Attacking Anonymity Set in Tornado Cash via Wallet Fingerprints

Tornado Cash is a decentralized application (dApp) that runs on Ethereum Virtual Machine (EVM) compatible networks to enhance users’ privacy in terms of user transaction history over the blockchain. The dApp achieves this goal by enabling users to deposit currencies into designated pools and subsequently withdraw them, severing the link between depositor and withdrawer addresses. At deposit time, Tornado Cash communicates to users the level of privacy they will benefit from (anonymity set) by depositing currencies into one of its pools. Existing analyses have indicated discrepancies between the claimed anonymity set and the actual level of privacy provided, primarily attributed to users’ incorrect utilization of the dApp. The current project aims to explore a new way to challenge the dApp proposed anonymity set by examining wallet fingerprints, a factor not directly related to user behavior within the application. The findings of this research shed light on the potential for creating links between clusters of users in TC according to the new proposed approach and raise a privacy concern within the Ethereum network.