On Nov. 18, crypto researcher Ivan Bogatyy published an article on Medium claiming that he had found an extremely easy way of bypassing Grin’s Mimblewimble privacy protocol. As part of his efforts, Bogatyy stated that he was able to trace over 96% of all Grin-related transactions in real time, including the addresses of the senders as well as recipients associated with these sets of transactions.
What’s more striking is the fact that Bogatyy claims he was able to achieve all this by spending just $60 a week on Amazon Web Services computational power, which helped connect him to Grin’s native blockchain nodes.
Not only that, but the Google AI research alum also claims that he could have quite easily exposed the addresses of “almost all” Grin users if he had decided to connect to all 3,000 of the system’s nodes. In this regard, Bogatyy wrote the following:
“Grin still affords a stronger privacy model than Bitcoin or other non-privacy coins, since amounts are safely encrypted. But Mimblewimble provides a strictly weaker privacy model than Zcash or Monero. This makes it insufficient for many real-world privacy use cases.”
As expected, as soon as these developments came to light, the future of Mimblewimble was immediately called into question by people around the globe, who began saying that the privacy protocol could no longer be trusted, since it was clearly not secure enough.
However, a few days after the initial report, Daniel Lehnberg, a member of Grin’s core developers team, published a blog arguing that the “alleged” break-in was confined largely to the protocol’s already-acknowledged privacy limitations. He also added that the attack was facilitated through the use of a passive vector that did not have the capacity to acquire any actionable data.
Lastly, Grin makes use of a technology called “Patient Dandelion,” which is basically a modified version of Bitcoin’s Dandelion++ proposal that was outlined in BIP0156. The protocol is commonly used to mask the IP addresses linked with any given transaction because it adds additional stem hops as well as other delays at each node junction. However, since Grin’s latest privacy scandal came to light, many experts are now calling into question the overall operational efficacy of Dandelion as well.
A closer look at Grin and its privacy framework
In its most basic sense, Grin can be thought of as an implementation of the Mimblewimble, or MW, protocol, whose privacy is derived from two key aspects:
- The protocol employs confidential transactions to obfuscate transaction amounts.
- The protocol makes use of aggregated transactions to prevent the linking of native transaction inputs and outputs.
Additionally, the MW transaction format is substantially different from Bitcoin-like cryptocurrencies, as it allows multiple transactions to be aggregated into a single larger transaction.
This aggregation process is “lossy,” which essentially means that the protocol hides the size of asset transfers taking place between the involved parties, thus improving the overall scalability of the network. The process of mining blocks with Mimblewimble aggregates all of the associated transactions into a single block, thereby making it difficult for bad actors or any third-party entities to link inputs and outputs when viewing the chain on a historical basis.
Are Bogatyy’s assertions valid?
With so many conflicting details currently floating around on the internet regarding the recent Mimblewimble security lapse, CryptoX reached out to Jake Yocom-Piatt, co-founder and project lead for Decred, a community-driven digital currency that uses a hybrid proof-of-work and proof-of-stake consensus model. When asked to comment on Bogatyy’s claims and whether he was right or not with his assertions, Yocom-Piatt pointed out:
“Despite an aggressive response from Daniel Lehnberg from Grin, I am of the opinion that Ivan’s attack is valid. The attack links inputs and outputs to most MW transactions, and it achieves this by monitoring the Grin network, where it can log transactions prior to their being aggregated either over Dandelion or in a block.”
He then added that a few months back, he had published an article in which he too had highlighted the exact same weakness that Bogatyy was able to exploit — that is, once Grin’s native blocks have been mined, participating miners and affiliated nodes have the ability to monitor individual transactions that have been published before they are aggregated.
This basically allows a third-party entity (who may be closely monitoring the transactions being published on the network) to potentially make use of the data in order to link transactions that would otherwise not be possible by looking at the information related to other mined blocks. Yocom-Piatt then added:
“Ivan executes exactly the attack I described. While Daniel takes exception to Ivan’s post for various technical reasons related to terminology, the linking of inputs and outputs is hard to argue against.”
Is Lehnberg’s recent blog post just damage control?
Many crypto enthusiasts firmly believe that Lehnberg’s recent post is a defense tactic. With enough technical know-how, hackers or other third-party entities could easily retrieve a huge volume of the input/output data about the majority of the involved entities, as long as MW-based native transactions can be reliably surveyed before they are aggregated.
With that being said, Ethan Fast — a co-founder of security-oriented crypto exchange Nash — is of the opinion that Bogatyy’s findings are incorrect because of his flawed understanding of how the Mimblewimble protocol works. On the subject, Fast told CryptoX:
“He [Bogatyy] is able to demonstrate that an adversary can construct a transaction graph on the network, in the sense that input A became output B. But because of how the protocol works, this is not like identifying an output address on Bitcoin. Just knowing A=>B does not imply you know who received the funds in any useful sense. So my interpretation is that what Ivan found was already publicly known and he mischaracterized its implications in the article he published.”
Fast then pointed out that a big part of the misunderstanding seems to have stemmed from the confusion surrounding what an “address” within the Grin ecosystem actually represents. To further solidify his stance, Fast highlighted to CryptoX a number of other instances where similar issues over Grin’s native operational framework came to light. He further added:
“Grin does not have anything like Bitcoin addresses. In fact, every time you want to send someone an asset, you need to interact with them in a live computation, working together to create a transaction. Given this fact, my understanding is that being able to construct a transaction graph on Grin is not a major security issue, as transactions don’t have anything like public addresses that tie them together.”
The conversation continues
Despite Grin’s reputation being called into question after the allegations put forth by Bogatyy started to gain widespread attention on the internet over the last week, the platform’s core backers (as well as community members) have continued to claim that the assertions put forth by Bogatyy are inherently wrong and that there are many factual inaccuracies — six, to be exact — in his findings.
Also, it is quite obvious that due to this entire episode, Grin’s financial value has taken quite a beating. The currency has dropped from $1.52 to just under $1 over the space of the past seven days.