Manta founder Shumo: The Future of On-Chain Privacy from the Tornado Cash Incident
Author: Shumo Chu, Manta Network
On August 8, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) added Tornado.cash and its associated Ethereum addresses to the "Specially Designated Nationals List" (SDN);
On August 10, a Tornado.cash developer was arrested in Amsterdam by the Dutch Financial Intelligence and Investigation Service (FIOD);
Shortly after the OFAC announcement, Tornado.cash developer Roman Semenov tweeted that access to its GitHub code had been blocked by Microsoft. Subsequently, Tornado.cash and the sanctioned addresses were blocked by DeFi protocols such as Aave and dYdX, RPC providers like Infura, and stablecoin issuers like Circle.
What is Tornado.cash? How does it work?
Tornado.cash is a mixer for ETH and ERC20 tokens that allows users to deposit ETH/ERC20 into a mixing pool and later withdraw the same amount of tokens.
Here’s how it works:
Deposit: Users can deposit a fixed amount of tokens (for simplicity, we use 0.1 ETH as an example; Tornado.cash also has levels of 1 ETH, 10 ETH, and 1,000 ETH), and then receive a unique secret deposit proof. After the deposit operation, 0.1 ETH is transferred from the user's wallet to the Tornado.cash contract address on Ethereum.
Withdrawal: After entering their deposit proof in the Tornado.cash dApp, users can withdraw 0.1 ETH to a brand new address. The underlying principle is that the Tornado.cash dApp uses this secret deposit proof to generate a zero-knowledge proof that the deposit is valid. The Tornado.cash contract then verifies this zero-knowledge proof on-chain. Because the proof is checked by the contract, double spending or malicious withdrawals are impossible. At the same time, because the proof reveals nothing beyond its own validity, the link between the deposit address and the withdrawal address is hidden by the Tornado.cash mixing pool and the zero-knowledge proof.
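A simplified model of the deposit/withdrawal flow described above, added here as an illustration and not Tornado.cash's own contract or circuit: the pool stores only commitments and spent nullifiers, and the zero-knowledge verifier is replaced by a stand-in that is simply shown the secret note. Hash function, note format and the `MixerPool` class are all assumptions of this model.

```python
import hashlib
import secrets

DENOMINATION_WEI = 10**17  # 0.1 ETH, fixed for the whole pool


def h(*parts: bytes) -> bytes:
    """Hash for commitments and nullifiers (SHA-256 here; the real circuit
    uses ZK-friendly hashes, but the structure of the checks is the same)."""
    return hashlib.sha256(b"".join(parts)).digest()


class MixerPool:
    """On-chain state of a fixed-denomination pool (simplified model)."""

    def __init__(self) -> None:
        self.commitments: set[bytes] = set()       # published at deposit time
        self.spent_nullifiers: set[bytes] = set()  # published at withdrawal
        self.balances: dict[str, int] = {}         # recipient -> wei received

    def deposit(self, amount_wei: int) -> tuple[bytes, bytes]:
        """Accept exactly one denomination; return the secret note to keep."""
        if amount_wei != DENOMINATION_WEI:
            raise ValueError("pool accepts only the fixed denomination")
        nullifier, secret = secrets.token_bytes(31), secrets.token_bytes(31)
        # Only the commitment is visible on-chain; without `secret` nobody
        # can later match it against the nullifier hash revealed at withdrawal.
        self.commitments.add(h(nullifier, secret))
        return nullifier, secret

    def withdraw(self, note: tuple[bytes, bytes], recipient: str) -> bool:
        """Pay the fixed denomination to `recipient` if the note is valid
        and has not been redeemed before."""
        nullifier, secret = note
        # Stand-in for the ZK verifier: the real contract checks a proof that
        # the note opens some commitment in the pool without learning which.
        if h(nullifier, secret) not in self.commitments:
            return False
        nullifier_hash = h(nullifier)
        if nullifier_hash in self.spent_nullifiers:
            return False  # double spend: this note was already redeemed
        self.spent_nullifiers.add(nullifier_hash)
        self.balances[recipient] = self.balances.get(recipient, 0) + DENOMINATION_WEI
        return True
```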
Who is using Tornado.cash?
Viewing Tornado.cash as "a money laundering tool for hackers" is an entrenched bias, which I believe mainly stems from slanted media coverage: when hackers use Tornado.cash to hide stolen assets, such news often makes headlines; however, the completely legal and reasonable uses of Tornado.cash are rarely reported by the media.
Let's look at Chainalysis's analysis of the uses of Tornado.cash (source):
Only about 10.5% of the funds flowing through Tornado.cash are stolen assets, while the vast majority of the funds are used for DeFi, centralized exchange transfers, and to avoid sanctions. In fact, after the news of Tornado.cash being sanctioned was announced, many users described how they used Tornado.cash. For example, Vitalik stated that he had used Tornado.cash for anonymous donations:
The Future of On-Chain Privacy
We should reach it, we will definitely reach it
--- Crypto Hilbert (that's me)
Without privacy, the entire Web3 becomes meaningless. Without privacy, how can Web3 empower individual rights?
Future Direction 1: Provide Better Products for Ordinary Users, Not Just Hackers
In a permissionless system, it is difficult to completely prevent others from doing evil. However, we should first build better products for ordinary users, not just for hackers. Here I want to quote a tweet from @dankrad:
(Does anyone want to create a Tornado with usage restrictions? For example, based on Proof of Humanity (PoH), a maximum limit of $1,000 per person per week. This would be a good privacy product for ordinary users, but not very useful for money laundering.)
For ordinary users, the design of Tornado.cash has two points that are not very user-friendly:
Before the launch of Tornado.cash Nova, users had to deposit fixed denominations of tokens (0.1 ETH, 1 ETH, 10 ETH, 100 ETH), which caused significant user experience friction.
Because it runs on L1, Tornado.cash requires a large amount of gas. A single deposit on Tornado.cash costs about 1 million gas on Ethereum, which translates to approximately 0.05 ETH at 50 GWEI and 0.1 ETH at 100 GWEI, which is not friendly for ordinary users.
Fortunately, both of these points have good technical solutions. Protocols like ZCash/Tornado.cash Nova/MantaPay do not require depositing fixed amounts of tokens. Moreover, by deploying privacy solutions on L2, or even building a privacy-specific L2 like ZKOPRU, the gas fee issue can be largely resolved.
Future Direction 2: More Privacy Killer Applications
The application scenarios of privacy in Web3 are not limited to minting public tokens into privacy tokens. In fact, from the user's perspective, needing to mint public tokens into privacy tokens to gain privacy, and then redeem them back to public tokens for use, is itself a poor product experience. A normal user should be able to apply privacy tokens in different Web3 scenarios.
(Privacy application scenarios, from Manta CTO, Brandon Gomes)
In fact, privacy is essential in many applications, rather than just an added bonus, such as:
DeFi: Financial privacy is one of the most valuable application scenarios. Many users avoid using DeFi due to completely transparent transaction records. Additionally, privacy DeFi can alleviate the MEV problem to some extent (fully solving the MEV problem remains a challenging research topic).
NFT: Using NFTs as avatars is the biggest source of privacy leakage (directly exposing public addresses and user identities). Privacy NFTs/privacy NFT auctions/ZKP-based NFT ownership proofs can protect privacy without sacrificing usability.
DAO Tools: DAOs are a future organizational form for humanity, and DAO tooling needs privacy: private voting to avoid malicious competition and retaliation against voters; a private salary payment system to keep the organization healthy; and a private message board for anonymous feedback. There are many more DAO tools with similar privacy needs.
Interactive on-chain games: If a game is played on-chain, each player needs to hide their real status, or it will cause significant MEV issues. If we want to build a public metaverse on-chain, privacy is a necessity, not an option.
Future Direction 3: Selective, Configurable Asset Policies and Compliance Based on Zero-Knowledge Proofs
As the Web3 world develops, we also need to build better tools that allow crypto asset issuers to customize different asset policies, including compliance. One possible direction is to use zero-knowledge proofs to resolve the conflict between compliance and user-sovereign privacy.
However, to establish a reasonable asset policy, Web3 asset issuers and regulators need to work together to find a reasonable and executable asset policy.
Undoubtedly, the future of Web3 privacy needs to combine all the directions mentioned above, which is also the direction our team (manta.network) is striving for.