Privacy for large amounts of Ethereum

With Tornado Cash and Railgun mixers

13 Nov 2023

Blog Privacy for large amounts of Ethereum

This report outlines important concepts, common footguns and tools that are available to establish privacy when transacting on the Ethereum blockchain. The report also presents a fee breakdown of these tools, and presents a strategy/recommendation for how to move a large volume of Ethereum, such that it can be used anonymously.

Key concepts

Mixing crypto

A contract such as Tornado Cash works on a concept of blending in with the crowd. Imagine a room filled with observers, in the middle is a table. User-A places 100 ETH on the table (akin to depositing funds into the contract) and receives a private note that gives the holder the ability to redeem 100 ETH. As time goes by more and more users place 100 ETH on the table. A few weeks later, User-B withdraws 100 ETH from the pool. To an outside observer, it’s not clear whose 100 ETH User-B withdrew from the pool. The funds are now mixed. The more funds deposited and withdrawn before during and after a user’s mixing, the larger the anonymity set, and the more anonymized or mixed the crypto becomes.

Relays

To withdraw from a mixing contract, one must interact with the contract. Interacting with a smart contract results in a transaction taking place which is recorded publicly on the blockchain. If a relayer is not used, paying the transaction fee becomes problematic because the transaction fee must be paid from an address you control, and that address will now be linked to the withdrawal. This is where relayers come into play. A relayer acts as a third party that will interact with the contract for you. The relayer deducts the cost of the tx fee from the funds being transferred, and will often charge a premium. The premium varies between mixers; some mixers offer a relay service that charges a percentage of the amount withdrawn (Tornado Cash), others will deduct a percentage of the tx fee (Railgun).

Some mixers allow the user to elect not to use a relayer, the user instead pays the tx fee themselves from a wallet of their choice. To make use of this option the address paying the tx fees needs to be anonymous, to protect anonymity it should not be possible to trace the origin of the address’ funds. Funding a wallet anonymously can be challenging. To fund a wallet anonymously one can:

  1. If one doesn’t mind linking an existing funded address to a mixer, one can run a nominal amount of funds through a mixer (making use of the mixer’s relay) and siphon them to the address that will be paying the tx fee.
  2. Purchase crypto from a peer-to-peer marketplace that does not require KYC to fund the address. Payment can be made to the seller via cash code withdrawal from an ATM (preferred if using this methood) or bank transfer.

Note that both methods are extremely tedious, as one must use a fresh address to pay the tx fee for each individual withdrawal from the mixer (each time the relay is bypassed), otherwise anonymity will be compromised.

Primary concerns

When determining which tool to use to establish privacy, there are some key concerns that must be front of mind to evaluate different mixing services:

  • A mixer will often enforce a deposit/withdrawal limit, this can be done for a few reasons:
    • The software is experimental, and its developers do not want to give users the ability to deposit huge sums of crypto.
    • Lower deposit/withdrawal limits are often associated with less criminal activity, as it makes it much more difficult to anonymise a large sum of crypto.
    • A large deposit (and subsequent withdrawal) can significantly compromise anonymity if the mixer does not already contain a large sum of crypto to mix with.
  • Amount of crypto in the mixer.
    • A small amount of crypto in the mixer reduces the anonymity set. Say a mixer contains 100 ETH; if User-A comes along and deposits 500 ETH, and then a few weeks later User-B withdraws 300 ETH, it can be inferred that the tokens withdrawn by User-B are those deposited by User-A.
  • Mixers that have been sanctioned are problematic for a number of reasons:
    • The contracts are monitored. Deposits/withdrawals to the contracts are scrutinized.
    • Deposits to a mixer are never private. Liquidating crypto from the deposit address/withdrawal address through a centralized exchange (CEX) becomes more challenging, and there is a high risk of funds being frozen before KYC is completed.
  • Fees and transaction cost.
    • Some mixers take a fee on deposits/withdrawals to fund the project’s treasury.  
    • Some mixers use contracts that consume a lot of gas when interacted with. The more data the contract function you are invoking writes to the blockchain, the more expensive the interaction with the contract will be.
  • Reputation of new mixers
    • Are any of the associated contracts upgradeable?
    • Could the frontend be compromised in some way?

