnet. The Tornado.cash team have highlighted the project is still in beta phase, and use is still risky. This project is a great example of community projects and their benefit to the entire ecosystem, pushing the technology to its extremes.
Reviewing the Tornado.cash contracts, we can see once again proof that truly decentralized applications are a difficult thing to create. While we have no doubt the team had the greatest of intentions, constructing systems that are secure against their own creators is a challenging task.
Reviewing the contracts in-depth, our analysis shows the current contract implementation allows the contract's operator to halt all withdrawals from the mixer. The full technical details are available below. The direct meaning of this issue is that the Tornado.cash team or any future operator of the mixer can freeze all funds currently in the mixer. We're confident the team has no intention to use this bug to their advantage, and the team has been very vocal that the contracts are still being reviewed.
Nevertheless, we see this as proof once again, that writing contracts that are safe and decentralized is a challenging task, and can be impacted by even the slightest issue.
Full Issue Technical Details
Tornado.cash contract's withdraw function transfers a constant allowed value minus a fee to the receiver and then transfers the fee to the contract's operator. The contract's operator is an address determined in the constructor, and that can be changed only by the current operator. If the contract's operator itself happened to be a contract where Ether can not be received, e.g. there is no payable function in the contract or the existing payable function reverts, or the payable function is gas heavy, then the whole transaction would be reverted, including the receiver's withdrawal. In other words, funds that have been deposited are locked until the flawed operator contract is replaced, and it puts the operator in a spot of a centralized single point of failure component.
Put the operator's fee transfer logic in a different function, that can only be invoked in a different transaction, and this way eliminate the receiver dependence on the operator's contract.
About Valid Network
Valid Network’s blockchain security platform provides complete life cycle security for enterprise blockchains from initial development to active deployment and management. Based in Be'er Sheva, Israel, the company’s solutions enable enterprises to innovate with blockchain faster, providing complete visibility and control over their distributed applications and smart contract governance, compliance, and security posture through advanced platform capabilities.
Secure the block with Valid Network.
Learn more: https://valid.network
When we hear about Denial of Service attacks in the news, they usually target websites and web applications. But blockchain implementations in cryptocurrencies and various forms of record keeping technologies can be particularly vulnerable to Denial of Service attacks due to having millions of users.
We are excited to announce Ethereplay by Valid Network, a free community tool to support examining, analyzing, optimizing and securing of smart contract code on Ethereum.
What do blockchain, VPN, and SSH all have in common? They’re all implementations of cryptographic technology.