Dragonfly Capital researcher Ivan Bogaty this Monday presented the results of a study on the Mimblewimble technology used to provide anonymity in cryptocurrencies such as Grin and BEAM, as well as considered for adding to Litecoin.
The author claims that Mimblewimble has a vulnerability at a fundamental level that he sees no way to fix it. He came to this conclusion while testing the Grin network. After leasing Amazon Web Services for $ 60 a week, he connected to 200 of the 3,000 peers on the Grin network. This allowed him to identify the senders and recipients of 96% of transactions. The researcher claims that he could connect to all nodes and de-anonymize almost all transactions.
“The easiest way to attack Grin is to run a full node, modified to log all transactions, with which she collides. We log all intermediate pending transactions that are committed before the block is completed and are collected in one mega-transaction. If a certain previously noticed transaction is connected to the rest, our node will be able to establish a direct connection between inputs and outputs, “explains the researcher..
This attack does not allow disclosing the amount of the transaction, but it helps to find out who is sending the payment and to whom, link transactions with each other and track the payment chains..
“It is now clear that Mimblewimble should not be relied on for secure privacy,” writes Bogaty.
The author also notes that other privacy-focused cryptocurrencies where Mimblewimble technology is not used, such as Zcash and Monero, this vulnerability is not found..
“I believe Grin does not have an obvious path to eliminate transaction traceability. However, Mimblewimble has unique and valuable qualities in that it can hide transaction amounts. If you need enhanced privacy, you can always combine Mimblewimble with another protocol that shadows the transaction graph, for example Ethereum 9¾, “he concludes..