Mimblewimble’s Privacy Compromised Via Sniffer Node Attack, and Now the Code Is Publicly Available

November 20, 2019 / by Crypto.IQ

Mimblewimble is a unique and relatively new privacy protocol used by the cryptocurrencies Grin, Beam, and Tari, with Grin and Beam having market caps of $37 million and $30 million respectively. The point of Mimblewimble is to completely obfuscate the origin, destination, and the amount of a transaction. However, a hacker claims to have compromised the privacy of 95.5% of Grin transactions using a sniffer attack and has publicly released the code which can be used to perform the attack.

Mimblewimble depends on two different techniques to ensure that the origin and destination of a transaction cannot be traced, including full-block cut-through aggregation and the dandelion protocol.

Full-block cut-through aggregation is similar to Bitcoin’s (BTC) CoinJoin, where multiple transactions are combined into one bigger transaction to obfuscate the origin and destination of inputs and outputs. In the case of Mimblewimble, all transactions in a block are organized into one transaction that has all of the inputs and outputs.

However, a Mimblewimble block's aggregate is built up one transaction at a time. The hacker created a sniffer node, which essentially logs intermediary pending transactions before a block is aggregated into a single larger transaction.

If the sniffer node encounters a transaction before it is aggregated, then the inputs and outputs can be directly linked to each other, equivalent to discovering the origin and destination. Apparently each Mimblewimble transaction is associated with a single kernel, so a sniffer node can tell if a pending transaction is a single transaction or the aggregate of multiple transactions.

Also, if a sniffer node happens to log a transaction after it has been merged with another transaction, but one of the sniffer nodes has already logged the inputs and outputs of one of the transactions in the aggregate, then subtraction can be used to determine the other transaction in the aggregate. However, the sniffer node encounters almost all transactions before they are aggregated with any other transaction, and subtraction was only needed for a small handful of transactions.

The dandelion protocol is another layer of Mimblewimble security that was supposed to prevent attacks like this. Essentially, with the dandelion protocol, a transaction is broadcast to a single peer which sends it to another peer, and this is repeated ten times before being broadcast to the whole network. The part where the transaction is passed from a single peer to a single peer is called the stem phase, and when the transaction is broadcast to the whole network it is called the fluff phase.

The point of the dandelion protocol is to obfuscate a user’s IP address, since by the time a transaction has been broadcast to the network it is coming from a different IP address than the origin, and has already passed through 10 peers with different IP addresses, making a trace nearly impossible. This is unlike Bitcoin (BTC), which immediately broadcasts a transaction to all peers.

However, if a sniffer node connects to a large fraction of nodes in the network and becomes a supernode, then every time a transaction enters the fluff phase it is immediately logged by a sniffer node. This gives transactions no time to undergo full-block cut-through aggregation before being logged.

The only exception is if transactions aggregate with each other during the stem phase of the dandelion protocol. In that case, a sniffer supernode will probably not be able to log a transaction before it is merged with another transaction. This accounts for the 4.5% of transactions that could not be compromised during the hacker’s experiment.

That being said, the hacker proposes that if a sniffer node connects with every single node in the network, or if enough sniffer nodes were launched to account for almost all of the nodes in the network, then even transactions which aggregate in the stem phase could be caught before the merger.
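The linkability argument above (a single-kernel transaction seen in the fluff phase ties its inputs to its outputs; a multi-kernel aggregate can only be resolved by subtracting constituents already logged; a stem-phase aggregate whose parts were never seen stays unlinkable) as a toy model, added here to illustrate the article and not the hacker's released code. It is pure bookkeeping over sets of constructed identifiers with no networking; the list of "events" stands in for what an observer sees arrive in the fluff phase.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    """One Mimblewimble-style transaction: one kernel, some inputs, some outputs."""
    kernels: frozenset
    inputs: frozenset
    outputs: frozenset

def make_tx(kernel, inputs, outputs):
    return Tx(frozenset([kernel]), frozenset(inputs), frozenset(outputs))

def aggregate(*txs):
    """Cut-through aggregation: one transaction carrying every kernel, input and output."""
    return Tx(frozenset().union(*(t.kernels for t in txs)),
              frozenset().union(*(t.inputs for t in txs)),
              frozenset().union(*(t.outputs for t in txs)))

def subtract(agg, part):
    """Peel an already-known constituent out of an aggregate (the article's 'subtraction')."""
    return Tx(agg.kernels - part.kernels, agg.inputs - part.inputs, agg.outputs - part.outputs)

class Observer:
    """A node that simply records whatever it sees in the fluff phase."""
    def __init__(self):
        self.linked = {}   # kernel -> Tx whose inputs and outputs are now tied together

    def log(self, tx):
        rem = tx
        for k in tx.kernels:
            if k in self.linked:          # constituent seen earlier: subtract it out
                rem = subtract(rem, self.linked[k])
        if len(rem.kernels) == 1:         # single kernel left: inputs <-> outputs linked
            (k,) = rem.kernels
            self.linked[k] = rem
            return True
        return False                      # multi-kernel remainder stays unlinkable

def exposure(events, all_kernels):
    """Fraction of transactions whose origin and destination an observer could link."""
    obs = Observer()
    for tx in events:
        obs.log(tx)
    return len(obs.linked) / len(all_kernels), obs

# Constructed sample: c and d aggregated during the stem phase (never seen alone);
# e reaches the observer only after it has merged with a, which was logged earlier.
A, B = make_tx("a", {"in1"}, {"out1"}), make_tx("b", {"in2"}, {"out2"})
C, D = make_tx("c", {"in3"}, {"out3"}), make_tx("d", {"in4"}, {"out4"})
E = make_tx("e", {"in5"}, {"out5"})
EVENTS = [A, B, aggregate(C, D), aggregate(A, E)]
```

Running `exposure(EVENTS, {"a", "b", "c", "d", "e"})` links a, b and e (e by subtraction) and leaves the stem-aggregated pair c and d unresolved, mirroring the article's 95.5% versus 4.5% split in miniature.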

Apparently this attack costs some money, with $60 needed on Amazon Web Services (AWS) to run the sniffer nodes, and possibly much more money if the number of sniffer nodes was increased. However, $60 per week to expose the origin and destination of almost all Grin transactions is not much money and a relatively tiny expense for government regulators and blockchain forensics firms.

The exact results of the experiment were that three sniffer nodes connected to 200 out of 3,000 total peers on the Grin network for five days. During that time the origin and destination of approximately 8,500 out of 8,900 transactions were exposed.

To be clear, the amounts of the transactions remained anonymous and uncrackable via an elliptic curve cryptography scheme similar to Monero (XMR), and funds were not drained from any wallets. This attack simply exposes origin and destination. That being said, this defeats the whole point of using a privacy-oriented cryptocurrency.

The hacker proposes that increasing the dandelion patience timer, i.e. the number of nodes a transaction goes through in a dandelion stem could provide some more privacy. However, this could be defeated with a sufficient number of sniffer nodes. The best defense against sniffer attacks may be using lots of decoys and dust transactions, but this would be inefficient compared to Monero (XMR), and still not impervious to sniffer nodes.

Ultimately, it seems Mimblewimble has been compromised, and the cryptocurrencies which use it may require a complete overhaul to re-establish privacy. Until then, the cat is out of the bag, and now anyone can use the open-source code from the hacker to compromise the privacy of Mimblewimble cryptocurrencies.