Privacy question on this use case?

Fairly new to Incognito but been researching a lot. Also not a coder and overly technical, but I have a question about any potential vulnerabilities on the following use case both now with V1 and soon with V2.

Scenario

  1. Bob onramps fiat $ on a CEX (Coinbase, etc) buying USDC.
  2. Sends USDC to a normal wallet first (just to keep CEX from seeing it’s going to Incognito)
  3. Sends USDC from wallet to Incognito wallet.
  4. Sends USDC from Incognito wallet to another external wallet or nonKYC CEX/DEX.

In that case, is there any non-private transaction history of the USDC that left the Incognito wallet OR any identifiable data that shows the wallet it left was the wallet the coins went into from the CEX in step 1?

Essentially, if assets go into Incognito and out externally… are they currently traceable to the same wallet or no?

Thank you in advance.

1 Like

Depends – so yes and no.

  1. Bob sends $472.81 USDC on Step 3, then withdraws that same balance 2 hours later on Step 4.

    • Analysis could easily link the two transactions due to the “unique” balance and short period between the two transactions.
  2. Bob sends a “common” deposit of $300.00 USDC on Step 3, then withdraws that same balance 2 hours later on Step 4.

    • “Common” deposit here is highly subjective and depends on the prevalence of a given transactional amount at that time.
    • By using a “common” amount, Bob increases chances that someone else may withdraw the same amount during that 2 hour window.
    • If there are no other $300 USDC withdrawals, then analysis could reasonably connect both transactions.
  3. Bob waits a longer period of two weeks between Step 3 and 4.

    • More time between deposit and withdrawal is better. This increases the likelihood of other transactions in the same amount.
  4. Bob deposits $300 on Step 3 but withdraws his USDC in multiple transactions of different amounts than Step 3 – e.g. $150, $90 and $60 – the next day.

    • Bob sends each transaction to a previously unused address he controls.
    • Analysis will be much harder to link the transactions. However if these transactions are the only transactions in that 24 hour period and/or are closely spaced together, analysis could again link the transactions through their combined value.
  5. Bob deposits $300 USDC on Step 3, then withdraws $150 on Step 4 after one day, $90 four days later and the final $60 one month later.

    • Analysis would be difficult to connect those three withdrawals (again, each to an unused address he controls) with the initial deposit.
  6. Bob deposits $472.81 USDC on Step 3, trades for XMR and withdraws $472.81 XMR on Step 4 one day later.

    • Bob has complicated analysis by converting to a different asset. However since the amounts are unique & identical and close together, it is still potentially possible to connect the transactions by value.
  7. Bob deposits $300 USDC on Step 3, trades for XMR and withdraws $300 XMR on Step 4 one day later.

    • As before, using a “common” transaction amount he increases chances another withdrawal transaction of the same amount occurs during the same period.
  8. Bob deposits USDC on Step 3, trades for XMR and waits a week before withdrawing on Step 4.

    • As before, increasing the time between deposit and withdrawal, coupled with the asset conversion, dramatically improves Bob’s privacy and makes analysis difficult.
  9. Bob deposits $300 USDC on Step 3, trades for XMR, and withdraws on Step 4 in three separate transactions of different amounts.

    • The deposit and withdrawal amounts are different and on different blockchains. However Bob is still relying on other transactions in his withdrawal asset to occur around/between his withdrawals. Any analysis to connect the transactions would be difficult.
  10. Bob deposits $300 USDC on step 3, trades for $150 XMR, $90 LTC and $60 BNB. He withdraws the XMR after one day, the LTC after four days and the BNB after a month.

    • It is utterly difficult to link these transactions. Bob has used different deposit and withdrawal assets for every public transaction as well as waiting then staggering the days of withdrawal. Unless he is (foolishly) reusing addresses or addresses that are somehow connected to him via KYC (in the past or the future), it would prove difficult to show that the XMR, LTC and BNB transactions are linked to each other and to the original USDC transaction.
11 Likes
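
The amount-and-timing reasoning in the reply above, as an added example that is not part of the original thread: it counts how many public withdrawals are indistinguishable from a given deposit (scenarios 1 to 3) and how many groups of withdrawals add up to it (scenario 4). All timestamps and amounts are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timedelta
from itertools import combinations

T0 = datetime(2021, 1, 1, 12, 0)  # constructed reference time of the deposit

def hours(h):
    return T0 + timedelta(hours=h)

# Constructed public withdrawals (time, USD amount) seen leaving the privacy pool.
WITHDRAWALS = [
    (hours(1), 300.00), (hours(2), 472.81), (hours(3), 300.00),
    (hours(5), 300.00), (hours(20), 150.00), (hours(21), 90.00),
    (hours(22), 60.00), (hours(30), 200.00),
]

def in_window(deposit_time, withdrawals, window):
    """Withdrawals that occur after the deposit and inside the observation window."""
    return [w for w in withdrawals
            if deposit_time <= w[0] <= deposit_time + window]

def same_amount_set(deposit, withdrawals, window, tol=0.005):
    """Scenarios 1-3: withdrawals that an amount-and-time match cannot tell apart."""
    when, amount = deposit
    return [w for w in in_window(when, withdrawals, window)
            if abs(w[1] - amount) <= tol]

def split_groups(deposit, withdrawals, window, max_parts=3, tol=0.005):
    """Scenario 4: groups of 2..max_parts withdrawals whose sum equals the deposit."""
    when, amount = deposit
    pool = in_window(when, withdrawals, window)
    return [g for n in range(2, max_parts + 1)
            for g in combinations(pool, n)
            if abs(sum(a for _, a in g) - amount) <= tol]

if __name__ == "__main__":
    day = timedelta(hours=24)
    for label, dep in [("unique", (T0, 472.81)), ("common", (T0, 300.00))]:
        size = len(same_amount_set(dep, WITHDRAWALS, day))
        print(f"{label} deposit: {size} same-amount withdrawal(s) in 24h")
    groups = split_groups((T0, 300.00), WITHDRAWALS, day)
    print(f"groups summing to 300.00 in 24h: {len(groups)}")
```

A result of 1 means the withdrawal stands alone and can be paired with the deposit by value; larger counts mean more same-looking transactions to hide among, which is why the reply recommends common amounts and longer waits.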

Brilliant response, thank you very much for this!

So it sounds like only a semi-sophisticated analysis using probability of timing and amount of withdrawals like this would track it.

Simple analysis though using addresses etc should not.

Seriously thank you for the thoroughness

2 Likes

Hey @Mike_Wagner…awesome response there bro…talk about being thorough…big kudos to you on the response thanks bro… 😎

2 Likes

The main message is, Incognito is not a mixer, it was not developed for that purpose, but with creative transactions can be used like a mixer.

The idea is to create an environment WITHIN which people can perform transactions anonymously. The ideal world would be, everyone on this planet uses Incognito to transfer funds and trade. No one would have to worry about high fees and such.

That is for the future though, still some building to do.

3 Likes