ZCash shielded transaction revealed - Is this possible with Incognito?

Just found this here on reddit https://www.reddit.com/r/CryptoCurrency/comments/hubbvg/did_we_just_see_zcash_get_cracked_twitter_user/ looks like someone was able to trace back a shielded ZCash transaction. Does anyone here understand what exactly has happened and if incognito chain could be affected by this as well, thanks.

2 Likes

It was just a lucky guess. @MoneyKnowledge0 waited just a few minutes between the transparent transaction and the shielded transaction. The “attacker” simply looked back a few blocks and made an educated guess.

How this applies to Incognito – right now, Incognito has a very low transaction count for shielding/unshielding. This means someone could use a similar method to connect a unshield withdrawal to the shielded deposit and the source wallet/owner. However, as noted in the Zcash “hack”, waiting a sufficient period of time, and breaking up the deposit into several withdrawals, will be sufficient to counteract such chainalysis.

For example, Bob’s ownership of his BTC wallet is known. Bob shields 4.2 BTC on the Incognito chain at 10:00am. Anyone is free to see on the BTC blockchain that Bob withdrew 4.2 BTC to another address (the one-time Incognito BTC deposit address). 20 minutes later, 4.2 BTC is deposited back to Bob’s unknown 2nd BTC wallet, from a completely separate BTC address (the BTC trustless contract address). A reasonable assumption would be that Bob has control of the 2nd BTC address because the “same” 4.2 BTC flowed through those addresses in a very short period of time, breaking his Incognito anonymity. There was not sufficient time (and therefore sufficient volume) to provide reasonable cover to his outgoing transaction.

As a counter, Alice’s ownership of her BTC wallet is also well known. Alice also deposits 4.2 BTC at 10:00am the next day. Anyone is free to see on teh BTC blockchain that Alice withdrew 4.2 BTC to another address (her one-time Incognito BTC deposit address, which is different than Bob’s). 20 minutes later Alice deposits 1 BTC in her 2nd, unknown BTC address. Two hours later she deposits .5 BTC to the same address. One day later, she deposits 1.5 BTC. Three days later, she deposits .8 BTC. And finally one week later .4 BTC is deposited. Alice has successfully moved 4.2 BTC from her known address to her unknown address, through Incognito, and has broken any attempts at chainalysis due to delaying her deposits and making multiple deposits. Her ownership of the second address cannot be traced through Incognito because the entry/exit transactions are not congruous (as they were with Bob) and not performed in a very short period of time.

15 Likes

Great, thanks a lot for your detailed answer.

2 Likes

sensei! :slight_smile:

Oh mike this is great advice. Yesterday i was talking to another user who also mentioned that without enough network movement you can actually trace back some transactions as youve mentioned above.

I also suggested:

  • Trading from one asset to another after deposit.

Say you want to send someone 100 USDT, instead of directly depositing USDT, you can deposit ETH instead, trade pETH for pUSDT on the pDEX, and than send the newly traded USDT. Or for even more untraceability, start with a privacy coin like XMR, trade that for pUSDT and send the newly adquired pUSDT. As long as trading doesnt change the original ammount much, this is also another way for even stealthier transactions.

1 Like

Another great way would be… stay Incognito :wink:

2 Likes

I would like to stay incognito but I’m afraid it’s not “idiot proof” yet because I stupidly sent two Eth transactions to the one shield address and now I seem to have lost the second Eth amount of 0.7 Eth, which is not a lot but it’s a good lesson for me.

1 Like

Send a private message to @Peter or @Ducky. They will need some information from you, such as the Incognito receiving address, your wallet address and the Ethereum transaction ID in a private message.

They’ll pass that info along to the devs who will be able to retrieve your 2nd transaction of Ethereum. Be advised it may take a few days for them to retrieve the eth, as we are heading into the weekend and dev resources are prioritizing a fix for an in-app trade bug.

Don’t panic, stay patient and they will eventually be able to recover your funds.

5 Likes

Ok. Thanks for that. I’ve reported to a mod. I think it’s Jamie. Sounds like I just need to stay patient because the team is busy.

Once it works with a hardware wallet for sure :slight_smile:

2 Likes

@FFa @Mike_Wagner

Yes please don’t report to another moderator as well, this will only result in wasting CS resources as multiple people will be bothering the same dev with the same issue.

2 Likes

Regarding hardware wallet. Should it design and produce own Incognito Ledger?:thinking::grin:

Try to look on it from a different angle

  1. If you use Incognito as a mixer - you get Wassabi wallet or Tornado cash a level of privacy

  2. If you stay Incognito - you get Monero level of privacy for all your activity: store, transfer, buy/sell, invest privately, defi, etc.

2 Likes

@andrey I would say basically everything could stay like it is known to solve this problem. We just need the option to control our mobile and later on web wallets with a hardware wallet. Right now we have only mobile wallet, so an option would be necessary where I can connect this wallet to a ledger nano x and create a new privatekey with the ledger nano. Thus the key is never stored on the mobile etc. So we use the app as a control center and the hardware wallet as the key to sign the transaction we want to do. in this case I would feel safe and could sleep well even when I stake for 100k or more.

By the way it does not have to be only ledger. Airgapped wallets would be a great option as well. Like Cobo Vault, which works with QR codes to receive and sign transactions. Maybe even someone here could develop an app which could basically do the same like a cobo vault. Then there would be an option for people who want invest a lot of money to buy a cheap phone install the app and from then onwards make sure that this phone will never connect to the internet again. Plus an option to create within the app encrypted backups which could be written to sd cards etc. This would not be interesting for the average user but for investors, who will improve the network by more nodes.

For the average normal user, they do not care at all. Unfortunately I think they also do not care about privacy so will never use the app. For them we should like mentioned before partner up with ledger etc. to offer an integration of incognito. And this should be more like a background mixing service, because we can not store pBTC instead of BTC without letting them know in my opinion.

1 Like