Alice the Liquidity Provider

Put yourself in the shoes of Alice, a long term believer in Crypto. Alice bought a lot of ETH and USDC early on and wanted to support these growing protocols, so she deposited her assets in Uniswap as a Liquidity Provider (LP) back in 2018. She left them there as she watched the price of ETH 5x. Alice was delighted (as we all would be!), she had 5x’d her money on ETH right? WRONG. She had actually lost up to 25% of her capital vs. HODLing and not LPing.

Alice believed the same misconception that many of us do. She believed that providing liquidity in an AMM was like HODLing her asset with interest from transaction fees. Alice believed she would ride the upside when her tokens increased in value. And she did, but a lot less than if she had HODLed.

Alice could be you, or me, and the reason she lost money is because she didn’t understand impermanent loss. And it is not Alice’s fault. Impermanent loss is a deeply technical concept that most people don’t see in their day-to-day. There are many great technical explanations of impermanent loss like this but in this blog, we wanted to provide a more practical explanation.

What is Impermanent Loss (IL)?

Impermanent loss occurs when the prices of your tokens diverge whilst in a liquidity pool. It would be more appropriate to call it divergence loss.

It occurs because AMM liquidity pools have to maintain a fixed ratio (often 50% / 50%) of tokens (e.g. ETH-USDC) in a pool. For example, if we want to deposit 1 ETH @ $3,000, we will also have to deposit 3000 USDC @ $1 - $3,000 of each token.

Assuming no transaction fees (for now), IL can roughly be defined as:

By LPing, Alice’s payoff is maximized when the relative price of her tokens remains roughly constant, as you can see in Figure 1. The x axis shows the amount of price deviation. In other words, as prices change, Alice’s payoff begins to suffer. It is only at 0% price change (no divergence!) that Alice reaches the maximum payoff. Note that with transaction fees, the curve in Figure 1 will be shifted upwards.

How does impermanent loss occur?

TL:DR; When relative prices change, the # of each token changes so when we withdraw, we get back a different # of each token than we deposited.

1. When we deposit tokens (e.g. ETH + USDC) in a liquidity pool, we receive LP tokens.

2. LP tokens give us the right to a proportion of the assets in the liquidity pool.

3. Liquidity pools are required by their trading function (e.g. Uniswap uses the Constant Product Market Maker, x * y = k) to keep a constant ratio of each asset (i.e. 50% ETH, 50% USDC).

4. When the relative price of assets change, the number of each token in the pool changes to keep that constant ratio.

5. When we withdraw, we get back a different number of ETH and USDC than we deposited, which, excluding fees, will be worth less.

Let’s look at an example of this process below.

ETH-USDC Example (No Transaction Fees)

• Scene-setting - in this example, the price of ETH doubles from $100 to $200, and USDC remains constant at $1. We start with $1,000 of assets, $500 of ETH (5 ETH @ $100) and $500 USDC (500 USDC @ $1). The AMM uses the Uniswap constant product trading function.

• The HODL Scenario is straightforward, we now own $1,500 of assets, $1,000 of ETH, (5 ETH @ $200) and $500 USDC, the same as before.

• In the LP Scenario, the pool must hold 50% of each asset, so as the ETH price increases, the pool sells ETH and adds USDC. This means we can withdraw $1414: $707 of ETH (3.54 ETH @ $200) and $707 USDC (707 USDC @ $1).

• Other AMMs, such as Balancer can hold a different ratio of assets in each pool. Take their 60% WETH, 40% DAI pool for example. This ratio is defined by their trading function.

Impermanent loss as a % of pool TVL is a rough approximation for what fees should be, over a fixed time period, for an LP to be profitable.

Why is it important?

TL:DR;…

If impermanent loss is greater than transaction fees on average, then it is not rational to provide liquidity, assuming no other benefits (e.g. liquidity mining, hedging). It can be hard to notice though because your assets may be increasing in absolute value, but losing relative value (to HODL).

How can LPing remain profitable?

1. Become more sophisticated / active - easier said than done when you’re competing with institutional market makers!

2. Protocol liquidity incentives can make up for impermanent loss.

This is important because Crypto needs profitable market making to retain composability. For example, Axie Infinity gave many people access to capital because they could swap AXS for ETH. They could only do this because LPs provided AXS-ETH. If the LPs didn’t think it would be profitable for them, then they wouldn’t LP their tokens, reducing composability.

Well aren’t liquidity incentives enough? Yes in the short term, but that is not a long term viable solution. It is a cash plug, like VC funding for unprofitable SaaS businesses. The question remains whether there will be a space for passive LPs in Crypto Market Making.

How bad is it?

TL:DR; not bad for small price changes, very bad for large price changes. If ETH 5x’s vs. USDC, you lose 25% of your capital vs. HODL.

The key takeaway is that impermanent loss is very small for small deviations in price (barely noticeable for +/- 5%) but starts to get quite large (1% of profit) as relative prices move +/- 25%. With meaningful price drift, these losses can be quite large.This takes us onto the next obvious question...

For which token pairs is impermanent loss most likely?

TL:DR; when token prices are volatile and uncorrelated - shitcoin + token (e.g. APE-ETH) and token + stablecoin (e.g. ETH-USDC) pairs.

Most impermanent loss?

• Shitcoin + token (e.g. LOOKS-ETH) pairs with a highly volatile token that increases/decreases in magnitudes of value.

Second most impermanent loss?

