Tutela is an Ethereum and Tornado Cash anonymity detection tool, built as a response to a Tornado Cash Community Grant. It allows Ethereum and Tornado Cash users to see when they potentially revealed themselves on-chain by:
Since our last update, we’ve added three new features:
For the nitty gritty details you can check out the Tutela white paper.
Initial users gave us feedback that often no Ethereum addresses were associated with their input address. This makes sense because we were only using the deposit address reuse (DAR) heuristic to link Ethereum addresses. DAR searches for very specific behavior (e.g. interacting with centralized exchanges), meaning that most Ethereum addresses show no results - it found c.2.5m Ethereum clusters from >180m Ethereum addresses.
To supplement DAR, we implemented Diff2Vec. It projects each Ethereum address to a point in a low-dimensional vector space based on who it transacts with. In this vector space, addresses belonging to the same entity should be close together in Euclidean distance. This allows Tutela to show k-results for every input address. The potential downside is that it is highly unlikely all k-results are connected to the input address. There is a tradeoff between quality and quantity.
We’ve recently added a new piece of functionality - a history of potentially revealing transactions for each address. This shows when a user potentially made revealing transactions and the type of reveal. More on the different Ethereum reveals here and Tornado Cash reveals here.
After clicking the transactions tab on the landing page, a user can input an Ethereum address to see historical potentially revealing transactions over time.
Figure 1 shows the potential reveals by this address. On the left hand side, the user is given raw statistics about potential revealing behavior. On the right hand side, the user is shown when the annotated reveals occurred.
By scrolling down (Figure 2), the user can see the transaction hashs associated with these reveals and look them up on Etherscan.
We can measure the quality of address clusters using a “test set” of known clustered addresses. It is hard to find “ground truth” data in this space but we obtained a data set from (Beres’ et al., 2021) where 1,028 clusters of addresses (average size of 4.0 ± 3.6 Externally Owned Addresses (EOA) per cluster) are derived from ENS names. Admittedly, this is not an unbiased test set but does suffice as a good measure of Tutela’s generalization.
We are interested in “recall” or the ability of a heuristic or algorithm to recover the clusters in the test set. We do not consider precision on purpose as it does not make sense to penalize a model for finding clusters outside of those in the test set.
DAR alone has a recall of 39.4% with NODE (Diff2Vec) at 37.8%, two percent lower than DAR. However, as shown above, when DAR and NODE are combined, total recall increases to 44.8%. This suggests that the types of clusters found by DAR and NODE have diversity.
In October 2021 there were 97.3k Tornado Cash equal user deposits, Tutela found 42.8k were potentially compromised: 18.6K from the address match reveal, 102 from the unique gas price reveal, 18.9K from the linked ETH address reveal, 16.2K from the multi-denomination reveal, and 358 from the TORN mining reveal (with overlap between reveals).
By pool, we find the anonymity set is reduced by 37% (± 15%) on average. Figure 4 shows the uncompromised anonymity sets by pool. We find that some of the pools could be heavily compromised (such as the cDAI and WBTC pools), whereas other pools are less effected (e.g. USDC). In summary, while many of the Tornado Cash heuristics are simple, they are quite powerful. These findings could help Tornado Cash developers and users alike, measure and understand the degree user privacy offered.
Heuristics are not perfect measures. In return for simplicity, there will always be false positives in practice, e.g., addresses in a cluster that should not be there, or faithful Tornado Cash transactions labeled as compromised.
For the Ethereum heuristics, picking proper hyperparameters is the challenge. In DAR, the algorithm is very sensitive to the choice of two thresholds. If the thresholds are too small, no clusters will be found; If the thresholds are too big, clusters will be low quality, containing many addresses they should not. Currently, the best practice is to tune these by hand.
Similarly in NODE (Diff2Vec), the choice of hyperparameters impacts performance. In particular, we must choose a “neighborhood” size to look when summarizing the behavior of a single node/wallet. Too small and we may lose sight of the bigger picture but too large and we may lose granularity on this wallet’s actions.
Running DAR or NODE on Ethereum is computationally expensive, requiring both a large RAM and storage. In particular, NODE is very costly and difficult to parallelize — we are unable to update it live due to its resource constraints. As of now, the NODE algorithm is trained on data up to October 2021 and will remain static.
On the other hand, the Tornado Cash heuristics are much simpler than the Ethereum ones, and more deterministic. However, given that only a small subset of Ethereum addresses are Tornado Cash users, they have limited applicability to the majority of potential Tutela users.
This is it for Tutela! What a journey it has been! We’ve learned a lot and had the opportunity to work with amazing people. Shoutout to the LambdaClass team for their critical contributions to the development of the Tornado Cash heuristics.
Mike, Kaili and I will continue to maintain Tutela as far as the Tornado Cash Community deems appropriate. Now we’re turning our attention onto building the next thing! If you want to connect with us - feel free to hit us up on Twitter! @willmctighe @mike_h_wu @kaili_jenner
Ferenc Beres, Istvan A Seres, Andras A Benczur, and Mikerah Quintyne-Collins. 2021. Blockchain is watching you: Profiling and deanonymizing ethereum users. In 2021 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPS), pages 69–78. IEEE.