What is Tornado Cash?
Tornado Cash is a decentralized privacy solution built on the Ethereum blockchain. By using zero-knowledge proofs, it enables users to break the link between transactions on the chain and enhances transaction privacy between the addresses used for depositing and withdrawing.
When a user deposits cryptocurrency into Tornado, a secret hash is generated. This deposit undergoes a commitment process, which is a process that determines ownership along with the associated hash. During the withdrawal process, the user must provide the secret hash as proof of ownership while keeping their activities on the chain anonymous.
Tornado Cash operates as a community-driven initiative. In May 2020, the developers of Tornado relinquished control over the protocol’s multi-signature wallet through a contract update known as the Trusted Setup Ceremony. As a result, the founders no longer have authority over Tornado, and a fully decentralized protocol emerged.
Tornado Cash’s native currency is TORN, an ERC-20 token with a maximum supply of 10 billion tokens. TORN allows token holders to make proposals and vote on changes to the protocol. Additionally, TORN holders accumulate Anonymity Points as they use the protocol, which can be deposited into a secure account and exchanged for TORN tokens.
How to Use Tornado Cash?
By using the Tornado protocol, you can enhance your privacy on a public network like Ethereum and obfuscate your blockchain transaction link. This allows you to deposit assets into the protocol and later withdraw them to your web3 wallet.
For example, let’s say Ali wants to hide a 100 ETH transaction on the blockchain. To do this, Ali can send the tokens to the Tornado protocol, where they will be mixed in liquidity pools. Then, with the help of the protocol, Ali can withdraw the mixed tokens to a separate address to ensure anonymity on the blockchain.
However, it is important to note that the privacy provided by the protocol is only partial, as anonymity cannot be guaranteed without additional measures in the upstream and downstream processes.
To maximize privacy, Tornado Cash suggests specific precautions such as using a VPN to prevent third parties from identifying your Tornado Cash usage, clearing browsing history, being patient during asset withdrawal to prevent address correlation after the mixing process, and using multiple addresses.
If you want to use Tornado Cash and take advantage of its services, you can follow these simple steps:
- Visit the Tornado Cash website.
- Connect your web3 wallet and select the asset you want to mix.
- Deposit your funds and securely copy your private key.
- Complete and sign the transaction.
- Wait for some time using multiple addresses before withdrawing your assets.
Note: Please be aware that using Tornado Cash may result in your wallet being banned by certain institutions and websites. Using a wallet connected to your current wallet will increase your risk.
How Does Tornado Cash Work?
Tornado Cash operates by breaking the link between deposit and withdrawal addresses, significantly enhancing the privacy of on-chain activities.
Utilizing smart contracts, Tornado Cash accepts Ethereum (ETH) deposits and allows users to withdraw funds to multiple addresses. Additionally, the use of a Router enables withdrawals to an address without an ETH balance, further strengthening privacy.
Tornado Cash functions as a mixer to preserve the anonymity of on-chain activities through the implementation of zkSNARKs proofs. These proofs involve two parties:
- Prover: The entity aiming to validate a hypothesis.
- Verifier: The entity responsible for verifying the legitimacy of the prover’s claims.
Anonymity mining is another feature of Tornado Cash. This feature enables Tornado to reward users who support project operations through liquidity mining. Tornado ensures privacy even during the mining process by employing a two-stage protected liquidity mining approach.
When users deposit funds into the Tornado Protocol, they receive Anonymity Points in protected accounts. These accounts do not expose user account balances, addresses, or types of assets held. When users accumulate the required minimum number of Anonymity Points, they can convert them into TORN tokens through Tornado Cash’s Automatic Market Maker (AMM).
It is important to note that Anonymity Points can only be claimed for the specific Tornado Cash notes used. Therefore, the reward process requires the introduction of zero-knowledge proofs in the protocol to determine the appropriate allocation of Anonymity Points.
US Sanctions on Tornado Cash
Tornado Cash, as a cryptocurrency protocol, has been subjected to sanctions by the US Treasury on August 7, 2022. The Treasury claims that the protocol has failed to implement effective controls to prevent money laundering on behalf of malicious cyber actors. As a result, US crypto users and businesses are prohibited from engaging with Tornado Cash.
According to the Treasury, since its launch in 2019, Tornado Cash has facilitated the laundering of over $7 billion in cryptocurrency. However, a report by the cryptocurrency analysis firm Elliptic refutes this claim, stating that only $1.5 billion of funds obtained through ransomware, hacks, and fraud were laundered using the Tornado protocol. The figure of $7 billion conveyed by the Treasury is said to represent the total amount of cryptocurrency processed by Tornado Cash, including legitimate users seeking financial privacy.
Among the laundered assets, it is noted that $445 million was stolen by Lazarus Group, a notorious North Korea-based hacking group already under US sanctions. The Treasury also highlights examples of hackers using Tornado Cash to launder stolen assets, including a recent amount of $7.8 million from the Nomad heist. The perpetrators made a significant error in their attempt to steal $100 million worth of cryptocurrency.
The Treasury asserts that the protocol has taken inadequate measures to prevent hackers from utilizing it for money laundering activities. They emphasize their commitment to sanctioning mixers that assist criminals in money laundering.
Tornado Cash DAO Hack Incident in May 2023
Over the past weekend, the attacker(s) effectively took control of the decentralized autonomous organization (DAO) that governs Tornado Cash’s operations.
In this situation, the attacker presented a malicious proposal that concealed the code function enabling the acquisition of fake votes. These votes could be used to manipulate specific aspects of Tornado Cash, such as the management of torn (TORN) tokens held in the main contract or the withdrawal of locked torn tokens.
The attacker achieved this by submitting a proposal resembling a previous version but containing malicious code. This code allowed the attacker access to all governance votes by updating the governance logic.
It is important to note that this attack does not impact the actual functioning of the Tornado Cash protocol, which enables users to obfuscate their actions when transferring funds and crypto addresses through the Tornado Cash service. The attack did not exploit any smart contract or technology associated with the core functionality of Tornado Cash.
Consequently, the management control of the protocol fell into the hands of the attacker.
However, in an unexpected turn of events, the attacker proposed a plan that suggests returning the governance control to the original token holders of Tornado Cash.
This unexpected move piqued curiosity within the crypto community, leading to speculation about the intentions behind the proposal.
The governance proposal was successfully approved on May 26, with 517,000 votes in favor and no votes against. The hack did not directly impact the protocol itself, but the malicious actor managed to steal a significant amount of tokens. Interestingly, some of the stolen ETH was laundered through Tornado Cash, introducing an additional layer of complexity to the transactions.
