Ethereum co-founder Vitalik Buterin has commended the privacy protocol Railgun for preventing an attacker from laundering stolen funds. His response draws attention to Railgun's privacy pool mechanism, which aims to provide financial privacy while including measures to curb fraud.
On Feb. 12, an attacker exploited a rounding precision issue in zkLend, a money-market protocol on Starknet, stealing about 3,600 ETH, worth roughly $9.5m at the time. The attacker inflated the “lending_accumulator” by repeatedly depositing and withdrawing wstETH, then moved the assets to Ethereum.
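To illustrate the class of bug the article names, rounding in share or accumulator accounting, here is an added Python model written for this page. It is a hypothetical, simplified pool, not zkLend's code, and it does not reproduce the real lending_accumulator logic; the pool state, share counts and amounts are constructed. It shows why a withdrawal that rounds the shares burned down (in the user's favour) lets a deposit-then-withdraw cycle drain value from other depositors, and how rounding against the user (ceiling division) closes the gap.

```python
"""Simplified share-accounting model of a lending pool.

Hypothetical illustration added for this article; NOT zkLend's code and
not a reproduction of its lending_accumulator arithmetic.  Per-user share
balances are omitted: the simulation tracks the one user's shares itself.
"""


def ceil_div(a: int, b: int) -> int:
    """Integer division rounding up, for non-negative a and positive b."""
    return -(-a // b)


class NaivePool:
    """Pool that rounds the shares burned on withdrawal DOWN (user's favour)."""

    def __init__(self, assets: int, shares: int):
        self.assets = assets    # underlying units held by the pool
        self.shares = shares    # shares outstanding against those units

    def deposit(self, amount: int) -> int:
        # Floor here is fine: the depositor receives slightly fewer shares.
        minted = amount * self.shares // self.assets
        self.assets += amount
        self.shares += minted
        return minted

    def shares_for_withdrawal(self, amount: int) -> int:
        # BUG: floor rounds in the user's favour, so the user burns fewer
        # shares than the withdrawn amount is worth.
        return amount * self.shares // self.assets

    def withdraw(self, amount: int) -> int:
        burned = self.shares_for_withdrawal(amount)
        if burned > self.shares or amount > self.assets:
            raise ValueError("withdrawal exceeds pool state")
        self.assets -= amount
        self.shares -= burned
        return burned


class HardenedPool(NaivePool):
    """Same pool, but rounds the shares burned UP (against the user)."""

    def shares_for_withdrawal(self, amount: int) -> int:
        # ceil(amount * shares / assets) is >= 1 for any positive amount, so a
        # withdrawal can never be free, and value always rounds to the pool.
        return ceil_div(amount * self.shares, self.assets)


def run_cycle(pool_cls) -> dict:
    """Run one deposit/withdraw cycle by a single user and report the effect
    on the other depositors.  Returns integer-valued pool state."""
    # Constructed thin market: 3 shares back 1000 units, so one share is
    # worth ~333 units and per-share rounding error is large.
    pool = pool_cls(assets=1000, shares=3)
    others_shares = 3
    others_value_before = others_shares * pool.assets // pool.shares

    user_shares = pool.deposit(1000)          # 3 shares minted
    user_shares -= pool.withdraw(999)         # burns 2 (naive) or 3 (hardened)

    return {
        "others_value_before": others_value_before,
        "others_value_after": others_shares * pool.assets // pool.shares,
        "user_shares_left": user_shares,
        "pool_assets": pool.assets,
        "pool_shares": pool.shares,
    }


if __name__ == "__main__":
    for cls in (NaivePool, HardenedPool):
        print(cls.__name__, run_cycle(cls))
```

In the naive pool the user withdraws 999 units for only 2 of the 3 shares just minted, keeping a third share funded by everyone else; the other depositors' claim falls from 1000 to 750 units, and the cycle can be repeated. In the hardened pool the withdrawal burns all 3 shares, and the other depositors end one unit better off. The general rule the model demonstrates is to round every conversion in the protocol's favour and to avoid thin markets where a single share represents a large amount of value.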
When the attacker then tried to move the stolen funds into Railgun, a privacy-focused protocol built on zero-knowledge proofs, the transfer failed. Railgun's Private Proofs of Innocence function screened the illicit funds and kept them out of the privacy pool.
The stolen assets remain in the attacker’s wallet, which blockchain scanners have flagged. In a post on Thursday, Buterin addressed Railgun’s response, calling it one of the best demonstrations of privacy pools working as intended. He also pointed out that the system blocked the unlawful transaction without resorting to surveillance or backdoors.
Privacy pools as a compliance solution
The incident illustrates the current debate over how regulation applies to blockchain-based privacy-enhancing technology. There has recently been a push to shut down crypto mixers, including Tornado Cash and Bitcoin Fog, that have been linked to money laundering. Unlike those mixers, Railgun follows a compliance-based approach that allows it to block funds linked to illegitimate activity.
The zkLend team tried to contact the attacker and offered a deal: keep 10% of the stolen funds and return the rest. The attacker has yet to respond.
“To the hacker: We understand that you are responsible for today’s attack on zkLend. You may keep 10% of the funds as a whitehat bounty, and send back the remaining 90%, or 3,300 ETH to be exact, to this Ethereum address: 0xCf31e1b97790afD681723fA1398c5eAd9f69B98C”
zkLend
Security personnel from StarkWare, the Starknet Foundation, Binance Security, and other analytics firms are currently monitoring this address. Buterin made his comments after threat researcher Vladimir S. reported that the zkLend attackers had tried to launder the funds through Railgun. The protocol raised the alarm and rejected the transaction, demonstrating its effectiveness at curbing misuse.
The zkLend hack highlights the ongoing tension between privacy and compliance in the decentralized space. While public-ledger transparency is useful for security, because it exposes stolen funds, the same transparency undermines the financial privacy of ordinary wallet holders.
Buterin has advocated privacy tools that do not breach compliance standards. In 2023, he co-authored a research paper on Privacy Pools, a framework intended to enable private transactions while discouraging criminal activity.
For developers who do not support Railgun’s filtering system, Buterin suggests setting up privacy pools with different screening conditions. However, such pools would still need backing from a community with robust anonymity protections in place.
Source: https://www.cryptopolitan.com/vitalik-buterin-responds-to-zklend-exploit/