Research Shows Privacy Flaws in Mimblewimble Protocol
NEWS
November 18  |  3 min read

Research Shows Mimblewimble’s Privacy Model Is Flawed

The COIN360 Editorial Team

Crypto research and analysis firm Dragonfly Research has published an experiment in which it linked the senders and recipients of 96% of Grin transactions, highlighting privacy weaknesses in the Mimblewimble protocol. Mimblewimble has no addresses in the Bitcoin sense; what the attack recovers is the transaction graph, i.e. which inputs paid which outputs.

The Mimblewimble protocol is a scalable, privacy-oriented blockchain protocol, and its best-known implementation is the privacy coin Grin. Recently, however, researchers have shown that Mimblewimble on its own is not an adequate privacy layer for transactions, exposing weaknesses that lie in the protocol itself rather than in any one implementation.

According to the report, by spending $60 a week on Amazon Web Services, Ivan Bogatyy, Editor at Dragonfly Research and General Partner at MetaStable Capital, was able to link the sender and recipient of 96% of Grin transactions in real time. The write-up describes how he performed a linkability attack on Grin's peer-to-peer network, thereby exposing Mimblewimble's privacy issues.

A linkability attack reconstructs the flow of payments by linking transaction inputs to outputs, i.e. determining who paid whom. Amounts, however, stay hidden: Mimblewimble records every output as a Pedersen commitment, an elliptic-curve commitment that hides the value behind a secret blinding factor while still letting anyone verify that a transaction's inputs and outputs balance.

The research contrasts this with Zcash and Monero, which are not exposed to this kind of attack: shielded Zcash transactions draw on a large anonymity set in which each shielded transaction is indistinguishable from the rest, and Monero hides the real input among decoys using ring signatures. In Mimblewimble, by contrast, the anonymity set can shrink to a single transaction because the protocol "leaves a linkable transaction graph."

Mimblewimble relies on two techniques to reduce linkability. The first is full-block cut-through aggregation: all transactions in a block are merged into a single "super-transaction" whose inputs and outputs are no longer grouped, so from the block alone there is no easy way to tell who sent what to whom. This protection is incomplete, because the super-transaction is built up one transaction at a time: anyone who observes transactions as they propagate sees them individually, before they are aggregated into the block. The second technique is the Dandelion protocol, which obscures the origin of a transaction by relaying it in two phases: a "stem" phase, in which the transaction is passed from node to node along a random path for a random number of hops (Grin's implementation may also merge it with other transactions waiting at the same stem node), and a "fluff" phase, in which it is finally broadcast to the whole network. The intent is that by the time a transaction is broadcast, no one can tell where it originated.

Additionally, each Grin node connects to only 8 peers by default. Bogatyy noted that "by jacking up the number of peers," a sniffer node could connect to every node in Grin's network, effectively becoming a supernode. Such a supernode sits on the path of Dandelion relays and receives transactions before they are aggregated into the block's super-transaction, which lets it link each transaction's inputs to its outputs, and thus its sender to its recipient. In the experiment, connecting to just 200 of the roughly 3,000 peers in Grin's network was enough to link 96% of all transactions.
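As an added illustration (my own toy model, not Dragonfly Research's tooling or Grin's code) of the three points made above: Pedersen commitments let a block verifier check that amounts balance without seeing them, cut-through aggregation erases transaction boundaries for anyone who only sees the mined block, and a sniffer that receives transactions before aggregation recovers the grouping anyway, so only transactions that were already merged in the stem keep an anonymity set larger than one. The assumptions are mine: the commitment is computed in the multiplicative group modulo a Mersenne prime rather than on Grin's secp256k1 curve, Dandelion is reduced to "a transaction is fluffed alone unless it was merged with another in the stem", the sniffer is assumed to receive every fluffed unit, and the transactions are randomly generated inside the script.

```python
"""Toy model of the Grin linkability attack: amounts stay hidden, the graph does not."""
import random

# Toy Pedersen commitment in the multiplicative group mod a Mersenne prime.
# (Grin uses secp256k1 points; the group is swapped for brevity, the algebra is the same.)
P = 2**127 - 1          # prime modulus, group order P - 1
ORDER = P - 1
G, H = 3, 5             # value base and blinding base (toy choice)


def commit(value, blind):
    """C = G^value * H^blind (mod P): hides `value` as long as `blind` stays secret."""
    return pow(G, value, P) * pow(H, blind, P) % P


def verify_balance(inputs, outputs, excess):
    """True iff the values sum up: prod(outputs) / prod(inputs) == H^excess means the G
    exponents cancelled, without the verifier learning any individual value."""
    acc = 1
    for c in outputs:
        acc = acc * c % P
    for c in inputs:
        acc = acc * pow(c, P - 2, P) % P      # multiply by the modular inverse
    return acc == pow(H, excess, P)


def make_tx(in_coins, out_coins):
    """Build a transaction from (value, blind) pairs. Returns (inputs, outputs, kernel excess);
    the excess is the blinding-factor difference, published like a Grin kernel."""
    ins = [commit(v, r) for v, r in in_coins]
    outs = [commit(v, r) for v, r in out_coins]
    excess = (sum(r for _, r in out_coins) - sum(r for _, r in in_coins)) % ORDER
    return ins, outs, excess


def aggregate(txs):
    """Cut-through aggregation into one super-transaction: inputs and outputs of all
    transactions are pooled (grouping lost), outputs created and spent in the same batch
    are removed from both sides, and the kernel excesses simply add up."""
    ins = [c for i, _, _ in txs for c in i]
    outs = [c for _, o, _ in txs for c in o]
    cut = set(ins) & set(outs)
    ins = [c for c in ins if c not in cut]
    outs = [c for c in outs if c not in cut]
    return ins, outs, sum(e for _, _, e in txs) % ORDER


def propagate(txs, stem_merge_prob, rng):
    """What a well-connected sniffer receives during Dandelion fluff (assumption: it sees
    every fluffed unit). A transaction is fluffed alone unless it was merged with the next
    one in the stem, modelled crudely as random pairing with probability stem_merge_prob."""
    seen, i = [], 0
    while i < len(txs):
        if i + 1 < len(txs) and rng.random() < stem_merge_prob:
            seen.append(aggregate(txs[i:i + 2]))
            i += 2
        else:
            seen.append(txs[i])
            i += 1
    return seen


def link(block_ins, block_outs, seen):
    """For each block output, the inputs it could have been paid from. Block-only observer:
    every input in the block. Sniffer: exactly the inputs of the unit it saw the output in."""
    cand = {c: frozenset(block_ins) for c in block_outs}
    for ins, outs, _ in seen:
        for c in outs:
            if c in cand:
                cand[c] = frozenset(ins)
    return cand


def simulate(n_tx=50, stem_merge_prob=0.1, seed=1):
    """Returns (sniffer fraction, block-only fraction) of transactions whose exact
    inputs -> outputs mapping each observer recovers. Transactions are constructed randomly."""
    rng = random.Random(seed)
    txs = []
    for _ in range(n_tx):
        v = rng.randrange(2, 10**6)
        change = rng.randrange(1, v)              # pay v - change, keep change
        txs.append(make_tx([(v, rng.randrange(ORDER))],
                           [(v - change, rng.randrange(ORDER)), (change, rng.randrange(ORDER))]))
    seen = propagate(txs, stem_merge_prob, rng)
    block_ins, block_outs, excess = aggregate(txs)
    assert verify_balance(block_ins, block_outs, excess)   # block valid, amounts never revealed

    def recovered(cand):
        return sum(all(cand[c] == frozenset(ins) for c in outs) for ins, outs, _ in txs) / n_tx

    return recovered(link(block_ins, block_outs, seen)), recovered(link(block_ins, block_outs, []))


if __name__ == "__main__":
    sniffer, block_only = simulate()
    print(f"sniffer links {sniffer:.0%} of transactions, block-only observer {block_only:.0%}")
```

Raising `stem_merge_prob` is the only knob that lowers the sniffer's hit rate in this model, which is the article's point in miniature: aggregation protects a transaction only if it happens before the transaction reaches an observer, and with few transactions in flight that rarely occurs.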

The research concludes that Mimblewimble still hides transaction amounts effectively, and recommends that, to protect users' privacy, it be combined with a different protocol that hides the transaction graph.