January 10, 2020

In my last blog post, I said that tornado is a fantastic building block that will let some clever developers build a much more private Ethereum wallet. In this post I’m going to describe the wallet I’d like to use.

I’ll sacrifice a little privacy for lots of convenience #

I don’t want to have to think about anonymity sets or unspent transaction outputs, and I’m not going to keep track of separate ‘accounts’ for everyone I interact with financially. I want an opinionated wallet that doesn’t ask me a lot of questions, but is easy to use and makes it a lot harder for somebody to see what I’m doing by tracking transactions on the blockchain.

Ideally, setting up / backing up the wallet is just “write down these twelve words…” and that master private key is used to generate (or re-generate if I’m restoring the wallet) all the secrets needed.

If data has to be backed up somewhere other than the blockchain every time I create a transaction then that needs to be easy… and I haven’t seen a truly easy solution to that sticky problem. Linking the wallet to DropBox or Google Drive or an email address are all clunky, fragile solutions.

The wallet would give you a normal ETH/ERC20 address where you would receive ether or tokens. But after funds were received to that address, the wallet would automatically forward them into tornado.

And the next time a receiving address was needed, the wallet would generate a new one.

For example, receive 1.4 ETH and the wallet would make five tornado deposits (one for 1 ETH and four for 0.1 ETH).

Receive 1.45 ETH… and we’ve run into a problem. To preserve privacy tornado only allows deposits in increments of 0.1, 1, 10 and 100 ETH. What should the wallet do with the extra 0.05 ETH? Let’s ignore that for now and talk about:

Sending is a three-step process: First, make one more more withdrawals from tornado to a never-before-used address (with transaction fees paid by a relay service as necessary). Second, send funds to the destination address. And third, re-deposit any leftover funds back into tornado. The wallet would do all that automatically; I’d just poke the “send 11 ETH to adress 0xabc…” buttons.

We’ve got the same problem with leftover bits of ETH; if I pay somebody 0.95 ETH, I’ll have 0.05 ETH left. It is tempting to just have the wallet keep track of all the leftover bits, and when it gets enough of them combine them together and deposit them into tornado. But that’s a bad idea; combining them links them together, which is exactly what we are trying to avoid.

I’ll be happy with dead-simple sending and receiving of just ETH, with my funds always stored inside tornado and withdrawn only when I send. If I want to do something fancy like earn trading fees by being a Uniswap liquidity provider or earn interest on Compound I can always send to a full-featured traditional wallet. When I want to spend some of the accumulated fees or interest I can always move the funds back to the private wallet and then spend from there.

Maybe version 2.0 of the wallet could let me maintain a separate cDAI (or cUSDC) balance inside tornado, like an interest-bearing checking account. And maybe version 2.0 could integrate with Uniswap so I could easily send any Uniswap-supported token.

(And maybe this is where ethereum wallet developers tell me I’m an idiot and if the private wallet can send and receive then all the tornado stuff can be hidden away behind a web3.0-compatible API so it is a drop-in replacement for Metamask…)

The “change” problem #

The Wasabi Wallet FAQ has this to say about change:

There are no hard and fast rules for what to do with the change. Generally try to avoid the change and use the Max button extensively at sending. The most problematic type of change is what has anonymity set 1 (red shield.) You should treat it as a kind of toxic waste (handled with great care).

A future version of tornado might support depositing and withdrawing arbitrary amounts, which is the best solution to the problem. You still shouldn’t deposit 1,987.542 ETH on a Monday then move exactly that amount a week later, but if you use the wallet as a wallet and not a one-time mixer you’ll have much better privacy than today’s wallets.

Or somebody could write a PoolTogether-like smart contract that bundled up loose change, periodically picked ‘winners’ fairly at random, and then made tornado deposits on behalf of the winners. I think people would use an opinionated wallet that “rounds wallet balances up or down, at random, to the nearest 0.1 ETH to help maintain your privacy.”

I’d also be happy with an opinionated wallet that “rounds down balances for privacy” and automatically sent the change to the wallet developer’s favorite charity (or maybe goes to fund wallet development, or a little bit of both). The minimum tornado deposit amount is 0.1 ETH, and most payments on the ethereum chain are a couple of ETH– the median ETH transaction value is about 2 ETH. So if you are like a typical ETH user, you would end up donating something like 5% to charity. Not a huge price to pay for privacy, especially if it goes to a good cause.

108 Kudos