TL;DR
This paper analyzes Ethereum's privacy limitations, demonstrating how user profiling and deanonymization techniques can compromise user anonymity. It also evaluates the privacy guarantees of mixers such as Tornado Cash and proposes new attack methods.
Contribution
It introduces novel Ethereum user profiling techniques based on quasi-identifiers and assesses privacy risks of existing mixers through new heuristics and attack strategies.
Findings
Successful deanonymization of Ethereum users using machine learning and activity patterns
Identification of vulnerabilities in Tornado Cash mixer
Proposal of a malicious value-fingerprinting attack for confidential transactions
Abstract
Ethereum is the largest public blockchain by usage. It applies an account-based model, which is inferior to Bitcoin's unspent transaction output model from a privacy perspective. Due to its privacy shortcomings, recently several privacy-enhancing overlays have been deployed on Ethereum, such as non-custodial, trustless coin mixers and confidential transactions. In our privacy analysis of Ethereum's account-based model, we describe several patterns that characterize only a limited set of users and successfully apply these quasi-identifiers in address deanonymization tasks. Using Ethereum Name Service identifiers as ground truth information, we quantitatively compare algorithms in a recent branch of machine learning, the so-called graph representation learning, as well as time-of-day activity and transaction-fee-based user profiling techniques. As an application, we rigorously assess the…
