It's a shame this doesn't get as much attention as the sensationalist first article. I hope Monero folks aren't becoming tribalist vs. the MimbleWimble coins, when we're headed solidly in the same direction for the same reasons.
Everybody in crypto is on high alert for words like “hacked” and “rekt”. But let’s make sure we fact check stuff we comment on.
Disclaimer - I was only interested in the mathematical simplicity and beauty of Mimblewimble. Never invested. (Has anyone...)
Mimblewimble Rekt: 800 retweets on Twitter
Developer's denial: 16 retweets on Twitter.
Lol - this story shows us “a lie can get half way around the world before the truth can get its pants on”
Key points: Most people who understood MW knew this information was available. The attack author seems to have misunderstood / not reached out to any developer / not even read the GitHub nor the information that has been around since 2016.
"Right now, if Alice purchases Grin on an exchange and later uses it to shop on a darknet market, a sniffer node will capture a precise, undeniable trail of commitments (starting at the KYCed exchange commitment and ending on the darknet market) that incriminates Alice. Alice would not expect that, because she thinks Grin is “private” and further, public block explorers can’t show that link, only the special sniffer nodes can. This is the key point."
I find that a fair assessment that should get heard. It's not news for the more technical users though.
> Regardless, outputs are not addresses and that's more than a semantic difference.
Indeed... but in MW, if you own multiple outputs, and you want to include them in one transaction, are both of them referenced as inputs?
And even if you only use one output as an input, doesn't that one output have the same ID as when it was first created?
I'm honestly trying to make sure I understand things right. It's highly likely I don't. I thought the whole thing was that, yeah, once it's on the chain, there's really no storage of input A -> output B tx graphing. But if you are sniffing the network, and you are logging all of the transactions being published into the txpool, then you can still just track input A -> output B... but where does the CoinJoin stuff happen? Maybe I should re-read the paper... :/
As I understand it, because of the interactive nature of MW, outputs are created when the receiving party signs the transaction prior to returning it to the sender to finalize and broadcast to the network. Broadcasting involves routing the transaction through a random number of nodes before making the public announcement, during which should another transaction be routed through the same node then the two will be aggregated and relayed further before the public broadcast. The transaction is then aggregated again with all other transactions in the txpool that are mined into the same block, so that the associations between inputs and outputs are broken even should no prior aggregation have taken place during routing.
Assuming there is not passive surveillance of the majority of the nodes on the network, that link between input and output can either be broken during the routing (the "stem phase" of dandelion) or during the block creation. So yes, once it's on chain there's no way to graph them retroactively. However, the more transactions occurring on the network, the harder it becomes to graph as the chance the output was already aggregated during its propagation becomes much higher. Beam also adds another mitigation in creating 0-value decoy outputs that are added to the real ones during the stem phase, which are indistinguishable from real outputs due to CT obscuring all values, and then cut through once the transaction is mined. Afaik, since dandelion is not a consensus-level feature, Grin will be looking to add the same functionality during a minor point release in the future.
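A toy model of the aggregation and cut-through described in the two comments above, added here as an illustration (not Grin or Beam code). It assumes commitments are opaque labels (CT hides the amounts), one kernel per original transaction, and that an observer of an aggregate with several kernels cannot tell which kernel spent which input; the names `alice`, `bob`, `x`, `y` and the commitment labels are constructed sample data.

```python
from dataclasses import dataclass
from itertools import product

# Toy model of Mimblewimble transaction aggregation (constructed example).
# Commitments are plain labels; an observer only sees input/output/kernel sets.
@dataclass(frozen=True)
class Tx:
    inputs: frozenset
    outputs: frozenset
    kernels: frozenset  # one kernel per original (pre-aggregation) transaction

def aggregate(txs):
    """Merge transactions the way a stem-phase relay node or a miner does:
    union of inputs, outputs and kernels, with no record of which came from which."""
    return Tx(frozenset().union(*(t.inputs for t in txs)),
              frozenset().union(*(t.outputs for t in txs)),
              frozenset().union(*(t.kernels for t in txs)))

def cut_through(tx):
    """Drop any commitment both created and spent inside the same aggregate
    (a chained spend within one block): neither side ever reaches the chain."""
    internal = tx.inputs & tx.outputs
    return Tx(tx.inputs - internal, tx.outputs - internal, tx.kernels)

def certain_links(tx):
    """Input->output pairs an observer of this object can assert with certainty.
    A single-kernel tx links every input to every output; once several kernels
    are merged, the observer cannot tell which kernel spent which input (assumption)."""
    if len(tx.kernels) == 1:
        return set(product(tx.inputs, tx.outputs))
    return set()

def sniffer_view(txs, aggregated_in_stem):
    """What a sniffer node logs: each tx separately if it caught them before
    aggregation, otherwise only the merged object."""
    return [aggregate(txs)] if aggregated_in_stem else list(txs)

# Constructed scenario: Alice spends exchange output ex_A to darknet output dnm_A
# while Bob spends ex_B to shop_B; x and y are a chained spend mined in one block.
alice = Tx(frozenset({"ex_A"}), frozenset({"dnm_A"}), frozenset({"k_A"}))
bob = Tx(frozenset({"ex_B"}), frozenset({"shop_B"}), frozenset({"k_B"}))
x = Tx(frozenset({"a"}), frozenset({"b"}), frozenset({"k_x"}))
y = Tx(frozenset({"b"}), frozenset({"c"}), frozenset({"k_y"}))

def links_seen(aggregated_in_stem):
    """Certain input->output links a sniffer gets from the Alice/Bob scenario."""
    seen = set()
    for obj in sniffer_view([alice, bob], aggregated_in_stem):
        seen |= certain_links(obj)
    return seen
```

`links_seen(False)` returns both exchange-to-destination links, `links_seen(True)` returns none, and `cut_through(aggregate([x, y]))` leaves only input `a` and output `c` with the intermediate `b` gone.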
Good response. Thanks to the author for writing that. It still doesn’t mitigate the fact that Grin currently contains fundamental flaws that the original article revealed in real time (vs the weaknesses being previously only theoretical), but the sensationalist “breaking Grin” angle is well described.