Researcher Breaks Grin's 'Privacy' Spending Just $60 Per Week

According to an expert at blockchain research firm Dragonfly Research, Mimblewimble's privacy is fundamentally flawed, which he reportedly proved by discovering the exact addresses of senders and recipients for 96% transactions of Mimblewimble's privacy-centric coin Grin.

Ivan Bogatyy, a researcher at United States-based Dragonfly Capital Partners, published a Medium post on Nov. 18 in which he claimed that he was able to break Grin's purported privacy while spending just $60 per week on Amazon Web Services.

In the analysis, Bogatyy referred to anonymity sets, which are patterns that aggregate multiple transactions into a set, such that they can no longer be distinguished.

Based on anonymity sets, Bogatyy pointed out three major approaches to privacy in cryptocurrencies such as Zcash, Monero and Mimblewimble.

According to the researcher, Zcash purportedly provides the maximum possible anonymity as its anonymity set includes all the shielded transactions.

In Monero, users should pick their own anonymity set of size 10-25 for any existing on-chain unspent output from Bitcoin transactions.

In Mimblewimble, all transactions in a block are aggregated into one big CoinJoin, purportedly ensuring that an anonymity set is all the transactions that ended up in the same block.

"So in reality, there is no one in their anonymity set," the expert claimed, adding that he was not able to hack all 100% transactions because there was a small minority of transactions that merged before most nodes could see them.

Following Bogatyy's tweet, Ethereum co-founder Vitalik Buterin replied to emphasize that Zero-Knowledge Succinct Non-Interactive Argument of Knowledge is an example of the only global anonymity sets that are secure.

"If your privacy model has a medium anonymity set, it really has a small anonymity set. If your privacy model has a small anonymity set, it has an anonymity set of 1. Only global anonymity sets are truly robustly secure."