Key Takeaways
- Tornado Cash is decentralized, non-custodial protocol that helps crypto users stay private on public blockchains.
- It uses a smart contract that lets users send deposits from one address and then withdraw the funds from to another completely new address, thus breaking the on-chain link between the funds.
- The latest version of the project supports arbitrary amount pools and shielded transactions, allowing users to leverage the protocol as a designated private wallet.
Share this article
Tornado Cash is a decentralized, non-custodial privacy solution for Ethereum and other smart contract-enabled blockchains based on ZK-SNARK technology. It lets users break the links in their on-chain activity to improve their privacy.
Understanding Blockchain Privacy
Tornado Cash is a non-custodial protocol that lets users send ETH and other cryptocurrencies to a smart contract on Ethereum using one address and then withdraw the tokens using a different address, thus breaking the link between the deposited and the withdrawn funds.
To understand Tornado Cash’s value proposition, it’s first essential to dispel the myth of private cryptocurrency transactions. On-chain privacy on public blockchains like Ethereum is essentially non-existent, as anyone can track the blockchain’s public ledger to inspect the entire transaction history of any wallet. In fact, blockchain analytics firms like Nansen are in the business of doing just that. Nansen analyzes the Ethereum blockchain, flags specific wallets and smart contract addresses, translates the insights into human-understandable form, and then sells this tooling to crypto investors looking to make better-informed trading decisions based on the on-chain data. Other blockchain analytics firms like Chainalysis scrutinize public blockchains and work with governments to flag, track, and de-anonymize certain transactions and accounts associated with illicit activities.
While public blockchain addresses do not reveal users’ identities, with some effort, individual wallets can be de-anonymized and analyzed to extract all kinds of information about the user. On-chain transparency can have profound security implications. To make an analogy with the traditional world, if credit card payments worked like Ethereum transactions, all users would have their account balances and financial histories open for anyone to see. This could reveal sensitive information such as their salaries and spending habits, make them a target for criminals, and much more.
In a series of Telegram messages, Crypto Briefing spoke to representatives from Tornado Cash* to discuss the importance of financial privacy. They explained that the public nature of blockchains makes it that much more important for users to care about their financial privacy and have a more considerate approach. They said:
“A sizeable number of individuals fall victim to scams and blackmailers due to the lack of privacy in the blockchain environment. Aside from individuals, businesses are protective of their privacy as well, especially when it comes to the ins and outs of their financial operations (often for the same reasons as individuals—vulnerability to attacks). When assessing the impact in its entirety, it’s hard to think of more important reasons to prioritize financial privacy.”
Tornado Cash Explained
Tornado Cash uses smart contracts to accept token deposits from one address. It enables withdrawals from a different address, thus breaking the on-chain link between the deposited and withdrawn funds. The legacy version of the protocol is operational on Ethereum, BNB Chain, Polygon, Gnosis Chain, Avalanche, Optimism, and Arbitrum. Currently, it supports only fixed amount pools for six tokens: ETH, DAI, cDAI, USDC, USDT, and wBTC.
To help users preserve their privacy, Tornado Cash leverages a technology pioneered by the privacy-focused blockchain project Zcash called ZK-SNARKs—otherwise known as zero-knowledge succinct non-interactive arguments of knowledge. Zero-knowledge proofs allow one party (the prover) to prove to another party (the verifier) that a particular statement is true without disclosing any information apart from the fact that the statement is indeed true.
In other words, zero-knowledge proofs are an encryption technology that lets one party prove to another party that they know a secret without revealing the secret. To understand why Tornado Cash needs these proofs in the first place, it’s worth exploring an example of a typical transaction.
To make a Tornado Cash deposit, a user must first generate two cryptographically linked random numbers, called a “secret” and a “nullifier,” and then send the tokens alongside a hash generated from both numbers called a “commitment” to the smart contract. A “hash” is the output of a hashing algorithm, a one-way function that generates a deterministic, fixed-length result from a given input. Hashing algorithms are basic but incredibly secure encryption tools used extensively in modern cryptography for anything from digital signature generation to password verification.
Tornado Cash then stores the commitment to record the user’s deposit. Later, when the user wants to withdraw their funds using a completely different address, they must prove that they have a valid claim against a specific unspent deposit held in the contract without revealing any piece of potentially identifying information. To do that, they come to Tornado Cash with a new withdrawal address and two zero-knowledge proofs. One proves they know a secret and nullifier whose hash matches some commitment recorded in the smart contract (without pointing to a specific commitment as not to break privacy). At the same time, the other is the nullifier that links them to a particular deposit.
Because Tornado Cash does not know who’s withdrawing, it needs the second zero-knowledge proof to guarantee that the same user can’t withdraw the amount they deposited multiple times. It ensures that by storing a hash of the nullifier inside the contract and then checking whether the proof provided by the user matches against it. If it doesn’t, the user can’t withdraw their funds. If it does, the nullifier hash is marked as spent, meaning the user cannot use the same nullifier to withdraw funds in the future.
Due to the one-way nature of hashing, it is impossible to link a specific commitment or deposit to a particular nullifier but possible to generate a zero-knowledge proof confirming a specific deposit. Using this encryption technology, users can deposit funds to Tornado Cash using one address and then withdraw them to an entirely new address, effectively breaking the on-chain link between the two transactions.
