[Proposal] yPhoon - Add the ability for the yearn vaults to act as privacy mixers

Summary:

Name of the feature is yPhoon: aka Typhoon on Yearn…based upon the Tornado cash privacy mixer Tornado Cash · GitHub

If this proposal passes it will add the ability for each vault in the yearn ecosystem to function as a mixer, giving everyone the ability to deposit funds from one address and withdraw them via another. Doing this will enable absolute anonymity and privacy for all users by breaking the chain so to speak and allowing deposits into a fresh address with no traceable history.

Abstract:

The proposal will work in the same way that tornado cash does for Ethereum mixing with slight changes as described below.

See an intro to tornado cash here Introducing Private Transactions On Ethereum NOW! | by Tornado Cash | Medium

To enter a yPhoon enabled vault the user must perform the following actions

1. Generate a secret and send the hash plus the coins to the vault.
2. The amount of coins to be sent must be one of a list of certain quantities. If the amount sent is not part of the anonymity set the deposit should fail.
3. Leave the funds in the vault, the longer the better, not just from a yield perspective but from an anonymity perspective
4. To withdraw, send proof that you lay claim to an unspent commitment (the secret provided in step 1), plus the address you wish to withdraw to

Motivation:

Why would we want to do this? For 3 simple reasons.

1. To attract more/different users to yearn which will generate more fees. We have tapped the investors that want a cheaper way to get yield, there are other discussions around using vaults to work with options, and now we are tapping the privacy market which is new and has not been done before in DeFi afaik. If it works, this piece of lego can be used by other defi dapps, which would bring tremendous volume through
2. To create the largest mixing service on the Eth chain and allow anyone to protect their privacy, not only with Eth, but with any coin/token that yearn provides a vault for. Currently with tornado cash you can only mix Eth, Yearn has the ability to mix anything a vault holds due to the amount of participants within the vault.
3. While your funds are “in the mixer” they will actually be gaining in value via the yield generation strategies, which is something Tornado cash cannot do which is a huge point of difference.

Specification:

Before I get into the spec, just know im not a dev so I have made some assumptions on how the underlying smart contracts work. Also if any of these changes would break something im not aware of please provide feedback in the comments on this proposal.

Firstly we would have to decide what anonymity sets we want. For ETH, Tornado cash has 0.1, 1, 10 and 100 ETH deposits, I don’t see any reason why these would not be appropriate for yPhoon. We could add in 5, 20, 50??? For our Link delegated vaults we might choose a different set, maybe 10, 20, 50, 100, 150, 200, since 1 Link is worth less than 1 ETH accepting anything less than 10 may be a waste of time. The yUSD vault would be in a similar situation and due to its price would need a different set that makes sense.

As a suggestion it would make sense to run a few reports of the vaults to get a sense of the sizes that people are depositing with per vault.

Once we have anonymity sets worked out, the smart contracts that govern deposits will have to be upgraded to filter for yPhoon deposits…ie any deposit that matches an anonymity set quantity, would also require a “secret” to be sent. (Alternatively we could have a check box on the webpage or a separate webpage all together to selectively turn this on, so if it wasn’t ticked yPhoon would be off and the vaults behave as they do now, even if you did end up sending say 10 ETH)

The yearn yPhoon deposit smart contract receives the secret and the coins, sends the coins to the strategy and earns yield. These particular coins are locked and cannot be withdrawn unless a secret is also provided along with a new ETH address. There will need to be a different withdrawal tab on the website to allow yPhoon withdraws vs regular withdraws.

Please note, if you forget your secret, you will not be able to get your coins back, ever.

As stated im not a dev, so if this passes, ill need someone to do the actual work on this. If there is any one time reward or on going reward for this if implemented it would be split with the dev or devs.

For:

Against:

Poll:

That is cool and novel. I am for it!

I think the secret management adds an unnecessary barrier to the UX of using vaults. It’s an interesting proposal, but I would only be for it in the capacity of an experimental vault, rather than something to be applied to all vaults.

