In the current implementation, we only attempt to solve the on-chain part of privacy. There is also network-level privacy that needs to be handled by users.
- Your IP address can be considered public information because it is known to many parties like your ISP and any router on the way to your target server. For example, your ISP could log timestamps of packets sent to Relayer and correlate them with withdrawal transaction timestamps. Use a VPN or Tor to hide your IP, especially during a withdrawal.
- The note contains data that can be used to link your deposit with withdrawal. If you wish to allow someone else to audit your transactions, you should keep the note data which can act as viewing key, but only after it is spent.
- Make sure you clear cookies for dApps before using your new address, because if a dApp sees both old and new addresses with the same cookies it will know that addresses are from the same owner. A good way to do this is by using a new identity (browser, wallet, IP) for the funds of your new address.
- If you are using a public RPC with all your wallets, it might know that your addresses are linked, for example, if you use the same IP or API token for different identities. Note that if you keep your wallets in Metamask, it will automatically use the same API token for all your requests.
Realistically, for most users, it might be optimal to ignore some of those points in favor of convenience. It might be acceptable that some dapps or RPC nodes have an ability to track the transactions (but most likely they don’t care and don’t log the required data), it still much better privacy than everyone being able to see the full history on a block explorer like Etherscan.
Although external observers cannot prove which withdrawal comes from which deposit, they can make an educated guess about it. For example:
- If a deposit and a withdrawal are right next to each other, it is very likely that they belong to the same person. We recommend waiting until at least a few deposits are made after yours before withdrawing the note.
- If there is a batch of deposits from one address, and then a batch of the same size of withdrawals to a single address, they are very likely connected. If you need to make multiple withdrawals, try to spread them out and withdraw to addresses not linked with each other.
- Wait until some time has passed after your deposit. Even if there are multiple deposits after yours they all might be made by the same person that is trying to spam deposits and make users falsely believe that there is large anonymity set when in fact it is lower (also known as a Sybil attack). We recommend waiting at least 24 hours to make sure that there were deposits made by multiple people during that time. Check the instance statistics when using it.
- It may also be possible that making deposits or withdrawals only during waking hours of the timezone you are in can reduce your anonymity. A simple way to avoid this problem is to try your best to spread out your deposits and withdrawals as evenly across the 24 hours of each day.
- The anonymity set reflected in Tornado.cash statistics is a total amount of deposits made to a given instance. In practice, it can be lower due to various off-chain factors that are hard to formalize. For example, someone might make a Twitter post about their Private transaction — it effectively means that it can be excluded from the anonymity set. Similarly in all other cases when a user deanonymizes himself, his deposit is not contributing any real anonymity. As such, it is in your interest, as well as the interest of all Tornado.cash users, to not publicise the amount that you deposit or the dates and times at which you do so (especially for withdrawals).
In general, try to avoid any correlations that may suggest that your deposits and withdrawals are linked. A good rule of thumb is to mingle with the crowd.
Written by Tornado.cash team, Wei Jie Koh