In November 2024, the U.S. Court of Appeals for the Fifth Circuit ruled that the sanctions imposed by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on the mixer Tornado Cash violated the International Emergency Economic Powers Act (IEEPA). The Fifth Circuit held that Tornado Cash's smart contract is decentralized, self-running, uncontrollable code that cannot be owned, is not property, and should not be included in OFAC's sanctions list. OFAC's sanctions therefore exceeded its legal authority.
Although the Fifth Circuit's ruling in the Tornado Cash case is seen as a victory for the crypto industry, it remains a fact that North Korean hackers and criminal organizations that steal coins use Tornado Cash to launder them and evade regulators and law enforcement. So can the on-chain privacy of crypto users be guaranteed while staying legal and compliant? This article looks at how the mixing protocol Railgun protects users' on-chain privacy in compliance with regulations.
Railgun protocol operation mode
Railgun is a privacy protocol based on smart contracts. It guarantees user on-chain privacy payments through zero-knowledge proofs and Merkle trees, and uses "proof of innocence" to ensure the safety and compliance of on-chain funds flowing into the protocol. This method achieves a balance between on-chain privacy payments and regulatory compliance.
Grayscale's parent company DCG Group has so far invested 10 million US dollars in the Railgun protocol token RAIL, donated more than 7 million US dollars in stablecoins to the Railgun DAO, and committed resources through its subsidiary Foundry Labs to ensure the back-end load capacity of the Railgun protocol.
Operation mechanism
1. Token privacy
Users use Railway Wallet to move the tokens in their 0x address into a private Railgun 0zk address. After waiting for an hour, the token balance in the 0zk address can be used for transfers between 0zk addresses and for private on-chain interactions such as DeFi. Transfers between 0zk addresses do not require waiting and are credited in real time. Railway Wallet supports making ERC20 tokens and ERC-721 and ERC-1155 NFTs private.
2. Broadcasters interact with the underlying chain in place of protocol users to ensure transaction privacy
Once the tokens are private, users perform on-chain interactions through Broadcasters in the Railgun protocol. Broadcasters are public 0x addresses that pay gas to the underlying blockchain on behalf of protocol users to complete on-chain interactions. As a result, users do not need to spend ETH/MATIC/BNB as gas at any point in the on-chain interaction.
In theory, any 0x address can act as a Broadcaster, and users can choose a Broadcaster based on gas and availability. Broadcasters do not control the tokens in the user's address; they only relay the interaction information. They cannot learn the sending address, amount, receiving address, or token type of the on-chain interaction, which ensures the privacy and security of the transaction. Broadcasters can earn 10% of the total gas fee during the whole process.
3. Release privacy after completing the on-chain interaction
After the designated Broadcaster has completed the private transaction on the user's behalf, the user enters any 0x address to initiate the release of privacy, thereby withdrawing the remaining tokens from the Railgun protocol. For both operations, making tokens private and releasing privacy, the Railgun protocol smart contract charges a fee of 0.25% and sends it to the vault address of the Railgun DAO. This protocol revenue is distributed to the protocol's governors and stakers.
Railgun uses zero-knowledge proofs to ensure privacy on the chain
Zero-Knowledge Proof (ZKP) is a cryptographic technique that allows a prover to convince a verifier that a statement is true without revealing the details of the underlying information. In the Railgun protocol, users can prove that they have the right to use tokens without revealing the type and amount of tokens, while Broadcasters and the fund pools keep the sending address and the recipient address private.
By analogy, Railgun users are like letter writers, ZKP is responsible for verifying the content of the letter, the smart contract of the Railgun protocol is the sealed envelope, and Broadcasters are the postmen. Observers of the public chain can only see that a letter has been sent; they cannot determine its content, its sender, or its recipient.
Railgun uses Merkle Tree to prevent double spending and ensure transaction security
Merkle Tree, also known as hash tree, is often used to verify the integrity of transaction data on the chain. Each block header contains the root hash value of the Merkle tree to verify whether the transaction data in the entire block has been tampered with. Since the FTX incident of misappropriating user assets, the current mainstream centralized exchanges have adopted Merkle trees to verify the custody security of user assets and prevent them from being misappropriated.
After a user makes tokens private with the Railgun protocol, the tokens are added to the privacy pool. Token balances in the Railgun privacy pool are tracked through a UTXO registry similar to BTC's. The entire list of Railgun UTXOs forms a Merkle tree data structure, which is used to verify the balance state during a transaction. All tokens in the Railgun protocol share the same Merkle tree. Each token privacy operation updates the state of the Merkle tree and generates a new Merkle root/leaf. This ensures that users have sufficient tokens when sending private transactions, prevents double spending, and ensures the security of transactions.
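The Merkle mechanics described above, as an added example that is not Railgun's own code: a tree built over a list of UTXO notes, an inclusion proof for one note, and the root changing when a new note is appended. SHA-256, the note encoding, and the padding rule are assumptions made for this sketch; the page does not describe the protocol's actual hash function or note format.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_levels(leaves):
    """Return every tree level: hashed leaves first, single-root level last."""
    level = [h(b"leaf:" + x) for x in leaves]   # prefix separates leaves from inner nodes
    levels = [level]
    while len(level) > 1:
        # Odd count: pair the last node with itself (padding choice for this sketch).
        padded = level + [level[-1]] if len(level) % 2 else level
        level = [h(b"node:" + padded[i] + padded[i + 1])
                 for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels

def merkle_root(leaves):
    return build_levels(leaves)[-1][0]

def prove(leaves, index):
    """Sibling hashes from leaf to root; flag is 1 when our node is the right child."""
    proof = []
    for level in build_levels(leaves)[:-1]:
        sib = index ^ 1
        sibling = level[sib] if sib < len(level) else level[index]
        proof.append((sibling, index % 2))
        index //= 2
    return proof

def verify(leaf, proof, root):
    """Recompute the root from one leaf and its proof; no other leaf is needed."""
    node = h(b"leaf:" + leaf)
    for sibling, is_right in proof:
        pair = sibling + node if is_right else node + sibling
        node = h(b"node:" + pair)
    return node == root

# Constructed sample notes (hypothetical encoding), one per private UTXO.
NOTES = [f"note-{i}|token=DAI|value={100 + i}".encode() for i in range(5)]

if __name__ == "__main__":
    root = merkle_root(NOTES)
    print("root:", root.hex())
    print("note 4 included:", verify(NOTES[4], prove(NOTES, 4), root))
    grown = NOTES + [b"note-5|token=DAI|value=7"]
    print("root changed after new note:", merkle_root(grown) != root)
```

A proof is only valid against the root it was generated for, which is why every privacy operation that appends a note yields a new root that later proofs must reference.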
How does the Railgun protocol achieve regulatory compliance?
The main reason Tornado Cash was sanctioned is that the North Korean hacker organization Lazarus Group and criminal groups that steal and launder coins used it to mix coins and evade tracking and investigation by regulators and law enforcement agencies such as the FBI.
Private Proofs of Innocence
As mentioned in the description of the Railgun protocol's operating mechanism above, there is a one-hour waiting period when users make the tokens in their 0x addresses private. During the waiting period, Railgun performs on-chain anti-money laundering screening on the tokens in the user's address to ensure that the funds do not come from high-risk criminal or sanctioned addresses.
Railgun's on-chain anti-money laundering screening does not require users to provide KYC information, as centralized exchanges or institutions do, which would risk exposing their privacy. Instead, it verifies against on-chain label data. Users can choose the verification label library corresponding to the applicable jurisdiction. For example, US users can choose the US regulatory address list. During the waiting period, users still own the tokens and can remove the token privacy at any time and retrieve the tokens through their original 0x address.
After the on-chain anti-money laundering verification of the tokens is complete, the user obtains a private proof of innocence. Tokens subsequently sent to public blockchain addresses are accompanied by this private proof of innocence, showing that the tokens have been tested and verified.
Currently, the default on-chain anti-money laundering label list data of the Railgun protocol is composed of Chainalysis's public free library and public OFAC sanctions addresses.
Chainalysis is a US blockchain analysis company founded in 2014. In May 2022, Chainalysis announced the completion of a $170 million Series F financing round led by GIC, with a valuation of $8.6 billion. Chainalysis's anti-money laundering system has become a compliance necessity for exchanges, stablecoin issuers, NFT trading platforms, and crypto banks. Chainalysis has also reached cooperation with government departments such as the US Internal Revenue Service, Immigration Service, and FBI.
For the Railgun protocol, screening tokens against Chainalysis's address tag library as they enter the protocol's privacy pool is equivalent to wearing a talisman. Token receiving addresses, exchanges, and institutional addresses no longer need to fear that accepting on-chain transfers from the Railgun protocol will violate anti-money laundering regulations and lead to sanctions and penalties for helping criminal organizations launder money.
Cryptocurrency tax calculation (Koinly Tax Exports)
Private transactions on the Railgun protocol can make it difficult for users to calculate the tax due on their crypto asset transactions, so Railway Wallet supports exporting the user's interaction records with the protocol so that the tax software Koinly can calculate the user's tax amount.
Summary and thinking
On a public blockchain, every on-chain interaction is transparent and traceable. To protect the privacy of on-chain transactions, privacy-focused public chains and coin-mixing protocols such as Tornado Cash have emerged, but they also give an opportunity to criminal organizations that use virtual currencies to move stolen money. The emergence of the Railgun protocol has achieved a balance between protecting on-chain privacy and combating cryptocurrency money laundering, allowing on-chain addresses to make private payments safely and compliantly without violating anti-money laundering regulations.
From December last year to May this year, the address of Ethereum founder Vitalik Buterin has used the Railgun protocol address to conduct 260 ETH private transactions worth millions of dollars. However, this method only means that anti-money laundering verification is carried out before the token enters the protocol. Once the token passes the verification and is transferred out of the protocol, what should be done if regulators later find a problem with the transaction and need to investigate? After all, criminal techniques are often ahead of crime-prevention measures, and Chainalysis's address tag library data always lags behind the latest addresses used by criminal groups.