Tornado Cash

Tornado Cash

Intro to Tornado Cash
  • Intro article:
  • Tornado Cash is a fully decentralized non-custodial protocol allowing private transactions in the crypto-space.
    • As a decentralized protocol, Tornado.Cash smart contracts have been implemented within the Ethereum blockchain which makes them immutable.
  • They can neither be changed or tampered with.
    • Therefore, nobody - including initial developers - can modify or shut them down.
    • All governance and mining smart contracts are deployed by the community in a decentralized manner.
  • As a non-custodial protocol, users keep custody of their cryptocurrencies while operating Tornado.Cash.
  • Indeed, at each deposit, they are provided with the private key enabling the access to the deposited funds, which gives users complete control over their assets.
How is privacy achieved?
  • Tornado Cash improves transaction privacy by breaking the on-chain link between source and destination addresses.
  • It uses a smart contract that accepts ETH & other tokens deposits from one address and enable their withdrawal from a different address.
  • To preserve privacy, few good practices are in order, such as the use of a relayer for gas payments to withdraw funds towards an address with no pre-existing balance.
How does Tornado Cash work?
  • This video explains:
  • To achieve privacy, Tornado.Cash uses smart contracts that accept tokens deposits from one address and enable their withdrawal from a different address.
    • Those smart contracts work as pools that mix all deposited assets.
  • Once the funds are withdrawn by a complete new address from those pools, the on-chain link between the source & the destination is broken.
    • The withdrawn crypto-assets are therefore anonymized.
  • While tokens are in a Tornado Cash pool, the custody remains in users’ hands.
  • Users, therefore, have a complete control over their tokens.
For traditional Tornado Cash fixed amount pools:
  • When a user puts funds into a pool (a.k.a. the deposit), a private note is generated.
    • This private note works as a private key for the user to access those funds later.
  • To withdraw them, the same user can use a different address - an old or a new one - and recover his/her funds thanks to this private key.
For Tornado Cash Nova, the new ETH pool with arbitrary amounts & shielded transfers:
  • Funds are directly linked to a given wallet address. There is no private note or key. Users can access their funds by connecting to the pool with the appropriate address.
  • Custody is either acquired by the act of depositing tokens into the pool or by registering to the pool & receiving shielded transfers from another address.

The strength of such a protocol comes naturally from its number of users and the size of its pool. The more users deposit into the pool the merrier. However, to preserve privacy & anonymity, the user must keep some basic rules in mind such as:

  • Using a relayer to pay gas at withdrawal;
  • Leaving a lapse of time between the deposit & the withdrawal action;
  • Mixing its funds with the crowd by waiting for several transactions before recovering its assets.
Contribution of zk-SNARK & hashing process
  • Tornado.Cash use Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (also called zk-SNARK) to verify & allow transactions.
  • To process a deposit, Tornado.Cash generates a random area of bytes, computes it through the Pederson Hash (as it is friendlier with zk-SNARK), then send the token & the 20 mimc hash to the smart contract.
    • The contract will then insert it into the Merkle tree.
  • To process a withdrawal, the same area of bytes is split into two separate parts: the secret on one side & the nullifier on the other side.
    • The nullifier is hashed.
    • This nullifier is a public input that is sent on-chain to get checked with the smart contrat & the Merkle tree data. It avoids double spending for instance.
  • Thanks to zk-SNARK, it is possible to prove the 20 mimc hash of the initial commitment and of the nullifier without revealing any information.
  • Even if the nullifier is public, privacy is sustained as there is no way to link the hashed nullifier to the initial commitment.
    • Besides, even if the information that the transaction is present in the Merkle root, the information about the exact Merkle path, thus the location of the transaction, is still kept private.
  • Deposits are simple on a technological point of view, but expensive in terms of gas as they need to compute the 20 mimc hash & update the Merkle tree.
  • At the opposite, the withdrawal process is complex, but cheaper as gas is only needed for the nullifier hash and the zero-knowledge proof.
Community in Tornado Cash
  • In a Decentralized Autonomous Organization (DAO), significant elements such as protocol parameters & token distribution are controlled by the community through governance.
  • This governance allows the community to shape & continuously improve the protocol. However, the role of a community does not stop to suggesting proposals & expressing its opinion through votes.
  • The community can also actively contribute to the success and prosperity of their protocol through constructive debates, mutual help and specific actions.
  • You can meet Tornado.Cash community on its very own forum & on social medias. Here are useful links to join Tornado.Cash community
Token in Tornado Cash

TORN is an ERC20-compatible token with a fixed supply that governs Tornado.Cash. TORN holders can make proposals and vote to change the protocol via governance.

TORN is not a fundraising device or investment opportunity.

Here’s how the initial distribution of TORN would break down:

  • 5% (500,000 TORN): Airdrop to early users of Tornado.Cash ETH pools
  • 10% (1,000,000 TORN): Anonymity mining for Tornado.Cash ETH pools, distributed linearly over 1 year
  • 55% (5,500,000 TORN): DAO treasury, will be unlocked linearly over 5 years with 3 month cliff
  • 30% (3,000,000 TORN): Founding developers and early supporters, will be unlocked linearly over 3 years with 1 year cliff
  • Users who have believed in Tornado.Cash from early on should have a say in governing the protocol. For this reason, early adopters of the protocol did receive an airdrop of TORN.
  • TORN has been airdropped to all addresses that made deposits into Tornado.Cash ETH pools before block 11400000.
  • TORN were airdropped in the form of a non-transferable TORN voucher (vTORN) that can be redeemed 1:1 to TORN within 1 year, from December 18, 2020, to December 18, 2021.
  • TORN that aren’t redeemed will be swept into the governance contract after 1 year and become part of the DAO Treasury.
    • Redeemed TORN will be available immediately.
  • The airdropped amount depends on users’ deposit size and age — larger deposits and older deposits will receive more TORN. Multipliers for deposit size are logarithmic:
  • So a 100 ETH deposit get twice as many tokens as a 1 ETH deposit. The multiplier allows large and small users of Tornado.Cash to both have a say in governance.
  • image
  • The exact curve for the time multiplier looks like this:
  • image
  • The exact airdrop formula is the following:
  • image