Common footguns

Using a mixer does not guarantee privacy. Precautions should be taken:

  • Avoid depositing and immediately withdrawing.
    • If a deposit and withdrawal are right before and after each other, it is more likely they belong to the same person.
  • Avoid multiple withdrawals to the same address.
    • If there are a number of deposits from one address, and a number of withdrawals to a single address, they are likely connected. Try to spread out withdrawals, and prevent withdrawing to addresses linked with each other.
  • Avoid linking withdrawal addresses together.
    • Once funds are withdrawn from the mixer, care should be taken not to link withdrawal addresses to each other. For instance, if all withdrawal addresses are used to spin up ethereum validators, it could be inferred they are linked with each other. Additionally, transferring funds from one withdrawal address to another will link the addresses together, and reduce anonymity. 
  • Avoid withdrawing/depositing idiosyncratic amounts.
    • User-A deposits 2 ETH – Total balance 2 ETH.
    • User-B redeems 1.002 ETH – Total balance 0.99768311 ETH ( 2 – (1 + transaction fee) ).
    • User-C redeems 0.99768311 ETH.
    • It can now be assumed that these 3 transactions are linked to each other, potentially narrowing the anonymity set. Not a problem from mixers that enforce preset amounts for deposits/withdrawals.
  • Avoid the temptation to make multiple withdrawals/deposits in a short period of time.
    • This can be tempting, especially if one sees multiple other interactions with the mixer from someone else shortly after making a deposit/withdrawal. Be wary of a Sybil attack where a dishonest actor makes a number of deposits/withdrawals, to make it seem like the anonymity set is growing.

Tools evaluated

The following mixing tools were evaluated as part of this report:

Railgun

Railgun is a mixer that has only been around for a couple of years, it operates on the Ethereum, Binance Smart Chain, Polygon & Arbitrum networks. Railgun does not support shielding base tokens; deposited ETH will automatically be wrapped into WETH at a 1:1 ratio.

Tornado Cash

Tornado cash is deployed to many blockchains, including Ethereum, Polygon and Binance Smart Chain. It does not rely on any side chains or L2 solutions. Despite being sanctioned, it still has an active community.

RailgunTornado Cash
Deposit limitUnlimited100 ETH
Withdrawal limitUnlimited100 ETH
Pooled funds5,281 WETH109,800 ETH
SanctionedNoYes

Fee breakdown

For the purpose of this breakdown, the following figures are assumed:

  • ETH price: $2,000 USD
  • Gas: 30.5 gwei (average gas price for the year ending November 2023)
CostRailgunTornado Cash
Deposit – Gas ~900,000 ($54)~1,000,000 ($60)
Deposit – Mixer fee0.25% of ETH deposited0%
Deposit – Relay feeN/AN/A
Withdrawal – Gas~950,000 ($57)~350,000 ($21)
Withdrawal – Mixer fee0.25% of ETH withdrawn0%
Withdrawal – Relay fee~10% of gas fee*~0.3% – ~0.4% of ETH withdrawn
* Can be avoided. Varies based on supply/demand of relays. In periods of high demand and low supply, a relay might charge a fee as high as 100% of the gas fee.

Assuming one wants to anonymize 10,000 ETH, let’s use a deposit/withdrawal size of 100 ETH:

CostRailgunTornado Cash
Deposit – Gas$54 (0.02736 ETH)$60 (0.03040 ETH)
Deposit – Mixer fee$500 (0.25000 ETH)$0 (0.00000 ETH)
Deposit – Relay fee$0 (0.00000 ETH)$0 (0.00000 ETH)
Deposit – Total$554(0.27736 ETH)$ 60 (0.03040 ETH)
Withdrawal – Gas$57. (0.02888 ETH)$21 (0.01064 ETH)
Withdrawal – Mixer fee$498 (0.24937 ETH)$0 (0.00000 ETH)
Withdrawal – Relay fee$498 (0.24937 ETH)$700 (0.35000 ETH)
Withdrawal – Total$562 (0.28114 ETH)$721 (0.36064 ETH)
Combined total:
1 cycle of 100 ETH 
$1,117 (0.55850 ETH)$782 (0.39104 ETH)
Combined total:
100 cycles of 100 ETH 
$111,700 (55.85030 ETH)$78,208 (39.10400 ETH)
Combined total w/o relay:
1 cycle of 100 ETH  
$1,111
(0.55561 ETH)
$82
(0.04104 ETH)
Combined total ​​w/o relay:
100 cycles of 100 ETH 
$11,1123
(55.56150 ETH)
$8208
(4.10400 ETH)

Mixing strategy for large amounts of ETH

Caution

It is suggested to wait for improved mixing technology, or another method of anonymizing Ethereum to be developed (mixers that use ZK Proofs look promising). Mixing an amount of 100 – 500 ETH would be feasible, but it’s difficult to endorse the process that would be involved in moving 10,000 ETH. 10,000 ETH would take 100 deposits and 100 withdrawals using chunks of 100 ETH. To maximize anonymity, funds would have to be separated across 100 ETH addresses and these addresses should avoid being ever linked to each other. This includes having the addresses partake in similar activities, such as funding an ethereum validator’s collateral.

