# Full Report
Tornado Cash is a smart-contract cryptocurrency mixer. It lets a user deposit funds from one address and withdraw them at another without creating a traceable link between the two addresses. Seems impossible, right? It all comes down to zero-knowledge proofs: a proof that an operation was carried out correctly without giving away the secret value. RSA offers a familiar analogy: I can prove I know two secret prime numbers without ever showing you those primes. The owners of Tornado got sued by the US government because of how well it works for money laundering. A user can put money in, and there is no possible way to associate the input address with the output address. Although you can tell that an address deposited into or received funds from Tornado Cash, you cannot figure out who sent to whom.

The naive, non-private solution is to create two secret numbers and put their hash on the chain; whoever can reveal the two secret numbers can take the money out. To make this private, we can loop over the whole list of hashes and OR all of the checks together inside a zero-knowledge proof. This proves that our hash is a valid one in the list without revealing which hash we proved. Merkle trees are a common data structure in blockchains because they are easy to verify, so instead of iterating through a list of hashes we use a Merkle tree. In particular, the withdrawer must prove knowledge of the preimage of a leaf without revealing the leaf, and demonstrate a valid Merkle proof for that leaf. If we removed a leaf from the Merkle tree, that would disclose which item we were taking out.

So how do we prevent double spends? The hash from above was over two numbers: a nonce and a secret value. The contract uses a hash of the nonce to record whether this leaf has already been used, so a second withdrawal with the same nonce fails. Naturally, proving knowledge of the nonce is also done inside the zk proof. This strategy is called a nullifier scheme.

The Merkle tree needs to be faster to be usable, so some optimizations have been made. First, the tree has a fixed depth, holding 2^32 deposits, with every leaf starting out as 0. Second, each new deposit overwrites the left-most leaf that does not yet have a value. These two quirks have an immense impact on how the program works. Since every update goes into the left-most empty leaf, everything to the right of it is still 0. Because of this, they have precomputed the hash of an all-zero subtree at every depth, which makes the program more efficient. The second shortcut is that, since we add leaves in a consistent order, we do not have to recalculate the whole tree on every insert; we can reuse previously cached values and only update the small chunk that the new leaf actually touches. Pretty neat! The rest of the article goes into the code of the project. I still do not understand how the program performs the zero-knowledge proofs, but at least I understand why they are being used. Awesome article!
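As an added example (not code from the article or from the Tornado Cash project), here is the incremental tree described above in Python: the all-zero subtree hash is precomputed once per height, one left sibling is cached per height so an insert rehashes only a single path, and the leaf is the note commitment H(nonce, secret) from the nullifier scheme. It assumes sha256 in place of the MiMC/Pedersen hash Tornado uses in-circuit and a small depth rather than the article's 2^32 capacity; `naive_root` rebuilds the whole tree so the shortcut can be checked against it.

```python
import hashlib

# Tornado hashes with MiMC/Pedersen inside its circuit; sha256 stands in here (assumption).
def H(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(left + right).digest()

def commitment(nonce: bytes, secret: bytes) -> bytes:
    """Deposit leaf: hides both values. On withdrawal only H(nonce) (the nullifier) is published."""
    return H(nonce, secret)

class IncrementalMerkleTree:
    """Append-only tree in the style of Tornado's MerkleTreeWithHistory. Leaves fill
    left to right, so every unfilled slot is a zero leaf and the root of an all-zero
    subtree can be precomputed once per height instead of recomputed on every insert."""

    def __init__(self, depth: int):
        self.depth, self.next_index = depth, 0
        self.zeros = [b"\x00" * 32]                 # zeros[h]: root of a zero subtree of height h
        for h in range(depth):
            self.zeros.append(H(self.zeros[h], self.zeros[h]))
        self.filled_subtrees = self.zeros[:depth]   # latest *left* sibling cached per height
        self.root = self.zeros[depth]

    def insert(self, leaf: bytes) -> int:
        """Write the left-most empty leaf and rehash only its path: `depth` hashes, not 2^depth."""
        if self.next_index >= 2 ** self.depth:
            raise ValueError("tree is full")
        idx, cur = self.next_index, leaf
        for h in range(self.depth):
            if idx % 2 == 0:                        # left child: cache it; right sibling is still zero
                self.filled_subtrees[h] = cur
                cur = H(cur, self.zeros[h])
            else:                                   # right child: left sibling was cached earlier
                cur = H(self.filled_subtrees[h], cur)
            idx //= 2
        self.root = cur
        self.next_index += 1
        return self.next_index - 1

def naive_root(leaves: list, depth: int) -> bytes:
    """Reference check: pad to 2^depth zero leaves and hash the whole tree bottom-up."""
    level = leaves + [b"\x00" * 32] * (2 ** depth - len(leaves))
    while len(level) > 1:
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]
```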
# Analysis Summary
# Tool/Technique: Tornado Cash
## Overview
Tornado Cash is a decentralized, non-custodial cryptocurrency privacy solution built on the Ethereum blockchain. It functions as a "mixer" or "tumbler" that breaks the on-chain link between a source address (depositor) and a destination address (withdrawer). While designed for financial privacy, it has been historically leveraged by various threat actors to obfuscate the movement of stolen funds and conduct money laundering.
## Technical Details
- **Type**: Smart Contract Protocol / Financial Obfuscation Tool
- **Platform**: Ethereum Virtual Machine (EVM) compatible blockchains
- **Capabilities**: Transaction mixing, zero-knowledge proofs, linkability breaking, automated fund distribution.
- **First Seen**: August 2019
## MITRE ATT&CK Mapping
- **[TA0011 - Command and Control]** (Used for infrastructure funding)
- **[TA0010 - Exfiltration]** (Often the endpoint for stolen digital assets)
- **[T1539 - Steal Web Session Cookie]** (Indirectly related via governance hacks)
- **[T1020 - Automated Exfiltration]**
- **[T1565.001 - Data Manipulation]** (Relevant to the 2023 governance hack mentioned in the article)
## Functionality
### Core Capabilities
- **Merkle Tree Deposit System**: Users deposit a fixed amount of ETH or tokens into the contract. Upon deposit, a "commitment" (a hash of a secret and a nullifier) is generated and added as a leaf to an on-chain Merkle Tree.
- **Zero-Knowledge Proofs (zk-SNARKs)**: To withdraw, a user provides a ZK proof that they possess a secret corresponding to a leaf in the Merkle Tree without revealing which leaf is theirs.
- **Nullifier Scheme**: To prevent double-spending, the protocol uses a "nullifier." Once a specific secret is used to withdraw, its nullifier hash is recorded on-chain. If the same nullifier is presented again, the contract rejects the transaction.
### Advanced Features
- **Incremental Merkle Tree**: Optimized for gas efficiency; the tree has a fixed depth (2^32) and only updates small chunks of the tree rather than recalculating the entire structure.
- **Anonymity Mining**: Reward systems that incentivize users to keep funds in the mixer longer, increasing the "anonymity set."
- **Relayer Network**: Allows users to withdraw funds to a fresh address with zero ETH by using a third-party (Relayer) to pay for gas in exchange for a fee, further decoupling the withdrawal from any previous identity.
## Indicators of Compromise
- **Network Indicators (Defanged)**:
- `tornadocash[.]eth`
- `tornado[.]cash`
- `app[.]tornado[.]cash`
- Ethereum Contract Address: `0x1111111254fb6c44bac0bed2854e76f90643097d` (Example of a common router/aggregator link)
- **Behavioral Indicators**:
- Outbound transfers from compromised wallets to known Tornado Cash contract addresses.
- Inbound transfers to new, "clean" wallets originating from Tornado Cash: `0x47CE0C6FDe5D0C257752fBa5D0c98150EF5b6510` (Tornado Cash Router).
## Associated Threat Actors
- **Lazarus Group (APT38)**: Extensively used Tornado Cash to wash funds from the Ronin Bridge and Harmony Bridge heists.
- **Various DeFi Exploiters**: Common tool for "exit" stages of smart contract exploits.
## Detection Methods
- **Blockchain Analytics**: Monitoring for the disposal of assets into Tornado Cash contracts using tools like Chainalysis or Elliptic.
- **Heuristic Analysis**: Identifying "clean" wallets that receive their initial gas funding from the Tornado Cash Relayer addresses.
- **Smart Contract Monitoring**: Utilizing Event Logs (e.g., `Deposit` and `Withdrawal` events) on the Ethereum blockchain to track volume and timing of suspicious activity.
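The two behavioral heuristics above, as an added example that is not part of the original summary: a single pass over constructed transfer records (not real chain data) that flags wallets sending directly to a known mixer address and fresh wallets whose very first inbound transfer came from one. The only real address reused is the router address listed under Indicators of Compromise; every other wallet name is a placeholder.

```python
from collections import defaultdict

# The one real address is the Tornado Cash Router listed on this page; lower-cased for matching.
MIXER_ADDRESSES = {"0x47ce0c6fde5d0c257752fba5d0c98150ef5b6510"}

# Constructed sample transfers (sender, receiver, value in ETH) in chronological order.
# Wallet names are placeholders, not real accounts.
SAMPLE_TRANSFERS = [
    ("0xVictimWallet", "0x47CE0C6FDe5D0C257752fBa5D0c98150EF5b6510", 100.0),  # deposit
    ("0x47CE0C6FDe5D0C257752fBa5D0c98150EF5b6510", "0xFreshWallet", 99.9),   # withdrawal
    ("0xFreshWallet", "0xExchangeDeposit", 50.0),                            # cash-out hop
    ("0xAlice", "0xBob", 1.0),                                               # unrelated
]

def flag_transfers(transfers, mixers=MIXER_ADDRESSES):
    """Map address -> sorted list of reasons it was flagged.
    direct_deposit: the address sent funds to a known mixer contract.
    mixer_funded:   the address's very first inbound transfer came from a mixer
                    (the 'clean wallet' heuristic); a later mixer inflow to an
                    already-funded wallet is deliberately not matched by this rule.
    downstream:     the address received funds from a mixer_funded wallet."""
    reasons = defaultdict(set)
    first_funder = {}
    for sender, receiver, _value in transfers:
        src, dst = sender.lower(), receiver.lower()
        if dst in mixers:
            reasons[src].add("direct_deposit")
        elif dst not in first_funder:
            first_funder[dst] = src
            if src in mixers:
                reasons[dst].add("mixer_funded")
        if "mixer_funded" in reasons.get(src, ()):
            reasons[dst].add("downstream")
    return {addr: sorted(r) for addr, r in reasons.items()}
```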
## Mitigation Strategies
- **Asset Tainting**: Centralized exchanges (CEXs) often blacklist or freeze accounts that interact directly with Tornado Cash addresses.
- **Smart Contract Blacklisting**: Protocols can integrate "Oracle" services (like Chainalysis) to block addresses associated with sanctioned entities or mixers from interacting with their front-end or contracts.
- **OFAC Sanctions Compliance**: Adherence to the U.S. Treasury’s Specially Designated Nationals (SDN) list regarding the Tornado Cash smart contract addresses.
## Related Tools/Techniques
- **Railgun**: A private DeFi protocol.
- **Monero (XMR)**: A privacy-centric cryptocurrency often used in conjunction with mixers.
- **Tumblers/Mixers**: General class of tools (e.g., Blender.io, ChipMixer) used for the same obfuscation purpose on different blockchains.