Grin and Mimblewimble have published a rebuttal to research released yesterday in which a researcher argued, by performing an “attack”, that the Mimblewimble protocol is “fundamentally flawed”. According to Grin developers, the attack described in the research “is a misunderstanding of a known limitation.”
Yesterday, the team behind the privacy coin Grin published a response to an article claiming that Mimblewimble’s privacy model is flawed to the extent that one researcher at Dragonfly Capital Partners was able to identify the addresses of senders and recipients of 96% of all Grin transactions by performing a linkability attack.
Grin’s response, which is not a point-by-point refutation of the research but a general overview of the most relevant issues it raises, states that the article “Breaking Mimblewimble’s Privacy Model” is not factually accurate, as it “contains many logical leaps that are not substantiated via the network analysis exercise that is described.”
One of the research’s most severe accusations is that, because transaction addresses were allegedly traceable, law enforcement could identify whether people obtained their crypto from a darknet market or from a country banned by OFAC, among other illicit sources. In Grin’s answer, the researcher is accused of “conveniently” confusing transaction outputs (TXOs) with addresses.
According to Grin’s response, Mimblewimble’s most fundamental privacy benefit is the fact that it doesn’t have addresses that can be linked to any particular cryptocurrency wallet. In order to exchange value, users add one-time outputs to a transaction, leaving no trace of addresses on the network or the chain data. Therefore, the linking of addresses referred to in the “Breaking Mimblewimble’s Privacy Model” article cannot be performed.
Grin stated that while Mimblewimble does, in fact, leave a transaction graph, it doesn’t reveal sender and receiver outputs, as it is hard to distinguish change outputs from recipient outputs. Furthermore, even though transaction linkability is something the company is aware of and has acknowledged in the past, it is not something that “breaks” Mimblewimble, least of all “renders it or Grin’s privacy features useless.”