Vitalik Buterin praises compliance-focused privacy project Railgun for preventing zkLend attacker from laundering stolen funds

The Block, 6 days ago

Ethereum founder Vitalik Buterin, in a post on Thursday, praised Railgun for successfully thwarting the zkLend attacker’s attempt to wash his stolen funds, calling it a demonstration of what compliant, onchain privacy can look like.

“This is a solid demonstration of Railgun's privacy pools mechanism working in practice, allowing Railgun to avoid serving proceeds of crime without using any snooping / backdoors,” Buterin wrote. 

The move is significant given the hurdles many privacy projects in crypto have faced — including, in recent years, a concerted effort to clamp down on so-called blockchain “mixers,” including Tornado Cash and Bitcoin Fog. 

While Bitcoin was born out of the largely pro-digital-privacy cypherpunk movement, these systems today are largely operational only because anyone can “trustlessly” audit the chain. 

Railgun is a protocol that enables users to conduct anonymous transactions on Ethereum by using zero-knowledge proofs and liquidity pools to hide details about the sender, recipient and transaction amount. 

However, unlike most so-called “mixers,” Railgun has implemented a system called “Private Proofs of Innocence” designed to block illicit funds from entering the privacy pool. When deposited into Railgun, tokens are automatically screened against a list of known malicious addresses. If found to have a suspicious provenance, the tokens will not be allowed to enter the protocol’s privacy set and can only be withdrawn to the original address.

It appears that is precisely what happened on Railgun. 

On Feb. 12, an attacker began exploiting a previously unknown “rounding error bug” in the Starknet-based money-market protocol zkLend that allowed him to withdraw 3,600 ETH (worth around $9.5 million at the time).

After inflating his balance by manipulating the “lending_accumulator” through repeated deposits and withdrawals of wstETH, the attacker bridged his assets to the Ethereum mainchain and moved them to Railgun.

Because all of this so far was visible onchain, the zkLend team contacted the hacker in an attempt to get him to send back the majority of the funds and keep 10% as a “white hat” reward.

“We are actively tracking the funds and pursuing the identification of the hacker, in collaboration with @StarkWareLtd, the @StarknetFndn, @zeroshadow_io (formerly @chainalysis Incident Response), Binance Security Team, and @HypernativeLabs,” the team posted. 

The attacker has yet to take up the offer, and the funds are sitting in his address, which has been marked on most blockchain scanners as being associated with the zkLend attack.

“He can use Tornado Cash (contracts are still working) or probably can use fake KYC to launder money through CEXes… or maybe use non-KYC exchanges,” blockchain threat researcher Vladimir S. told The Block in a direct message. “But this is very unlikely because his address is flagged everywhere. The best for the attacker is to return the money because otherwise costs for transferring may exceed 90% lol.”

Hackers are increasingly being thwarted by onchain sleuths who can keep track of blockchain hops. To some degree, onchain privacy would increase the threat of attacks. However, projects like Railgun, which cater to “honest” uses like anonymizing payroll and payments, offer a middle-ground approach. 

Buterin has been writing about the possibility of compliant privacy tools since at least 2023 when he co-authored a research paper on "Privacy Pools" that would use curated privacy sets to screen out potential bad actors. 

“If you disagree with Railgun's filters, anyone is free to fork and make their own pool with their own rules, though if you can't get reasonably wide public support you're going to have a tiny anonymity set,” Buterin said.
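As an added illustrative model, not Railgun's contracts or its Private Proofs of Innocence code, the following Python sketch shows the deposit screening flow described earlier (screen on entry, quarantine flagged funds, allow them out only to the depositing address) together with the point in Buterin's remark that a pool's rules are just its blocklist, which a fork could replace. The addresses and the blocklist are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample addresses for this illustration, not real accounts.
ALICE = "0x000000000000000000000000000000000000a11c"
TAGGED = "0x000000000000000000000000000000000000bad1"  # address tracers have flagged

@dataclass
class Deposit:
    depositor: str
    amount: int
    status: str = "pending"  # pending -> shielded | flagged -> withdrawn

class ScreenedPool:
    def __init__(self, blocklist):
        self.blocklist = {a.lower() for a in blocklist}  # the pool's rules; a fork could ship its own
        self.deposits = []
    def deposit(self, depositor, amount):
        self.deposits.append(Deposit(depositor.lower(), amount))
        return len(self.deposits) - 1  # deposit id
    def screen(self, dep_id):
        dep = self.deposits[dep_id]
        if dep.status != "pending":
            raise ValueError("already screened")
        # Only unflagged funds join the privacy set; flagged ones are quarantined.
        dep.status = "flagged" if dep.depositor in self.blocklist else "shielded"
        return dep.status
    def anonymity_set_size(self):
        return sum(d.status == "shielded" for d in self.deposits)
    def withdraw(self, dep_id, recipient):
        dep = self.deposits[dep_id]
        if dep.status in ("pending", "withdrawn"):
            raise PermissionError("not withdrawable in state " + dep.status)
        # Quarantined funds may only go back to the address that deposited them.
        if dep.status == "flagged" and recipient.lower() != dep.depositor:
            raise PermissionError("flagged funds may only return to the depositing address")
        dep.status = "withdrawn"
        return dep.amount

def demo():
    pool = ScreenedPool(blocklist=[TAGGED])
    clean, tainted = pool.deposit(ALICE, 5), pool.deposit(TAGGED, 3600)
    out = {"clean": pool.screen(clean), "tainted": pool.screen(tainted)}
    out["anon_set"] = pool.anonymity_set_size()
    try:  # trying to move the flagged funds to a fresh address is refused
        pool.withdraw(tainted, "0x0000000000000000000000000000000000000b0b")
        out["laundered"] = True
    except PermissionError:
        out["laundered"] = False
    out["returned"] = pool.withdraw(tainted, TAGGED)  # the only exit: back to origin
    return out
```

Note that the clean deposit is the whole anonymity set here; with a restrictive or unpopular rule set that number stays small, which is the trade-off Buterin describes.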

Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.

© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity by email to support@aicoin.com, and the platform's staff will investigate.
