Privacy-focused cryptocurrency Grin (GRIN) plummeted in the last 24 hours after a report of an attack on the privacy protocol Mimblewimble started making the rounds online.
As a reminder, while Beam (BEAM) is the first implementation of Mimblewimble, it was followed by the long-expected, community-funded privacy coin Grin, released at the beginning of the year.
In the past 24 hours, Grin (ranked 127th by market capitalization) dropped 16.8%, though it appreciated 6.8% in the past week. It started dropping on November 18th, and at the time of writing (UTC 9:15) it trades at USD 1.26. Beam (ranked 145th) has also fallen 11.6% in 24 hours and 4.31% in a week, now trading at USD 0.61.
Yesterday, Ivan Bogatyy, a venture capitalist at Dragonfly Capital, published a report titled “Breaking Mimblewimble’s Privacy Model,” making a key claim that: “Mimblewimble’s privacy is fundamentally flawed. Using only USD 60/week of AWS spend, I was able to uncover the exact addresses of senders and recipients for 96% Grin transactions in real time.” He added that this is a problem inherent to Mimblewimble, which is likely unfixable, and that it shouldn’t be considered “a viable alternative to Zcash (ZEC) or Monero (XMR) when it comes to privacy” any longer.
My attack catches 96% transactions before they can be aggregated with others for anonymity. So in reality, there is no one in their anonymity set! pic.twitter.com/mkMhSxYh5B — Ivan Bogatyy (@IvanBogatyy) November 18, 2019
However, Monero has also issued a security warning:
#Monero Security Warning: — Monero || #xmr (@monero)
Meanwhile, the reactions to the Mimblewimble news were swift. Emin Gün Sirer, CEO of Ava Labs, which created the decentralized services platform Ava, called the report an “excellent attack on the MimbleWimble protocol.”
With Ivan's discovery, Grin and Beam are no longer privacy coins. They also have other drawbacks (e.g. need to be online to receive payments, high inflation) compared to nonprivacy coins like Bitcoin. — Emin Gün Sirer (@el33th4xor) November 18, 2019
Bitcoiner and developer Udi Wertheimer also commented on the defense of Mimblewimble offered by some, according to which this is a known attack. “Sure. People who know mimblewimble intimately knew about it and mentioned it a lot,” he says. “But still, no one executed it to empirically show how effective it is, which means most people still didn’t know about it. […] The fact is that most people still thought it offers unique privacy properties.”
If at all, there’s a lesson here to mimblewimble proponents. Why is it that this is a very well known flaw (and a very serious one too), and yet many people interested in MW don’t know about it at all? There’s an opportunity to improve there. — UDI WERTHEIMER (@UDIWERTHEIMER) November 18, 2019
What Wertheimer is talking about, for example, is a blog post published by Grin developer Daniel Lehnberg, according to which Bogatyy’s report is inaccurate. “The described “attack” on Mimblewimble/Grin is a misunderstanding of a known limitation,” and “the results presented do not actually constitute an attack, nor do they back up the sensationalized claims made,” Lehnberg writes. Instead, it’s “the well-documented and discussed transaction graph input-output-linkability problem,” familiar to the Grin team and anyone who has studied the Mimblewimble protocol, the developer claims.
Another Grin developer, David Burkett, tweeted that it’s a “Really awesome write-up, but none of this is "news." I'm actually surprised only 96% was traceable. There are a number of ways to help break linkability in Grin, but none are implemented and released yet. As I always say, don't use Grin if you require privacy - it's not there yet.”
Another person to have allegedly known about this is Litecoin (LTC) creator Charlie Lee, who announced a collaboration with Mimblewimble back in February, as Litecoin has become privacy-focused, and who’s been defending their partner on Twitter.
This limitation of MimbleWimble protocol is well known. MW is basically Confidential Transactions with scaling benefits and slight unlinkability. To get much better privacy, you can still use CoinJoin before broadcasting and CJ works really well with MW due to CT and aggregation. https://t.co/M5sx92nzlZ — Charlie Lee [LTC⚡] (@SatoshiLite) November 18, 2019