Breaking MimbleWimble - Reading Assignment

The real story is that this vulnerability has been known and discussed since day 1. The author just did the work of demonstrating the first step of this type of attack.

1 Like
  1. A “sniffer” node is a node which can detect how transactions are moving before they are mixed or aggregated by being connected to many other nodes. This means they can work out the sender’s and receiver’s address.

  2. The pieces of information which can be determined by a super node are: the origin of a transaction and where it is going (who paid who). The pieces of information which cannot be determined are the amounts people are getting paid.

  3. The percentage of live nodes the author connected with is 6.67%.

  4. The single potential solution that was mentioned was Dandelion. Maybe another potential solution could be a kind of “mint and burn” mechanism to disconnect the tokens from the wallet before the transaction is broadcast.

  5. Regarding what I would add to GRIN’s response, I did wonder if an invite to Ivan Bogatyy to work with GRIN might be useful, as he seems to be keen on actively hunting for bugs, but I am not sure whether he is a genuine expert, or not. Otherwise, a nice, calm, reasoned response.

1 Like
  1. A sniffer node is a node that observes transactions before they aggregate in order to discover the linked addresses.
  2. A supernode can be used to find transaction information, such as the addresses to which they are connected. What they can’t do is derive single transactions after they have been aggregated.
  3. 6.67%. He connected with 200 peers out of 3000.
  4. The solution he mentions is Ethereum 9 3/4. I can’t think of anything right now.
  5. I just wanted to say that it is normal that there are problems with such new technologies. Just think of how many problems technologies that have become very important in the privacy field have had. If there is a good team and hard work behind a project, great things can be done.
1 Like
  1. A “sniffer” node is a node which can detect how transactions are moving before they are mixed or aggregated by being connected to many other nodes. This means they can work out the sender’s and receiver’s address.

  2. The pieces of information which can be determined by a super node are: the origin of a transaction and where it is going (who paid who). The pieces of information which cannot be determined are the amounts people are getting paid.

  3. The percentage of live nodes the author connected with is 6.67%. 200 of 3000

  4. The single potential solution that was mentioned was Dandelion. Maybe another potential solution could be to use Pedersen Commitments in some way to break the link between sender and receiver.

  1. A sniffer node links to the GRIN blockchain trying to catch tx data before it gets aggregated.
  2. Sender and recipient can be determined, but not the amount.
  3. 6.7% (200 out of 3000).
  4. The combination of Mimblewimble with other protocols such as Ethereum 9 3/4.
  5. I am not deep enough into the technology to add to this response.
1 Like
  1. A sniffer node can just observe the network and take note of the original transactions before they get aggregated.
  2. All of the inputs and outputs are tossed into one giant bucket, with no easy way to determine who paid who within that bucket. Single transactions can’t be seen once they have been added to the bucket.
  3. 96%
  4. To combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾.
  5. Not really.

1: It is a node set up by an attacker to spy on the network to find information that can be useful in determining certain info, such as who, when and where from TRx are made, before MW makes its cut-through.
2: It can identify sender and receiver but not the amounts or IP if Dandelion is used.
3: 6.66%
4: Combining MW with another service such as Ethereum 9/4 or possibly going through another mixing service.
5: It is very informative and can give an honest review of the vulnerability so as not to assume that it is completely private and anonymous … Not enough of an expert to give suggestions.

1 Like
  1. A peer in the network that can pick up transactions by just observing the network.

  2. A supernode can determine which UTXOs are linked to which outputs, but not the amounts.

  3. 6.67%

  4. You can combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾ which combines Mimblewimble with a Zerocash style commitment nullifier scheme.

  5. Perfect response!!

  1. What is a ‘sniffer node’?
    A sniffer node is a node in the network that listens to all transactions before they are aggregated in one large CoinJoin. By doing this you can unwind before the cut-through aggregation is complete.

  2. Which pieces of information can be determined by a supernode? Which pieces cannot?
    A super node will not know your IP address, but it will with a high probability be able to find out who is transacting with who.

  3. What % of live nodes did the author connect with?
    He connected with 6.67% of the nodes and managed to deaggregate 96% of the transaction… which is pretty powerful.

  4. What single potential solution is mentioned? Can you think of another?
    If you want strong privacy, you can always combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾ (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme).

  5. Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9 .

  6. Would you add anything to it? Nope, looks like the researcher of the article was being a bit sensationalist without really understanding exactly how the protocols worked.

  1. What is a ‘sniffer node’?
    A sniffer node is a node that can just observe the network and take note of the original transactions before they get aggregated.

  2. Which pieces of information can be determined by a supernode? Which pieces cannot?
    It will identify the sender and the receiver but not the amounts.

  3. What % of live nodes did the author connect with?

6.66 percent

  4. What single potential solution is mentioned? Can you think of another?
    If you want strong privacy, you can always combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9 3/4, which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme.

  5. Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9 . Would you add anything to it?

No, they have the perfect response to counter the original article.

  1. What is a ‘sniffer node’?
  • It picks up all transactions before cut-through aggregation is finished. Any sniffer node can just observe the network and take note of the original transactions before they get aggregated.
  2. Which pieces of information can be determined by a supernode? Which pieces cannot?
  • It can see the origin of the transaction.
  • Neighbour nodes that linked to it.
  • Can’t catch a transaction if two transactions both intersect in their Dandelion path before it sees either of them.
  3. What % of live nodes did the author connect with?
  • 6.67%
  4. What single potential solution is mentioned? Can you think of another?
  • Mimblewimble on its own is not strong enough to confer robust privacy.
  • Combines Mimblewimble with a Zerocash-style commitment-nullifier scheme to make BTC transactions untraceable like ETH does.
  5. Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9 . Would you add anything to it?
  • The technology is still young. With time it will stand the test of time and bugs will be cleared as they appear.
  1. What is a ‘sniffer node’?
    A sniffer node is a malicious node that is listening to transmissions with the aim of identifying individual transactions before they can be aggregated.
  2. Which pieces of information can be determined by a supernode? Which pieces cannot?
    A supernode is one that is connected to all other nodes; this means that there is a very high probability that it will be included in the stem phase of the Dandelion, i.e. it will see all individual transactions before they are mixed together. The supernode will see the broadcast transactions, from/to, but will not know the amount or the IP addresses.
  3. What % of live nodes did the author connect with? The author claimed to connect to 200 of the 3000 nodes.
  4. What single potential solution is mentioned? Can you think of another? Author suggests combining MW with another protocol that obscures the transaction graph. Is there a way to detect supernodes? Could you prevent nodes from connecting to more than x other nodes and ensure a random distribution of node connections across the network?
  5. Read Grin’s Response: Would you add anything to it? I like the fact that the developers were factual and calm in their response, were open about limitations of their system and open to improvement.
  1. What is a ‘sniffer node’?

A sniffer node is a node that listens and observes all movement through its network; here it's used to take note of original transactions before they get mixed together, thus helping narrow down whose transactions belong to whom.

  2. Which pieces of information can be determined by a supernode? Which pieces cannot?

"Therefore, the only way that I cannot catch a transaction before it is aggregated is if two transactions both intersect in their Dandelion path before I see either of them. If I see either transaction before they’re aggregated, I can use simple set subtraction to disaggregate them."

  3. What % of live nodes did the author connect with?

The author mentions 96%, which is a crazy high number to be able to keep an eye on with such little resources.

  4. What single potential solution is mentioned? Can you think of another?

"If you want strong privacy, you can always combine Mimblewimble with another protocol that obscures the transaction graph, such as in Ethereum 9¾ (which combines Mimblewimble with a Zerocash-style commitment-nullifier scheme)."

If I had to add my own solution, which is coming from a place of ignorance, I imagine finding a way to obscure the broadcasting IP address in the beginning of the transaction would help immensely. Sure, a VPN could work, but imagine two levels of IP obscuring; I imagine it would keep the cats looking for longer.

  5. Read Grin’s Response: https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9 . Would you add anything to it?

Their response seems more than fair and responsible. They’ve acknowledged that their project is in need of more work and addressed that there isn’t much traffic/usage on their blockchain, but with more usage it’ll be a lot more difficult to make the assessments made in the 1st article.

1 Like
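The "simple set subtraction" quoted in the post above, as an added example that is not part of the thread, the original article or Grin's code: it shows when an observed transaction lets an aggregate be split, and why two transactions merged on the Dandelion stem before either was seen stay mixed. Assumptions: transactions are modelled as sets of opaque labels plus one kernel each, the kernel survives aggregation, and the constructed sample transactions do not spend each other's outputs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    inputs: frozenset
    outputs: frozenset
    kernels: frozenset  # assumption: one kernel per original tx, kept through aggregation

def make_tx(inputs, outputs, kernel):
    return Tx(frozenset(inputs), frozenset(outputs), frozenset([kernel]))

def aggregate(*txs):
    """Merge transactions as a relaying node would: plain union of each component."""
    return Tx(frozenset().union(*(t.inputs for t in txs)),
              frozenset().union(*(t.outputs for t in txs)),
              frozenset().union(*(t.kernels for t in txs)))

def contains(agg, tx):
    return tx.inputs <= agg.inputs and tx.outputs <= agg.outputs and tx.kernels <= agg.kernels

def disaggregate(agg, observed):
    """Peel previously observed transactions off an aggregate by set subtraction.

    Returns (isolated, unresolved). `isolated` lists transactions whose own
    inputs and outputs are now linkable; `unresolved` is what is left when two
    or more transactions were merged before any of them was observed (else None).
    """
    isolated, rest = [], agg
    for tx in observed:
        if contains(rest, tx):
            isolated.append(tx)
            rest = Tx(rest.inputs - tx.inputs, rest.outputs - tx.outputs,
                      rest.kernels - tx.kernels)
    if len(rest.kernels) == 1:   # exactly one tx left: it is isolated too
        isolated.append(rest)
        rest = None
    elif not rest.kernels:
        rest = None
    return isolated, rest

# Constructed sample transactions (labels stand in for commitments and kernels).
A = make_tx({"in_a"}, {"out_a1", "out_a2"}, "k_a")
B = make_tx({"in_b1", "in_b2"}, {"out_b"}, "k_b")
C = make_tx({"in_c"}, {"out_c1", "out_c2"}, "k_c")

if __name__ == "__main__":
    print(disaggregate(aggregate(A, B), [A]))      # A seen early: A and B both isolated
    print(disaggregate(aggregate(A, B, C), [A]))   # B and C merged unseen: stay mixed
```
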

1: A sniffer node is a node used to watch blockchain activities before they are aggregated.
2: A supernode can pick up on transactions' origins before they are completed, but cannot see the single transaction once it has been added to the bucket.
3: The author connected with 96% of live nodes.
4: The single potential solution mentioned was MimbleWimble with Ethereum 9 3/4; also mentioned was Mimblewimble with a Zerocash-like commitment nullifier scheme.
5: I would add it is new and evolving and it may or may not stand the test of time in the continually evolving ecosystem of blockchain privacy related protocols.

  1. Sniffer node picks up transactions before cut-through aggregation is finished.
  2. The origin of transaction.
  3. 6.67%
  4. To combine Mimblewimble with another protocol that obscures the transaction graph.
  5. Reading about Mimblewimble in the course the issue was apparent and as stated in their response was a misunderstanding of a known limitation.
2 Likes
  • What is a ‘sniffer node’? A sniffer node is a node that picks up all tx’s before the cut-through aggregation is finished. An observing “sniffer node” of Mimblewimble can note the original tx’s before they are aggregated and easily be observed.
  • Which pieces of information can be determined by a supernode? Which pieces cannot? The supernode can see what tx was sent what to another tx, not the identifying parties, and not the amount of the tx’s.
  • What % of live nodes did the author connect with? 96%
  • What single potential solution is mentioned? Can you think of another? The author recommended Grin on its own wasn’t private enough and that it should be combined with another protocol that obscures the transaction graph such as Ethereum 9 3/4.
  • Read Grin’s Response : https://medium.com/grin-mimblewimble/factual-inaccuracies-of-breaking-mimblewimbles-privacy-model-8063371839b9. Would you add anything to it? Possibly two comments.
  1. GRIN’s contribution to crypto “privacy” research is significant as the author mentioned, yet it is important to clarify the GRIN & Mimblewimble strengths and weaknesses for the user to be aware of. GRIN’s response reported they have never claimed for tx’s to be unlinkable but pointed out addresses are not used in the protocol, only transactions. So Bogatyy’s observations in his article also make good points, such as that the act of cashing out on centralized exchanges (who employ KYC) does then connect the tx to an individual, further compromising privacy.
  2. Should Bogatyy have collaborated with Mimblewimble and GRIN before publishing the article? Maybe, and if so, only after the inspection of the protocol. The whole point is rigorous testing to find out what the protocols’ security limits are. This helps educate the whole community and allow developers of protocols to learn and grow.
1 Like

1 A node to monitor the blockchain and check if mixing techniques and such are used…

2 To get info about transactions before anonymity is reached

3 96%

4 Increasing Dandelion factor,
combine with another protocol that obscures transaction graph, or ring signatures

5 Don't know, I read through the other people's answers to get more thoughts on that

1 Like

The author was connected to 6.67% of the nodes (200 of total 3000), but was able to link 96% of transactions.

1 Like

What is a ‘sniffer node’?
A sniffer node can just observe the network and take note of the original transactions before they get aggregated

Which pieces of information can be determined by a supernode? Which pieces cannot?
A supernode can determine which UTXOs are linked to which outputs, but not the amounts

What % of live nodes did the author connect with?
6.67%

What single potential solution is mentioned? Can you think of another?
The single solution the author mentioned was to combine MimbleWimble with another protocol that obscures the transaction graph. Another obvious solution would be to implement ring signatures

Read Grin’s Response, Would you add anything to it?
Some parts of the original article seem to be misleading

1 Like

Ah ok, thanks for clarifying!