Privacy/Anonymity on Ethereum is Doomed


I will be straightforward here, because I think it needs saying.

As a public blockchain, it will be impossible for Ethereum as a platform to deliver any meaningful or realistic guarantees of privacy or anonymity, unless some fundamentals are addressed first. On private blockchains, such as deployed ‘in enterprise’, this is less of a problem - iff all participants use the same privacy mechanism and somehow get around the ‘gas payer problem’.

However, the crux of the problem is that if more than one ‘privacy solution’ gains traction on Ethereum main-net, the fact that the anonymity pool is split into factions will do nothing more than reduce privacy for everybody. In this sense - competition will hurt the ecosystem, aside from in a few specific situations.

What do I mean by privacy?

  • No previous or future actions can be associated with, or correlated to, a specific actor.

Think of it in the sense of Perfect Forward Secrecy™, that even if my Ethereum account is fully compromised - my secret keys are leaked to the world etc., nobody should be able to see what I did in the past - and no other key holder should be able to see what I do in the future. It is an ideal.

Ethereum is fundamentally unable to accomplish any part of this Ideal, especially so in a public blockchain setting, because transactions need to be paid for, and there is a linkable history of the movement of funds between accounts; this puts the burden of anonymity on the gas payer - they must somehow fund a one-time account without linking it to any of the other accounts. Good luck with that.

One solution is to have ‘transaction proxies/relays’, where you somehow refund the transaction submitter when they successfully execute your transaction, this introduces three really nasty things:

  1. You now have an intermediate with a profit-seeking incentive between you and the miner, who are offering a potentially unreliable service which shouldn’t ever need to exist
  2. You have to re-design all of the smart contracts (imo… design them ‘properly’), to handle relayed transactions, this puts 99% of the current Ethereum ecosystem out of reach of transaction relay services due to ‘custodial risk problems’ (e.g. msg.sender being the owner of your funds)
  3. Censorship, IP logging, capitalist market capture etc. etc. (hello Infura)

The other solution is to use ‘account abstraction’, where any legitimate transaction will be executed iff it appropriately compensates the miner, this is essentially the same solution as ‘transaction relays’, just replace ‘miner’ with ‘relayer’ - it has the same problems: you need to re-design/re-implement a lot of the current smart contract infrastructure to not give anybody and everybody your funds due to shared msg.sender, or to be able to access your funds again (because your previous msg.sender isn’t the same as your current one).

Many ‘anonymity factions’ are worse than a fundamental fix.

Even if we were to implement account abstraction, and then re-design all of the smart contracts to handle the subtleties, then deal with all of the privacy-breaking bugs in the 1000 different implementations, and make everything stop relying on msg.sender as a concept of authorisation/authentication etc.

The reality is that 99% of people would just use transparent transactions, without any anonymity or privacy.

But, an issue which is specific to Ethereum, is that instead of - like with ZCash - the remaining 1% of ‘private transactions’ all use the same technology with a shared anonymity set. Instead - you have many competing and incompatible ‘privacy solutions’ with their own anonymity sets, if there are 10000 users who want privacy, but they are equally spread across 10 different ‘privacy solutions’ - they all have far less privacy than if they stuck with one - and they started with even less than they should’ve had because everybody else doesn’t know/care/whatever.

Where is ZCash now? 99% of the transactions are ‘transparent’, but the majority are traders/exchanges speculating about the value of anonymity and privacy by investing in a ‘privacy coin’ while not using its one and only benefit compared to Bitcoin (the irony, it burns…) meanwhile teams of PhDs analyse every ‘private transaction’, with an anonymity set of hundreds, or possibly thousands, compared to the millions that it could be.

That is worse than Monero, but both are 10x what Ethereum ever possibly could be without really fundamentally addressing this problem - instead we are doomed to add our wishes to the pyre, which only encourages the flames.

TL;DR any privacy technology based on Ethereum, which isn’t used in a strictly controlled enterprise environment, is not only fundamentally dead and floating, but even more than that - trying to compete in ‘privacy on public ethereum’ is causing self inflicted harm and collateral damage.
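Point 2 of the post above (contracts that treat msg.sender as the owner of funds cannot be used through a relayer without custodial risk), modelled as an added Python sketch that is not part of the original thread. The vault classes, account names and amounts are hypothetical, and HMAC stands in for the ECDSA signature recovery a real contract would use.

```python
import hashlib
import hmac

# Constructed demo key. HMAC stands in for ECDSA/ecrecover: a real contract
# recovers the signer from a public-key signature and holds no secret.
KEYS = {"alice": b"alice-demo-key"}

def sign(user, *fields):
    msg = "|".join(map(str, fields)).encode()
    return hmac.new(KEYS[user], msg, hashlib.sha256).hexdigest()

class SenderVault:
    """Authorises by msg.sender, the pattern the post says relays break."""
    def __init__(self):
        self.balance = {}

    def deposit(self, msg_sender, amount):
        self.balance[msg_sender] = self.balance.get(msg_sender, 0) + amount

class RelayVault(SenderVault):
    """Authorises by signed intent; msg.sender only collects the fee."""
    def __init__(self):
        super().__init__()
        self.nonce = {}

    def relayed_withdraw(self, msg_sender, owner, amount, fee, nonce, sig):
        expected = sign(owner, "withdraw", amount, fee, nonce)
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        if nonce != self.nonce.get(owner, 0):
            raise PermissionError("replayed or out-of-order nonce")
        if self.balance.get(owner, 0) < amount + fee:
            raise PermissionError("insufficient balance")
        self.nonce[owner] = nonce + 1
        self.balance[owner] -= amount + fee
        self.deposit(msg_sender, fee)  # refund the relayer who paid gas

def demo():
    old = SenderVault()
    old.deposit("relayer", 100)  # Alice's deposit, submitted by a relayer
    new = RelayVault()
    new.deposit("alice", 100)
    sig = sign("alice", "withdraw", 60, 5, 0)
    new.relayed_withdraw("relayer", "alice", 60, 5, 0, sig)
    try:
        new.relayed_withdraw("relayer", "alice", 60, 5, 0, sig)  # replay
        replayed = True
    except PermissionError:
        replayed = False
    return old.balance, new.balance, replayed
```

In the msg.sender-keyed vault the relayer ends up holding Alice's 100; in the relay-aware vault the relayer can only execute what Alice signed, once, and collect the agreed fee.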




I 100% agree with what you have written here and have had conversations in private with people who feel the same way. In order to get any meaningful privacy/anonymity, it would require an overhaul of how Ethereum currently works. This is unfeasible as there is a lot of vested interest in the current chain through DApp developers, core devs and other stakeholders. I have already relented to the fact that only opt-in privacy can be achieved on Ethereum today, unless there’s a change in priorities with regards to privacy/anonymity.


I think the one assumption is that individual people are supposed to use on-chain privacy directly. To me, it seems obvious that 1) privacy at Layer 2 is much easier, and 2) scalability, UX, fee economics, etc. are better at Layer 2. Unless you are participating in the opt-in economics of Layer 1 composability (DeFi use cases, asset issuance, etc.), you are much better served as an individual user by nearly every single metric with Layer 2 solutions.

Transparency is the default on Layer 1, and as you note, it may not be possible to work around it. But that is not a bad thing, as long as the systems we build are properly built to manage that transparency and protect it from any PII being shared. In my opinion, Ethereum is a base layer for developers and institutions to build on top of and trustlessly coordinate with, and the transparency of that is fundamentally important to ensure it works as well as it needs to.

Too much privacy on the base layer can have significant ramifications, for example the inability to audit economic invariants (also an issue with Zcash and Monero). Insecure smart contracts may lead to loss of certain parties’ funds, but opaque privacy-preserving mechanisms that are broken affect everyone that uses those systems, and may lead to systemic failure that could spread out to other components of the system and other systems in the ecosystem.

Think about if Maker CDPs were privacy-preserving, but had a bug that broke the 150% collateralization invariant (instead allowing 75%, or printing double the DAI). Now compare that with a ZK version of the xDAI chain that was broken (can transfer funds you didn’t have). The former breaks Ethereum and affects a lot of projects; the latter affects a much smaller subset of parties, but wouldn’t print more DAI than the collateral on the main chain can back.


You make good points. However, I think what @HarryR was getting at is that you don’t get as much financial privacy as one would get with, say, Monero. Nobody wants their entire financial transaction history public for the world to see. But, in the context of DApps, this may not be as much of an issue, unless we want completely privacy-preserving smart contracts.


A system that is 100% public is no good as everyone’s wealth will be known, but an advantage to this is law enforcement can hunt down criminals and reduce crime. Contrary to that, a 100% private system would protect everyone’s privacy but criminal operations would be unstoppable. So I think we need to find a sweet spot between these 2 extremes.

“…they must somehow fund a one-time account without linking it to any of the other accounts. Good luck with that.”
I believe this can actually be easily done, without the need for this one-time account, and still preserve privacy to an extent.


Many institutions have public reporting requirements, and if open businesses become a thing, it will probably be very helpful to contributors to know what’s going on.

I see a big benefit for businesses that have to report, they might settle out their holdings on a quarterly basis (or faster) and use the “public record” to fulfill their reporting requirement without additional work. 99% of their operations could occur on Layer 2 systems with better privacy (probably a requirement for any business with sensitive financials), but there is definitely a benefit to a public settlement layer at the base of it all (besides proof of auditability of the underlying systems’ economics i.e. not building skyscrapers on sand)


Having a batch of keys for access to a particular address state tied to a contract.
Idk, instead of operating from the UI with one private and public key, somehow have a batch associated with the core currency and have that batch of keys change with every transaction. Then get another batch of keys (that changes with each transaction) for an interaction with a smart contract. And of course use multiple nodes for pushing every transaction. The UI would have to manage a lot.
Really just talking out of my ass on this one, but kinda sorta just hunching maybe.

The solution may need to be as elaborate as using physical space and autonomous iot systems to “physically” secure privacy.
Something elaborate like this sounds more feasible.

Ironically, you’d need to be in a publicly connected area for either of these to even come close to remotely working because you’d need to make sure your request to the network wasn’t being funneled through 1 malicious actor.

Mainchain can be public. And mainchain being public may be “the right thing” for the world. Sidechains can be private.
Ah… yeah. That guy said it.
Ah yeah. Yeah. This is key.
Yeah, that guy gets it.