Mixing funds (in particular, through a notorious and monitored contract such as the 100 ETH Tornado Cash contract) will attract attention. It will become difficult to liquidate the mixed funds if this becomes necessary. It will also draw a lot of attention to the deposit address. 

Overview

If mixing the Ethereum is absolutely necessary, the following strategy is suggested as the least bad.

Tornado Cash seems the only viable option to move 10,000 ETH. Primarily due to the fact that its existing pool of funds in the 100 ETH contract (109,800 ETH at the time of writing) make it the mixer with the largest anonymity set. By contrast, Railgun’s pool contains only 5,281 ETH, making the anonymity set far smaller, meaning it would be significantly harder to blend in relative to Tornado Cash. To blend in using Railgun would take an inordinate amount of time and effort, given deposits would have to be significantly spaced out and their amounts reduced. Transaction fees on Railgun are also higher, and there is no way to avoid their 0.25% deposit and withdrawal fee.

It is recommended to use Tornado Cash without making use of a relay. Use of a relay, while significantly easing the process, would require roughly ~0.35% of 10,000 ETH (35 ETH) being taken as a fee.

Avoiding the use of a relay will require, for each withdrawal, a fresh address containing enough ETH to pay the transaction fee to interact with the withdrawal function of the Tornado Cash contract (roughly 0.01 ETH at the current gas price). The ETH deposited to the address must not be linked in any way to the address used to deposit the funds. The fresh address needs to be funded in an anonymous manner. This can be achieved by using a mixer.

Tornado Cash cannot be used to mix these funds because Tornado Cash only allows set withdrawal amounts (minimum 0.1 ETH), there would be too much left over in the address after paying the transaction fee.

However, Railgun can be used to mix the funds that will be used to avoid the use of a Tornado Cash relay. Unlike Tornado Cash, Railgun does not enforce set withdrawal amounts; this is important, as it enables withdrawing just enough ETH to cover the Tornado Cash withdrawal fee.

Note that while this report suggests acting as your own relay to avoid Tornado Cash’s ~0.35% fee on withdrawals (saving ~35 ETH), acting as your own relay significantly complicates the process of mixing the funds. It could also potentially compromise anonymity given a pattern could emerge. For instance, if one is the only person paying Tornado Cash relay fees using funds mixed through Railgun, an on-chain analysis could reveal that all 100 withdrawals from Tornado Cash had their tx fees paid using funds coming from Railgun, and that could potentially link the Tornado Cash withdrawals together, compromising anonymity. Care should be taken when acting as one’s own relay, and it’s advisable to perform some withdrawals using Tornado Cash’s built in relays, to better blend in with the crowd, and prevent any patterns emerging.

Prerequisites

  • (only necessary if acting as one’s own relay) ~5 ETH to be deposited into Railgun.
    • This ETH will be progressively withdrawn from the mixer in small amounts to fresh ETH wallets. The funded wallets will use the ETH to initiate the withdrawal of ETH from Tornado Cash (meaning this wallet will pay the withdrawal TX fee, effectively allowing one to act as their own relay).
  • Access to Tornado Cash is required.
    • There are lots of Tornado Cash phishing links on the internet, it is recommended to download the Tornado Cash frontend from a trusted source, and run it locally. The Tornado Cash source code can be found here. A guide to using Tornado Cash after its censorship can be found here.
  • Storage strategy for private notes from Tornado Cash needs to be decided.
    • The private notes are required to withdraw funds from the mixer. The notes contain data that can be used to link the deposit address with the withdrawal address. This is important if history needs to be maintained for audit purposes.
  • A method to keep track of addresses containing withdrawn funds from Tornado Cash will have to be decided, such as a spreadsheet.
  • An RPC that does not block Tornado Cash will have to be found.
  • Consider any potential risks the deposit address will be exposed to, it might be scrutinized after it begins interacting with the contract.