Tornado Cash also needs to take care of the transaction fees to ensure complete privacy. Like all blockchain transactions, withdrawing funds from Tornado Cash requires paying transaction fees, which should be impossible when one is withdrawing to an entirely new address. Tornado Cash uses a network of so-called “relayers” that manage the entire withdrawal to solve this. They pay for the transaction fees by deducting them directly from the withdrawal and charging an additional service fee.
“If Tornado Cash is used correctly and all instructions and tips were followed diligently, it is not possible [even theoretically] to deanonymize transactions,” the anonymous source said. And while there have been instances of similar privacy-ensuring protocols or coin mixers being deanonymized in the past, such as when Chainalysis reportedly demixed a series of CoinJoin transactions, they explained that all privacy protocols—including Tornado Cash—are prone to user errors. They said:
“In the instance of Chainalysis, it is probable that the CoinJoin service wasn’t used correctly. A service like this, just like any other (including Tornado Cash), can be prone to user error—hence the compromised privacy. For example, even with all other privacy practices in place, a user who makes 18 deposits of 100 ETH and later withdraws those same 18 deposits runs a high risk of breaking anonymity.”
That being said, Tornado Cash makes several recommendations to maximize users’ privacy when using the protocol. One is to use the TOR browser or a VPN with a “no-log policy” to prevent third parties from learning that they’re interacting with the protocol. The other recommendations include waiting at least a day between deposits and withdrawals, deleting browser data and cookies after each deposit, and reinstalling the wallet application or browser extension with each transaction. “Remember to save your notes in a secure place, clear your cookies, be patient (the longer you wait, the higher your anonymity), and multiply withdrawal addresses,” the representatives added.
Tornado Cash Nova
The legacy, time-proven Tornado Cash protocol only supports fixed-amount deposits, meaning users could only deposit predefined amounts of tokens into the pools. Users would typically choose between depositing 1 ETH, 10 ETH, or 100 ETH and then withdrawing the same amount later. However, the project recently released a new, upgraded version of the protocol called Tornado Cash Nova that supports arbitrary amount pools and so-called shielded transactions.
Arbitrary amount transactions allow for deposits and withdrawals of completely customized amounts of ETH, while shielded transactions let users transfer the custody of their tokens without ever leaving the pools. Shielded transfers improve transactional privacy because the transferred amounts are concealed from public view. Moreover, they significantly improve user experience, allowing the protocol to be used like a dedicated privacy wallet.
“Nova offers yet another enhancement to privacy because now, rather than storing balances with separate notes for specific amounts, a user can begin utilizing Nova much like a crypto wallet,” the representatives said. “Balances can simply be stored in the dApp for as long as needed, minimizing unnecessary manipulations and thus maximizing privacy by default.”
Nova is a groundbreaking technology because, rather than simply breaking the on-chain link between two wallets, it lets users privately move funds from one wallet to another and use the protocol as a shielded wallet to stay permanently private while operating within decentralized finance.
Criticism and Scrutiny
Due to the nature of Tornado Cash’s product, it has faced criticism and occasional scrutiny from the cryptocurrency community and mainstream world alike. That’s because it’s popularly used by criminals after they steal funds on the blockchain. Hacks and scams are a regular occurrence in crypto, with millions of dollars lost in DeFi rug pulls and other attacks on a regular basis. In January, hackers stole $34 million from the crypto exchange Crypto.com then attempted to launder a chunk of the funds through Tornado Cash. DeFi hackers frequently target smart contract vulnerabilities to drain liquidity pools then turn to Tornado Cash to move the stolen funds without leaving a paper trail behind.
As multi-million dollar hacks have increasingly attracted the interest of authorities and mainstream news publications, Tornado Cash has also found itself under the spotlight. Earlier this month, Bloomberg ran a misleading article titled “Crypto Mixer Tornado Cash Doesn’t Plan to Comply With Sanctions” in reference to the West’s recent economic sanctions against Russia. Tornado Cash’s Roman Semenov described the piece as “an example of dishonest journalism” in a tweet; the headline was later amended.
Crypto Briefing asked the anonymous source whether the Tornado Cash team had ever been contacted by law enforcement agencies but did not receive a clear answer. Instead, they said that they did not know.
Final Thoughts
Tornado Cash is one of very few protocols that has become an Ethereum staple in a little over two years since launching. So far, the legacy protocol has welcomed over 12,000 unique users and received over $5.9 billion in deposits. A large part of its success can be attributed to its perfect product-market fit. Tornado Cash has built a privacy-ensuring product in a very transparent environment.
Tornado Cash is a working, well-designed, well-thought-out product. Just as importantly, in many respects, it is unstoppable. It is fully decentralized with governance handled by a DAO, the code is open-source, and the smart contracts making up the product’s core are fully autonomous and deployed by the community. Now that they are deployed on the blockchain, there is no way of shutting them down—regardless of how authorities may feel about the project. The community also hosts the user interface on the InterPlanetary File System, a peer-to-peer protocol for storing and sharing data in a distributed file system, which minimizes the risk of censorship.
When it comes to moving money on public blockchains, privacy is almost synonymous with operational security, making Tornado Cash one of the premier security-enhancing protocols in the industry.
Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies.
*The quotes from our conversation were originally attributed to the Tornado Cash core team. The anonymous source we spoke to later said that the quotes came from members of the Tornado Cash DAO.