TL;DR: Mimblewimble’s privacy is fundamentally flawed. Using only $60/week of AWS spend, I was able to uncover the exact addresses of senders and recipients for 96% Grin transactions in real time.

The problem is inherent to Mimblewimble, and I don’t believe there’s a way to fix it. This means Mimblewimble should no longer be considered a viable alternative to Zcash or Monero when it comes to privacy.

In the last two years, Mimblewimble has grown in popularity as an up-and-coming, lightweight privacy protocol. Mimblewimble was invented in 2016 by a pseudonymous hacker known as Tom Elvis Jedusor, who dropped a text description of the protocol into an IRC chat and then disappeared. …

Image for post
Founder Cat #4, the main protagonist of the story.

By now everyone has heard of CryptoKitties, a cute game that went viral to the point of overloading the whole Ethereum network. This is the inside story behind how we made $107K investing in CryptoKitties and briefly set the record for the largest sale ever (currently second-largest). Later, we made ~$8K running an automated arbitrage bot. While playing the speculation game at the height of the mania was exciting, the bot was fairly technically involved and will be interesting to people who want to learn blockchain engineering in general.

As I was toying with my Ethereum smart contracts on a regular Saturday night (December 2), something was clearly off: transactions were stuck and took much longer than usual to confirm. A quick investigation showed there were 10–20 times more pending transactions than usual, and many of them were going to the same mysterious address, 0x06012..66d. This is how I first learned of the now-famous CryptoKitties game. …

Image for post
Launching the attack: the green letters look just like on TV

This post is a deep-dive into programmatically trading on the Ethereum / Bancor exchange and exploiting a game-theoretic security flaw in Bancor, a high-profile smart contract on the Ethereum blockchain. The full code can be found at We collaborated with the Bancor team to make sure the current exploit is protected against, although for a little while there would still be a chance to make some beer money for educational purposes.

Imagine trying to hack Bank of America — except you can read all of their code in advance, all of their transactions are public, and if you steal the money it’s irreversible. Sounds like a paranoid worst-case scenario? Well, this is exactly the setup Ethereum smart contract developers have to deal with every day. Bitcoin and the blockchain technology unlocked tremendous possibilities in international payments, and the Ethereum further magnified it by allowing to manage these payments through programs called smart contracts. …


Ivan Bogatyy

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store