Earlier this year, two altcoin projects, Grin and Beam, made waves in the cryptocurrency community; even some hardline Bitcoin maximalists, known for detesting other cryptocurrencies, showed some interest in the projects.
Also, many claimed that the launch of these new digital assets would spell the end for ZCash and Monero, two privacy-centric blockchains that have long had their issues; not all ZCash transactions are private by default because “shielded” transactions can be computationally demanding, and Monero transactions, some researchers say, are vulnerable to attacks that hamper the private nature of the chain.
Launched at similar times, the two blockchains rolled out with a technology called “Mimblewimble,” a protocol that enables higher levels of privacy and scalability. Grin, especially, was marketed as a “privacy-preserving digital currency built openly by developers distributed all over the world.”
According to one blockchain security analyst, though, the integration of Mimblewimble in Grin has failed.
Grin Isn’t so Private After All
On Monday, Ivan Bogatyy, a current researcher at Dragonfly Capital Partners and a Google Artificial Intelligence alumnus, published an article on Medium in which he argued that Mimblewimble is not a reliable protocol for privacy.
In fact, the former Google engineer remarked that “Mimblewimble should not be relied upon for robust privacy,” before adding that he sees no viable way to fix the issue.
The extensive report, entitled “Breaking Mimblewimble’s Privacy Model,” revealed how he came to this conclusion and how exactly the blockchain protocol is affected.
I just published a new attack that breaks Mimblewimble's privacy model. This attack traces 96% of all sender and recipient addresses in real time. Here's a summary and what it means for the future of privacy coins: https://t.co/tsIDLyfpzp
— Ivan Bogatyy (@IvanBogatyy) November 18, 2019
Long story short, Bogatyy spent $60 per week on Amazon Web Services computational power connecting to Grin blockchain nodes, which allowed him to use an attack to reveal the “exact addresses of senders and recipients for 96% Grin transactions in real-time.”
The researcher could have theoretically revealed the addresses of “almost all” users of the network if he connected to all 3,000 nodes, he wrote in the report.
What’s crazy is that this news comes literal days after many on Crypto Twitter spotted that an early Bitcoin UTXO, one that dates back to 2010 (there were only a few Bitcoiners around back then), was sent to Grin’s General Fund.
The anonymous donor, who is presumably a Bitcoin whale and early adopter, said that the launch of Grin makes “it feel like 2009/2010 again,” before adding that the funds should be used “for the development of Grin.”
ANNOUNCEMENT: Donation to the Grin General Fund – Nov 11: @lehnberg wrote: I’m pleased to announce receipt of another coinbase donation to Grin’s General Fund: https://t.co/hFpY9Zc7iL I had the privilege to interact… https://t.co/BwQtFFRCSc #Announcements via grin-forum $GRIN
— 😶 (@grinMW) November 11, 2019
As Bogatyy believes that there is no way to salvage the Mimblewimble protocol, these funds may have been donated for naught.
Not So Fast
Or maybe not… In a response published on Medium shortly after Bogatyy’s article went live, a number of Grin developers and key community members remarked that the assertion that Mimblewimble is “fundamentally flawed” is wrong.
They drew attention to six “factual inaccuracies” in the aforementioned researcher’s article, countering among other things that Mimblewimble does not have addresses and that the linkability described above is not a byproduct of a broken Mimblewimble privacy model.
The group added that Grin remains more private than Bitcoin, “achieving an equivalent security model as Bitcoin with better privacy that comes enabled by default, with less data required to be kept on chain,” and that this was accomplished even though there is no company in the middle mediating development and no ICO or pre-mine to fund project contributors.
Then they concluded by asserting that Grin has yet to achieve its full potential, implying that privacy developments can still be made with time and adoption:
“Yet, Grin is still very young and has yet to reach its full potential. Eleven months into mainnet, there is low network usage. In the last 1000 blocks, 22% contained only a single tx, meaning their inputs and outputs are trivially linkable. This won’t change until there’s greater network usage.”