Tornado Cash
Type: Privacy Protocol
Tornado Cash is a decentralized privacy protocol on Ethereum that uses zero-knowledge proofs (zk-SNARKs) to break the on-chain link between deposit and withdrawal addresses. It became a focal point in the debate over financial privacy, regulatory compliance, and protocol-level censorship.
Market Microstructure Analysis
Tornado Cash's privacy mechanism is a standard mixer design with a ZK proof of inclusion: users deposit a fixed amount (0.1, 1, 10, or 100 ETH) into a pool and receive a secret commitment. Later, from a different address, they submit a ZK-SNARK proof that they know a valid commitment in the deposit Merkle tree — without revealing which one — along with a withdrawal address and a nullifier hash (to prevent double-spending). The anonymity set is the set of all deposits of the same denomination that have not yet been withdrawn. Larger denominations have smaller anonymity sets (fewer deposits) but handle more value.
The OFAC sanctions (August 2022) created a regime where regulated actors cannot interact with Tornado Cash addresses without legal risk, reducing the anonymity set and privacy quality for remaining users. The sanctions also created MEV and builder dynamics: some builders/relays refused to include Tornado-related transactions (censorship), while others included them (often extracting MEV from the inclusion).
The forensic question — can deposit-withdrawal links be reconstructed despite the ZK privacy — is actively researched using timing correlation, gas price fingerprinting, withdrawal behavior clustering, and IP-level metadata from relayed transactions.
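The deposit and withdrawal bookkeeping described above, as an added toy model that is not Tornado Cash's own code: it shows the commitment tree, the nullifier check that blocks double-spending, and the anonymity-set count for one pool. Assumptions: SHA-256 stands in for the protocol's hash functions, the tree depth is 4, the names `Pool` and `statement` are hypothetical, and the relation a zk-SNARK would prove is evaluated in the clear (so this model gives no privacy).

```python
import hashlib

DEPTH = 4  # toy tree depth (assumption): 16 leaves

def H(*parts):
    # SHA-256 stand-in (assumption), not the hashes the deployed contracts use
    return hashlib.sha256(b"".join(parts)).digest()

class Pool:
    """One fixed-denomination pool: commitments in, nullifier hashes out."""
    def __init__(self):
        self.leaves, self.roots, self.spent = [], set(), set()

    def levels(self):
        level = self.leaves + [H(b"empty")] * (2**DEPTH - len(self.leaves))
        out = [level]
        while len(level) > 1:
            level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            out.append(level)
        return out

    def root(self):
        return self.levels()[-1][0]

    def deposit(self, commitment):
        self.leaves.append(commitment)
        self.roots.add(self.root())
        return len(self.leaves) - 1          # leaf index

    def path(self, index):
        # Sibling hash at each level, leaf to root
        return [lvl[(index >> d) ^ 1] for d, lvl in enumerate(self.levels()[:-1])]

    def withdraw(self, root, nullifier_hash, proof_ok):
        # Contract-side checks: valid proof, known root, nullifier not yet seen
        if not proof_ok or root not in self.roots or nullifier_hash in self.spent:
            return False
        self.spent.add(nullifier_hash)
        return True

    def anonymity_set(self):
        return len(self.leaves) - len(self.spent)

def statement(root, nullifier_hash, nullifier, secret, index, siblings):
    # The relation the zk-SNARK proves; evaluated in the clear here, so no privacy
    node = H(nullifier, secret)
    for d, sib in enumerate(siblings):
        node = H(sib, node) if (index >> d) & 1 else H(node, sib)
    return node == root and H(nullifier) == nullifier_hash
```

Depositing three constructed notes with commitment `H(nullifier, secret)` and withdrawing the second one twice returns `True` and then `False`, leaving `anonymity_set()` at 2.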
Key Innovations
- ZK-SNARK mixer: cryptographically unlinkable deposits and withdrawals
- Multi-denomination pools: different anonymity set sizes for different amounts
- Trusted setup ceremony: community-generated proving keys for protocol integrity
- Permissionless privacy: no centralized operator, no admin keys