Abstract
One of the most prominent and widely-used blockchain privacy solutions are zero-knowledge proof (ZKP) mixers operating on top of smart contract-enabled blockchains. ZKP mixers typically advertise their level of privacy through a so-called anonymity set size, similar to k-anonymity, where a user hides among a set of k other users.
In reality, however, these anonymity set claims are mostly inaccurate, as we find through empirical measurements of the currently most active ZKP mixers. We propose five heuristics that, in combination, can increase the probability that an adversary links a withdrawer to the correct depositor on average by 51.94% (108.63%) on the most popular Ethereum (ETH) and Binance Smart Chain (BSC) mixer, respectively. Our empirical evidence is hence also the first to suggest a differing privacy-predilection of users on ETH and BSC. We further identify 105 Decentralized Finance (DeFi) attackers leveraging ZKP mixers as the initial funds and to deposit attack revenue (e.g., from phishing scams, hacking centralized exchanges, and blockchain project attacks).
State-of-the-art mixers are moreover tightly intertwined with the growing DeFi ecosystem by offering "anonymity mining'' (AM) incentives, i.e., mixer users receive monetary rewards for mixing coins. However, contrary to the claims of related work, we find that AM does not always contribute to improving the quality of an anonymity set size of a mixer, because AM tends to attract privacy-ignorant users naively reusing addresses.
In reality, however, these anonymity set claims are mostly inaccurate, as we find through empirical measurements of the currently most active ZKP mixers. We propose five heuristics that, in combination, can increase the probability that an adversary links a withdrawer to the correct depositor on average by 51.94% (108.63%) on the most popular Ethereum (ETH) and Binance Smart Chain (BSC) mixer, respectively. Our empirical evidence is hence also the first to suggest a differing privacy-predilection of users on ETH and BSC. We further identify 105 Decentralized Finance (DeFi) attackers leveraging ZKP mixers as the initial funds and to deposit attack revenue (e.g., from phishing scams, hacking centralized exchanges, and blockchain project attacks).
State-of-the-art mixers are moreover tightly intertwined with the growing DeFi ecosystem by offering "anonymity mining'' (AM) incentives, i.e., mixer users receive monetary rewards for mixing coins. However, contrary to the claims of related work, we find that AM does not always contribute to improving the quality of an anonymity set size of a mixer, because AM tends to attract privacy-ignorant users naively reusing addresses.
| Original language | English |
|---|---|
| Title of host publication | WWW '23 |
| Subtitle of host publication | Proceedings of the ACM Web Conference 2023 |
| Publisher | Association for Computing Machinery (ACM) |
| Pages | 2022-2032 |
| Number of pages | 11 |
| DOIs | |
| Publication status | Published - 30 Apr 2023 |
| Event | The Web Conference 2023 - AT&T Hotel and Conference Center at The University of Texas at Austin, Austin, United States Duration: 30 Apr 2023 → 4 May 2023 |
Conference
| Conference | The Web Conference 2023 |
|---|---|
| Abbreviated title | WWW'23 |
| Country/Territory | United States |
| City | Austin |
| Period | 30/04/23 → 4/05/23 |
Keywords
- cs.CR