Steps

Before starting:

  1. (only necessary if acting as one’s own relay) Deposit ~5 ETH into Railgun. At the current gas price, this should be enough to pay the gas fee of all invocations of the Tornado Cash withdrawal function, and cover the cost of interacting with the Railgun contracts.
  2. Deposit the 10,000 ETH into Tornado Cash. This should be done using the 100 ETH increment, and will have to be done 100 times. For each deposit, store the private note you receive.

These steps must be repeated 100 times:

  1. Wait a random period of time, between 1 day – 4 weeks.
  2. (only necessary if acting as one’s own relay) Once the waiting period is over, make a withdrawal from Railgun into a fresh address. Only withdraw enough funds to cover the estimated fee of interacting with the withdraw function of the Tornado Cash contract (~360,000 gas).
  3. Run Tornado Cash, supply the note and perform the withdrawal.
    1. If acting as your own relay, use the address funded in step 2 to pay the tx fee.
    2. If you are not acting as your own relay, elect to use Tornado Cash’s built in relay when performing the withdrawal.

Repeat steps 1 and 2 until all 10,000 ETH has mixed. Vary the steps, including sometimes using Tornado cashes built in relay, so no obvious pattern emerges.

Final cost analysis

There are two factors to consider when calculating the final cost.

  • The cost of performing 100 equally sized (100 ETH) withdrawals from Tornado Cash.
  • The cost of performing 100 small withdrawals from Railgun (to mix the ETH that will be used to interact with the withdrawal function of the Tornado Cash contract, when acting as one’s own relay).

As outlined in the fee breakdown section of this report, performing 100 withdrawals each of 100 ETH from the Tornado Cash contract will incur a fee of $8,208 (4.104 ETH).

The fee for the smaller withdrawals put through Railgun can be calculated as follows:

Fee typeCost
Deposit of 5 ETH into railgunGas $54 (0.02736 ETH)
Railgun fee$25 (0.01250 ETH)
Withdrawal of 1.5 ETH in 0.015 ETH batchesGas$5,776 (2.88800 ETH)
Railgun fee$7.50 (0.00375 ETH)
Relay fee$577 (0.28880 ETH)
Total fee$6,386 (3.19305 ETH)

In total one can expect to pay:

Cost
Railgun associated fees$6,386 (3.19305 ETH)
Tornado Cash associated fees$8,208 (4.10400 ETH)
Total fee$14,594 (7.29705 ETH)

Without acting as one’s own relay, and using Tornado Cash’s built in relaying functionality, one can expect to pay $78,208 (39.104 ETH) in relay related fees, for a total cost of $86,416 (43.208 ETH).

If one acts their own relay (using Railgun as described above), one can expect to pay $6,386 (3.19305 ETH) in Railgun related fees instead, a saving of $71,821 (35.91095 ETH).

Strategies not explored

The following strategies have not been thoroughly investigated as part of this report:

  • Using a mixing contract on a platform other than Ethereum. For instance, Tornado Cash/Railgun can be used on Polygon which has much cheaper tx fees.
    • This strategy would require swapping the Ethereum into a token such as native Matic (in order to use Tornado Cash), or Wrapped Eth on Polygon (for Railgun). The swap could be facilitated by Thorswap/Maya or the official Polygon Bridge.
    • The strategy is not without risks:
      • Requires exposing oneself to Matic instead of Ethereum for a long period of time (if Tornado Cash is used).
      • Requires exposing oneself to WETH on Polygon for a long period of time.
      • Requires investigation into safety of such a large swap on the chosen platform.
      • A second swap would be required to move the mixed funds back to ETH.
  • Using a mixer that makes use of Zero Knowledge (ZK) technology.
    • A great ZKM based mixer was Aztec Connect, however this product has since been sunset and is no longer maintained.
    • The Aztec team has shifted their focus to Aztec Noir. While there are no mixers built using Aztec Noir yet, the product is something to keep an eye on.
  • Depositing into and then withdrawing from a centralized account based service that pools funds and does not complete KYC. An example may be a crypto gambling website.
  • Using decentralized exchanges (DEXs) to convert the ETH to a privacy coin like Zcash or Monero. sending the privacy coin to yourself, then trading it back to ETH on DEXs.

Gentleman James

Gentleman James: New money trash connoisseur

Gentleman James
New money trash connoisseur


Crypto Financial Planning

Take a step towards financial independence with iYields combined crypto and fiat wealth and budget dashboards.