Author: Ashley


On February 12, the lending protocol zkLend on Starknet was attacked by hackers, resulting in a loss of nearly $5 million. However, the hackers did not anticipate that after mixing the funds with Railgun (the final step for laundering), they would be constrained by Railgun’s protocol policies and forced to return the funds.

Following the incident, zkLend suspended withdrawal services to ensure the safety of remaining funds and announced to the community that the team is actively tracking the hacker’s identity and the flow of funds in collaboration with multiple partners, promising to maintain transparency and ultimately release a detailed investigation analysis report.

In addition, zkLend offered the hacker the chance to retain 10% of the funds as a white hat bounty if they returned the remaining 90% (3,300 ETH) to zkLend’s Ethereum address. Upon receiving the transfer, zkLend would agree to waive any and all liabilities related to the attack. As of the time of publication, there has been no response from the hacker regarding this proposal. zkLend posted on social media that they have submitted an incident report to the Hong Kong police, the Federal Bureau of Investigation (FBI), and the Department of Homeland Security, and will initiate legal proceedings.


On February 13, Vitalik Buterin, one of the co-founders of Ethereum, who has consistently supported Railgun, posted on social media to specifically explain how Railgun successfully avoided processing funds from criminal activities this time.


After Vitalik’s post, the market responded sensitively to the news, and Railgun saw a price increase. According to market data, as of the time of publication, Railgun’s price rose by 7.00% in the past 24 hours, with trading volume increasing by 162.31%.

When discussing Railgun’s evident anti-money laundering policy protocol, one cannot overlook the leading mixing service project, Tornado Cash. Tornado Cash and Railgun are both part of the privacy track, with Tornado Cash being the first project to offer mixing services. Its privacy protection features made it a tool for hackers and criminals to launder and hide funds, attracting the attention of governments and regulatory agencies worldwide, particularly the U.S. Treasury’s Office of Foreign Assets Control (OFAC), which sanctioned it.

In August 2022, the U.S. Treasury imposed sanctions on Tornado Cash, stating that the service laundered over $7 billion in the past three years and assisted North Korea’s state-sponsored hacking group, Lazarus Group, in evading U.S. penalties. In May 2024, Alexey Pertsev, one of the founders and core developers of Tornado Cash, was sentenced to 5 years and 4 months in prison.

Related reading: “Convicted! What Does the Verdict in the Tornado Cash Case Mean for DeFi Regulation?”

Due to the lack of anti-money laundering features, Tornado Cash became a handy tool for hackers and money laundering criminals. The regulatory crackdown has sounded the alarm for the entire privacy track. With the lessons learned from Tornado Cash, Railgun, as a prominent player in the privacy track, is naturally expected to take heed and improve in a clear direction: anti-money laundering.

Railgun has adopted a stricter anti-money laundering strategy, focusing on enhancing compliance while protecting privacy. The core of this strategy is to ensure that the platform can maintain user privacy while effectively responding to regulatory requirements and preventing funds from being used for illegal activities. The following are the specific measures taken by Railgun:


First, Railgun does not focus solely on optimizing code but cleverly compiles a blacklist from regulatory bodies and compliance platforms. This blacklist encompasses transaction data related to illegal activities such as money laundering, fraud, and sanctions violations. With these records, precise targets for intervention can be identified.

Second, after a user makes a deposit, there is a 1-hour detection period during which various algorithms analyze whether the deposit may originate from the blacklist. The entire process is fully encrypted, outputting only the conclusion of “related or not,” without disclosing sensitive information such as user addresses, transaction histories, or balances, thus technically ensuring user privacy is not violated.

Third, after the 1-hour period, users can use zero-knowledge proofs (ZKP) for private withdrawals. Additionally, Railgun’s internal protocol stipulates that if a suspected blacklisted address attempts to mix funds, the funds of that suspicious address will be forcibly returned.

Finally, Railgun proactively collaborates with regulators. All proofs generated by user wallets can be provided to exchanges or regulatory bodies, allowing these third-party organizations to verify the validity of the proofs through verification algorithms without needing to access user fund flows, wallet activity details, or identity data. This mechanism not only meets external entities’ scrutiny of transaction compliance but also thoroughly avoids the risk of user privacy leakage, achieving “self-proof of innocence without the need for trust.”
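The four steps above, modeled as an added Python sketch that is not Railgun's code: a deposit is held for the detection period, screened against a blacklist, then either cleared or sent back to its origin, and a third party checks clearance from hashes alone. The class, function and address names are assumptions, and a SHA-256 Merkle inclusion proof stands in for the zero-knowledge proof, which would additionally hide which deposit is being proven.

```python
import hashlib

HOLD_SECONDS = 3600  # the 1-hour detection period described above
def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

class ScreenedPool:  # hypothetical toy model of hold, screen, clear or return
    def __init__(self, blacklist):
        self.blacklist = set(blacklist)  # constructed sample addresses
        self.pending = {}                # commitment -> (origin, deposit_time)
        self.cleared = []                # public list of commitments that passed

    def deposit(self, origin, amount, secret, now):
        c = h(secret, origin.encode(), amount.to_bytes(32, "big"))
        self.pending[c] = (origin, now)
        return c

    def settle(self, c, now):
        origin, t0 = self.pending[c]
        if now - t0 < HOLD_SECONDS:
            return ("pending", None)
        del self.pending[c]
        if origin in self.blacklist:
            return ("returned", origin)  # only exit is back to the depositor
        self.cleared.append(c)
        return ("spendable", None)

    def _levels(self):
        levels = [[h(b"\x00", c) for c in self.cleared] or [h(b"\x00")]]
        while len(levels[-1]) > 1:
            lv = levels[-1]
            if len(lv) % 2:
                lv.append(lv[-1])  # pad odd levels by repeating the last node
            levels.append([h(b"\x01", lv[i], lv[i + 1]) for i in range(0, len(lv), 2)])
        return levels
    def root(self):
        return self._levels()[-1][0]
    def prove(self, c):
        idx, path = self.cleared.index(c), []  # ValueError if c never cleared
        for level in self._levels()[:-1]:
            path.append((level[idx ^ 1], idx & 1))  # (sibling, node is right child)
            idx //= 2
        return path

def verify(root, c, path):
    # Third-party check: sees a commitment and hashes, never address or amount.
    node = h(b"\x00", c)
    for sibling, is_right in path:
        node = h(b"\x01", sibling, node) if is_right else h(b"\x01", node, sibling)
    return node == root
```

The `\x00` and `\x01` prefixes separate leaf hashes from internal nodes, so an internal node cannot be presented to `verify` as if it were a cleared commitment.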

It is precisely this combination of privacy protection, compliance mechanisms, and risk control strategies that forms the last line of defense in intercepting the attackers’ money laundering in the zkLend incident.


The founder of SlowMist also stated, “This is a very good privacy solution.”

While Railgun builds a moat for compliance, U.S. regulatory policies seem to be easing. On November 27 last year, the U.S. Fifth Circuit Court ruled that the U.S. Treasury’s sanctions against Tornado Cash smart contracts were illegal. For cryptocurrency and all those concerned with defending freedom, this was a historic victory. The founder of Uniswap referred to it as “immutable smart contracts defeating the Treasury in court.”

Will this ruling lead to an increasing number of projects in the privacy track waving the banner of “code is law” while actually fostering crime?

Related reading: “A Comprehensive Analysis of the Privacy Track: Defending Privacy or Fostering Crime, the Revolution is Not Yet Successful”

Regardless, in the current environment of increasingly clear cryptocurrency regulation post-Trump administration, Railgun, which integrates privacy and compliance, should set an example for the development of this track.

Original link: This article is reprinted with permission from Lidu BlockBeats.