I love this idea! Am for. As mentioned, to simplify user experience we may want to make it etiher optional or only on specific vaults. Also, you have to click here to add a poll:

image1160×443 24.6 KB

Anything that preserves or increases privacy should be a foundational value for yearn. I am for.

I’d be interested in understanding if the current vaults are able to allow withdrawals to a separate address. I don’t think they are. And if they aren’t how much work does it entail to revamp the contracts? Would it be incompatible with vault infrastructure? More of a developer question.

Thanks, I couldn’t figure out how to add a poll. cheers

My guess, is that there would be another smart contract that sits ahead of the queue which would take care of the yPhoon stuff, which would then pass it on to the rest of the vault sequence. Thereby leaving the original vault sequence in tact, so that if anything funky happened with yPhoon, you just remove that 1 particular contract.

Obviously not a dev, so could be completely wrong, but seems logical in my head

Would love @banteg to chime in with some initial thoughts on this

As long as the code or language used to activate this feature is bullet proof I am all for it .

I like this idea and would love to see it get implemented. I will vote yes on this proposal assuming the devs say this is possible.

I love this idea, and I want to see it happen!

A few comments:

1. Tornado is working on a V3, with a lot of improvements, but most importantly the ability to deposit/withdraw arbitrary amounts. I think this is necessary for any sort of good UX, so we should wait for V3.
2. This doesn’t have to live in the Vaults code (and also, probably shouldn’t, for security reasons). Instead, we can just make a “connector contract” that can take in a deposit, receive the yVault shares, and deposit into Tornado (allowing another address to reverse the process and get the underlying back, plus return)
3. Better yet, we could probably work with Tornado, and get them to basically add a “Earn w/ yEarn” option to deposits, which does this under the hood, and vice-versa with yEarn deposits (maybe under an “advanced” feature opt-in flag). It should increase their anonymity sets, and our Vault deposits. Win-win!
4. There are some proposals that should make it more seamless to use Tornado, hopefully they are planning on increasing UX with these proposals with V3

TL;DR let’s make it happen, but also do it right

Wasn’t aware of V3, if they do add arbitrary amounts, then that would be killer. At the end of it though, Tornado is ETH only, and we would want to be able to do more than ETH, so we would have to code something extra to be able to mix other coins.

re: connector contract…that’s what I was describing, perhaps I didnt do it well enough. Existing vault code shouldnt be touched. yPhoon would be a separate contract that feeds the vault contracts

Important thing to note is that you wouldn’t actually be using Tornado with the underlying tokens (e.g. DAI, USDC, etc.), but with yVault share tokens, as these are the tokens of value you’d want to obfuscate (both for practicality reasons as well as security reasons)

Yes I realise that, we want to do more than ETH which is why we need to build our own mixer, hence the different name, yPhoon.
We can fork the Tornado cash code from github and upgrade it to accept different coins.

Another part of V3 design I think it better ability to work with arbitrary tokens, instead of requiring a different pool for each token.

There’s a lot to V3 lol. I think we’re best off waiting until it drops, and then coordinating with the team. It’s a complicated protocol.

Great idea! How do we make it happen though? I imagine the devs have their hands full already. Can we vote to hire more devs just for that with the treasure money?

Core Devs like @andre.cronje and @banteg would be busy, yeah.

I guess we could use some treasury money, could also ask tornado cash guys if they wanna team up.

@milkyklim is this what you would do as a rep of the multi sig…reach out to tornado cash?

Yes we can. But we are actively seeking devs to help work on yearn too.

Great idea!! Would be great to have the tornado guys add this.

Two comments/questions:

1. Is it fair to assume this feature would be optional? It seems it would increase gas costs and smart contract risk, and for some it may not be something they are willing to do for audit or legal reasons. On other threads people are talking about CeFi integrating with yearn or “big money” depositing – neither is likely to be willing to anonymize. Sime may bot be interested in participating with a platform that is associated with it.

2. Does anonymizing withdrawals in this way create any legal or government problems? For example is there a risk that a centralized stablecoin would be forced to block all addresses that have interacted with Yearn? Even a small risk of this type would cripple the yearn system.