Author: Ashley
On February 12, the lending protocol zkLend on Starknet was attacked by hackers, resulting in a loss of nearly $5 million. However, the hackers did not anticipate that after mixing the money with Railgun (the last step to clean the funds), they would be restricted by Railgun’s protocol policy and forced to return the funds.
Following the incident, zkLend suspended withdrawal services to protect the safety of the remaining funds and announced to the community that the team was actively tracking the hacker’s identity and the flow of funds with multiple partners, promising to maintain transparency and eventually release a detailed investigation analysis report. Additionally, zkLend offered the hacker the opportunity to keep 10% of the funds as a white hat bounty, with the remaining 90% (3,300 ETH) to be returned to zkLend’s Ethereum address. Upon receiving the transfer, zkLend would agree to waive any and all liabilities related to the attack.
As of the time of publication, there has been no response from the hacker regarding this proposal. zkLend posted on social media that they have submitted an incident report to the Hong Kong police, the FBI, and the Department of Homeland Security, and will initiate judicial proceedings.
On February 13, Ethereum co-founder Vitalik, a consistent supporter of Railgun, posted on social media specifically explaining how Railgun successfully avoided processing illicit funds this time.
Following Vitalik’s post, the market reacted sensitively to the news, and Railgun’s value surged. According to market data, as of the time of publication, Railgun increased by 7.00% in the past 24 hours, with trading volume rising by 162.31%.
When discussing Railgun’s apparent anti-money laundering policy protocol, it is essential to mention the leading mixing service project, Tornado Cash. Tornado Cash and Railgun both belong to the privacy track and were the first to provide mixing services. Tornado Cash’s privacy protection features have made it a tool for hackers and criminals to launder and hide funds, drawing attention from governments and regulatory bodies worldwide, especially the U.S. Treasury’s Office of Foreign Assets Control (OFAC), which imposed sanctions on it.
In August 2022, the U.S. Treasury imposed sanctions on Tornado Cash, stating that the service had laundered over $7 billion in the past three years and helped the North Korean state-sponsored hacking group Lazarus Group evade U.S. sanctions. In May 2024, Alexey Pertsev, one of the founders and core developers of Tornado Cash, was sentenced to 5 years and 4 months in prison.
Because it lacked anti-money laundering functionality, Tornado Cash became a handy tool for hackers and money launderers. The regulatory crackdown has sounded the alarm for the entire privacy track. With Tornado Cash as a cautionary tale, Railgun, a second-tier project in the privacy track, has naturally learned the lesson, and its direction for improvement is clear: anti-money laundering.
Railgun has adopted stricter anti-money laundering strategies, focusing on enhancing compliance while ensuring privacy protection. The core of this strategy is to ensure that the platform can maintain user privacy while effectively addressing regulatory requirements and preventing funds from being used for illegal activities. The following are the specific measures taken by Railgun:
First, Railgun did not focus solely on optimizing code; it also compiled a blacklist from regulatory bodies, compliance platforms, and other sources. This blacklist includes transaction data related to money laundering, fraud, and violations of sanctions. These records make it possible to target illicit funds precisely.
Second, after any user deposits, there is a one-hour detection period during which various algorithms analyze whether the deposit may come from the blacklist. The entire process is fully encrypted, outputting only the conclusion of “whether associated” without disclosing sensitive information such as user addresses, transaction histories, or balances, technically ensuring user privacy is not violated.
Third, after one hour, users can use zero-knowledge proofs (ZKP) for private withdrawals. Additionally, Railgun’s internal protocol policy stipulates that if a suspected blacklisted address attempts to mix funds, the funds will be forcibly returned.
Finally, Railgun proactively collaborates with regulators. Proofs generated by all user wallets can be provided to exchanges or regulatory bodies, which can verify the validity of the proofs through verification algorithms without needing to access user fund flows, wallet activity details, or identity data. This mechanism meets the external institutions’ review requirements for transaction compliance while completely avoiding the risk of user privacy leakage, achieving “self-evident innocence without trust.”
It is this combination of privacy protection, compliance mechanisms, and risk control strategies that constitutes the last barrier against the attackers’ money laundering in the zkLend incident.
The founder of SlowMist also stated: “This is a very good privacy solution.”
While Railgun builds a moat for compliance, U.S. regulatory policies seem to be easing. On November 27 last year, the U.S. Fifth Circuit Court ruled that the U.S. Treasury’s sanctions against the Tornado Cash smart contract were illegal. For cryptocurrency and all those concerned with defending freedom, this was a historic victory. The founder of Uniswap called it “immutable smart contracts defeating the Treasury in court.”
Will this ruling lead to the emergence of more projects in the privacy track waving the banner of “code is law” that in fact encourage crime?
Regardless, with the regulatory environment for cryptocurrency becoming increasingly clear following the Trump administration, Railgun, which integrates privacy and compliance, should set an example for the development of this track.
The original article is reprinted with permission from the author, Li Dong BlockBeats.