For All You Degens Farming in Public: Here's Your Privacy Toolbox
Sep 1, 2020
Hello Defiers! Today’s issue is all about privacy.
With ETH now reaching for $500, the highest since July 2018, there’s bound to be a new wave of holders and users. And as more and more people interact with the Ethereum blockchain for the increasing number of money verbs available, it’s important to highlight that all those transactions are open for the world to see, and will be there forever.
While an unintelligible blockchain address may help make activity on Ethereum pseudonymous, information that governments and companies can easily access (and even sell), such as IP addresses, can help link Ethereum wallet addresses with identities. The link is even more obvious with users who have human-readable ENS addresses.
Today’s feature details the steps you can take to protect your privacy and the alternatives startups are working on to make it easier in the future.
Check out the just-released video on The Defiant’s YouTube channel, covering the latest on this week’s governance wars involving Yearn Finance, Curve and 1inch. The video was produced in partnership with Robin Schmidt of Harmony Protocol.
🙌 Together with Zapper, the ultimate hub for managing DeFi assets & liabilities.
How To Use DeFi Anonymously (Ish)
No sign-up, no KYC and no real names.
You’d think that means DeFi is private, but the reality is that, while a major improvement over centralized exchanges, all your transaction history and assets are open for the world to see, and they can even be linked to your IP address.
We’ll go over what you can do to protect your privacy right now, and what developers are doing to make it easier to do in the future.
Here’s the issue: To start, every smart contract that you interact with, whether that be Uniswap, Compound, or Balancer, can see your balance, token holdings, and all past activity.
[Image: MetaMask alerting users of information sharing]
This info isn't just available to smart contracts: it's publicly available on the blockchain. Anyone in the world can access it, and even run advanced analytics on that information.
That could be done by anyone: your mother, your neighbor, the NSA, or Amazon. Creepier still, because the blockchain stores information permanently, the transactions you make now will be visible for the entire future of the blockchain.
[Image: Top Ethereum accounts by balance]
In this way, using DeFi is a bit like getting the financial equivalent of a tattoo. And while that $YAM logo tattooed on your ass might be fun for a week or two, you might regret it 30 years later.
Geolocation Linked to Your ETH Address
To make matters worse, the majority of DeFi activity is accessed through the browser. While this makes for a nice user experience, it also means that without precautions you can end up leaking some highly valuable information.
In particular, services like MetaMask or Etherscan can read your IP address, which means they can link your IP address to your wallet address. And IP addresses reveal location data.
If that doesn't scare you, imagine a future where asset holdings can be correlated with a precise geolocation.
[Image: Correlating an IP address to local coordinates]
To be clear, IP addresses aren't stored on the blockchain. They are shared with companies like MetaMask and Etherscan, your Internet Service Provider, any websites you might visit, and various other parties.
While you might trust the intentions of these companies, it's always possible that centralized services can be hacked. Plus, they might sell your information to third parties.
This might seem a bit sinister, but there is some good news: DeFi tools are becoming more privacy-conscious.
MetaMask used to leak your Ethereum address to websites that you visit, but now that is disabled by default. The wallet also recently launched new privacy-focused features such as warning users every time they share account information with a smart contract.
Plus, many startups in the ecosystem are gearing up for privacy. Countless startups are lining up to protect user data and seize the market share that comes with that.
For now, most of these solutions haven't made it to the Ethereum mainnet. Still, here are the steps you can take right now to protect your information while using DeFi.
Step 1: Make New Accounts
[Image: Vitalik Buterin’s alleged Ethereum account]
Ethereum manages blockchain data using what’s called an account-based model, which means that in some ways, its privacy is harder to manage than bitcoin’s.
On bitcoin, users can create new addresses with every transaction. While vulnerable to chain analysis, this step gives a certain level of privacy, as it breaks the link between different transactions.
With Ethereum’s account-based model, however, the blockchain stores a record of each Ethereum account, complete with all the ether and tokens it has ever held and its entire transaction history.
You can’t break these links simply by spinning up a new ETH address. Rather, to properly unlink transactions from your ETH holdings and past activities, you need to deploy an entirely new account.
A new account will show up on the blockchain with no history or assets until you fill it with coins. Still, unless you are careful about how you send the money to that account, you can create a chain of transactions leading back to your original wallet.
Step 2: Use Tornado Cash
That’s where mixing technology comes in.
Mixing is a way to break the link between sender and receiver, and different variants of this technology have been around since 2013. In theory, mixers allow users to shuffle their coins with those of other users in order to preserve privacy.
But Tornado Cash is a break from this tradition. Unlike typical mixers, it’s all done automatically over smart contracts, meaning that there are relatively low trust assumptions, and the chances of anyone running off with your funds are reduced.
Tornado Cash allows users to send ETH into privacy pools that break the link between sender and receiver addresses. To better protect privacy, this is done using fixed amounts, such as 1 ETH or 10 ETH.
To interact with the pool, users send money to the Tornado Cash smart contract. This generates a unique key, called a “note”, that allows users to withdraw money from the smart contract later on.
This note also allows Tornado Cash users to selectively reveal their transaction path, meaning that the information isn’t lost forever if you ever need to declare your ETH for tax purposes or otherwise.
After a certain amount of time in the pool - the longer the better - a user can withdraw their funds. It’s impossible to do this without revealing your wallet identity, so it’s important to use Tornado Cash’s Relayer service, which will send your ETH back from a different address.
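To see why fixed amounts and a longer time in the pool both matter, here is an added example (not from the original article or from Tornado Cash's code) that measures the anonymity set of a withdrawal as an on-chain observer would see it. The pools, sender labels, timestamps and amounts are constructed sample data, and the model is simplified: it ignores earlier withdrawals and anything leaked at the network layer.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Deposit:
    t: int         # seconds since the pool opened (constructed)
    sender: str    # placeholder label, not a real address
    amount: float  # ETH


# Constructed sample data: the same five senders in two hypothetical pools.
VARIABLE_POOL = [
    Deposit(0, "A", 0.7), Deposit(60, "B", 3.2), Deposit(120, "C", 1.0),
    Deposit(600, "D", 12.5), Deposit(3600, "E", 1.0),
]
# Same senders and times, but every deposit is forced to the 1 ETH denomination.
FIXED_POOL = [Deposit(d.t, d.sender, 1.0) for d in VARIABLE_POOL]


def anonymity_set(deposits, withdraw_t, withdraw_amount, tolerance=0.0):
    """Senders an observer cannot rule out as the source of a withdrawal.

    A deposit stays a candidate if it happened before the withdrawal and its
    amount matches (within `tolerance`, e.g. to absorb a relayer fee).
    """
    return sorted({
        d.sender for d in deposits
        if d.t < withdraw_t and abs(d.amount - withdraw_amount) <= tolerance
    })


def set_size_over_time(deposits, amount, times):
    """Size of the candidate set for a withdrawal made at each time in `times`."""
    return {t: len(anonymity_set(deposits, t, amount)) for t in times}


if __name__ == "__main__":
    # Arbitrary amounts: a 3.2 ETH withdrawal points straight back at sender B.
    print(anonymity_set(VARIABLE_POOL, 700, 3.2))
    # Fixed denomination: every earlier depositor is an equally valid candidate.
    print(anonymity_set(FIXED_POOL, 700, 1.0))
    # Waiting longer lets more deposits arrive, so the set keeps growing.
    print(set_size_over_time(FIXED_POOL, 1.0, [30, 700, 4000]))
```

A set of size one means the withdrawal is effectively linked to its deposit no matter which address receives the funds.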
Step 3: VPN Over Tor
But all these steps are meaningless if you are still leaking your IP address.
When using the internet, your IP address is leaked constantly. For example, when using Tornado Cash, your Internet Service Provider (ISP) can link transactions to your IP address by correlating the time of withdrawal with the time that information was sent to the Relayer.
Without precautions, using Ethereum and the internet at the same time means correlating your IP address with your wallet address, which potentially gives away dangerous and sensitive information about the physical location of your wallet.
Because of other information connected to your IP address, this could also potentially link your Ethereum account with your true identity.
The best way to ensure that you aren't leaking IP addresses and geolocation data is to use a VPN. By entering you into a private network, VPNs allow you to assume different IP addresses that are shared among many computers and have no meaningful link to the computer you are using now.
Still, VPNs have trade-offs. For one, they are centralized services, meaning that they are also vulnerable to hacks. The most secure way to use a VPN is over Tor, a network and browser that encrypts your internet activity and mixes it through many volunteer nodes.
Step 4: Brave Browser
Tor comes with built-in privacy at the network layer, but the crypto community also has its own privacy-preserving browser: Brave.
Brave doesn’t hide IP addresses, so it must be used in combination with a VPN. It also has an internal Tor integration, but the Brave team insists that this isn’t as secure as using the Tor browser itself.
Rather, Brave browser comes with some other privacy promises. For one, it doesn't give out your IP addresses without asking first. It also automatically blocks all ads and trackers and makes online advertising opt-in.
In particular, users can be optionally paid in $BAT for handing over some user-specific information.
If you are reading this newsletter you are probably familiar with $BAT. A popular choice for yield farming and liquidity-mining platforms, Brave’s native token is up 50% in value since January.
Step 5: Keep Your Money Offline
[Image: Ledger hardware wallet]
MetaMask dominates the DeFi landscape. This is problematic because it means that the browser is the main portal to Ethereum finance.
Because of the difficulties of combining Ethereum usage with the internet, by far the safest place to keep funds is in a hardware wallet.
Many DeFi platforms offer Ledger hardware wallets as an alternative payment option. While it's not a standalone safeguard, because your data is stored locally and offline, this is an improvement on using a browser-based service.
Still, if you are constantly connecting your hardware wallet to the internet to make DeFi payments, it will suffer from problems similar to those you will encounter using MetaMask. So it’s still essential to use a VPN and multiple accounts to reach a higher level of privacy.
Step 6: Run a Full Node
[Image: Ethereum full node requirements]
Currently requiring 470GB of disk space, running a full Ethereum node is pretty hardware intensive. That said, it comes with privacy benefits that make it attractive to any committed user.
In particular, by running a full node, users are storing all their transaction data locally and can access it without interacting with anything else.
Because full nodes verify that Ethereum’s underlying state is correct, running a full node comes with security benefits, and helps contribute to Ethereum’s decentralization as well.
But because the hardware constraints make running a full node unattractive to many users, some startups are gearing up to make using full nodes more accessible.
Toward this end, Binance Labs-backed startup HOPR has released a pre-assembled Ethereum node that automatically runs over a mixnet. Mixnets are a privacy technique that protects a user’s metadata, such as IP addresses, by shuffling activity between many participants.
That might seem like a lot to take in, and it is. Maintaining user privacy on DeFi is hard. Still, going forward, many startups are looking to offer better privacy-protecting solutions.
For one, Tornado Cash is planning to release a privacy-focused wallet which will allow users to keep their funds private without having to enter into a Tornado Cash pool. To protect IP addresses, this will run over Tor by default.
Privacy-focused startup Nym Technologies is also providing a mixnet solution geared toward privacy for the network layer, meaning the part that exposes IP addresses. Nym is quietly working with Ethereum teams to raise the bar on privacy solutions going forward.
And while it’s currently a bane for DeFi users, soaring gas costs might be good news for privacy in the long run. With use of the Ethereum mainnet becoming prohibitively expensive, DeFi is being forced to move to off-chain, layer two solutions.
And there’s a big overlap between scaling and privacy technology, with both features relying on zero-knowledge cryptography. For example, upcoming privacy project Zkopru will move Ethereum transactions off-chain, while additionally encrypting that information.
Rather than publishing transaction activity on the blockchain as DeFi does now, future-facing solutions may look more like this: encrypted statements on the blockchain that offer the security of Ethereum without sharing any user-sensitive information at all.
Aave has issued more than $300 million in flash loans since its inception. But at the beginning of July, that figure was just $14 million. According to data collected from Aavewatch, a decent chunk of that $300 million is from an August 29 flash loan worth $14 million in Dai, the largest-ever transaction on the platform, Decrypt reported.
Coinbase CEO Brian Armstrong has confirmed that the exchange operator is working on an initial exchange offering (IEO)-like service, months after first hinting at such plans last year, The Block reported. The article cited a podcast hosted in mid-August with Patrick O'Shaughnessy, the CEO of O'Shaughnessy Asset Management, where Armstrong said Coinbase is working on a product called "Coinbase Launch or something like that."
The Defiant is a daily newsletter focusing on decentralized finance, a new financial system that’s being built on top of open blockchains. The space is evolving at breakneck speed and revolutionizing tech and money. Sign up to learn more and keep up on the latest, most interesting developments. Subscribers get full access at $10/month or $100/year or 70 Dai/year, while free signups get only part of the content.
About the founder: I’m Camila Russo, author of The Infinite Machine, the first book on the history of Ethereum. I was previously at Bloomberg News in New York, Madrid and Buenos Aires covering markets. I’ve extensively covered crypto and finance, and now I’m diving into DeFi, the intersection of the two.