• Token + stablecoin pairs (e.g. ETH-USDC) with a fixed value stablecoin, and a token that changes in value. IL is much lower than for shitcoin + token pairs, given the price movement.

Existing AMMs use higher fees for more volatile assets to compensate LPs for the higher IL risk.

How do I check my impermanent loss?

Our simple google sheet, or if you want a better UX, tools like DailyDefi and WhiteboardCrypto.

So what should I do?

TL:DR; don’t passively LP assets indefinitely without thinking about it.

Like every investment strategy, providing liquidity has a specific payoff function. There is no free lunch, and in AMMs, if the relative price goes up or down a lot, we can lose money. If it stays roughly constant, we can make a lot of money. We just want DeFi retail users to understand that. There are several strategies to managing this risk including Uniswap V3, Perps, Option Vaults & our favorite, RMMs like Primitive.

Want to talk more about on-chain market making and derivatives? Please reach out!

1. Linking their distinct Ethereum addresses

2. Linking their Tornado Cash deposits and withdrawals

Since our last update, we’ve added three new features:

1. Diff2Vec, a Machine Learning approach to clustering Ethereum addresses to find more potentially connected Ethereum addresses.

2. A history of potentially revealing transactions for each address, so users can see when they may have compromised their privacy.

3. A live data feed updating with new Ethereum and Tornado Cash transactions.

For the nitty gritty details you can check out the Tutela white paper.

Diff2Vec, a Machine Learning Algorithm

Initial users gave us feedback that often no Ethereum addresses were associated with their input address. This makes sense because we were only using the deposit address reuse (DAR) heuristic to link Ethereum addresses. DAR searches for very specific behavior (e.g. interacting with centralized exchanges), meaning that most Ethereum addresses show no results - it found c.2.5m Ethereum clusters from >180m Ethereum addresses.

To supplement DAR, we implemented Diff2Vec. It projects each Ethereum address to a point in a low-dimensional vector space based on who it transacts with. In this vector space, addresses belonging to the same entity should be close together in Euclidean distance. This allows Tutela to show k-results for every input address. The potential downside is that it is highly unlikely all k-results are connected to the input address. There is a tradeoff between quality and quantity.

Transaction Reveal Data

We’ve recently added a new piece of functionality - a history of potentially revealing transactions for each address. This shows when a user potentially made revealing transactions and the type of reveal. More on the different Ethereum reveals here and Tornado Cash reveals here.

After clicking the transactions tab on the landing page, a user can input an Ethereum address to see historical potentially revealing transactions over time.

Figure 1 shows the potential reveals by this address. On the left hand side, the user is given raw statistics about potential revealing behavior. On the right hand side, the user is shown when the annotated reveals occurred.

By scrolling down (Figure 2), the user can see the transaction hashs associated with these reveals and look them up on Etherscan.

Analysis - How Accurate is Tutela?

Ethereum Clustering

We can measure the quality of address clusters using a “test set” of known clustered addresses. It is hard to find “ground truth” data in this space but we obtained a data set from (Beres’ et al., 2021) where 1,028 clusters of addresses (average size of 4.0 ± 3.6 Externally Owned Addresses (EOA) per cluster) are derived from ENS names. Admittedly, this is not an unbiased test set but does suffice as a good measure of Tutela’s generalization.

We are interested in “recall” or the ability of a heuristic or algorithm to recover the clusters in the test set. We do not consider precision on purpose as it does not make sense to penalize a model for finding clusters outside of those in the test set.

DAR alone has a recall of 39.4% with NODE (Diff2Vec) at 37.8%, two percent lower than DAR. However, as shown above, when DAR and NODE are combined, total recall increases to 44.8%. This suggests that the types of clusters found by DAR and NODE have diversity.

Tornado Cash Anonymity Set Auditor

In October 2021 there were 97.3k Tornado Cash equal user deposits, Tutela found 42.8k were potentially compromised: 18.6K from the address match reveal, 102 from the unique gas price reveal, 18.9K from the linked ETH address reveal, 16.2K from the multi-denomination reveal, and 358 from the TORN mining reveal (with overlap between reveals).

By pool, we find the anonymity set is reduced by 37% (± 15%) on average. Figure 4 shows the uncompromised anonymity sets by pool. We find that some of the pools could be heavily compromised (such as the cDAI and WBTC pools), whereas other pools are less effected (e.g. USDC). In summary, while many of the Tornado Cash heuristics are simple, they are quite powerful. These findings could help Tornado Cash developers and users alike, measure and understand the degree user privacy offered.

Limitations

Heuristics are not perfect measures. In return for simplicity, there will always be false positives in practice, e.g., addresses in a cluster that should not be there, or faithful Tornado Cash transactions labeled as compromised.

For the Ethereum heuristics, picking proper hyperparameters is the challenge. In DAR, the algorithm is very sensitive to the choice of two thresholds. If the thresholds are too small, no clusters will be found; If the thresholds are too big, clusters will be low quality, containing many addresses they should not. Currently, the best practice is to tune these by hand.

Similarly in NODE (Diff2Vec), the choice of hyperparameters impacts performance. In particular, we must choose a “neighborhood” size to look when summarizing the behavior of a single node/wallet. Too small and we may lose sight of the bigger picture but too large and we may lose granularity on this wallet’s actions.

Running DAR or NODE on Ethereum is computationally expensive, requiring both a large RAM and storage. In particular, NODE is very costly and difficult to parallelize — we are unable to update it live due to its resource constraints. As of now, the NODE algorithm is trained on data up to October 2021 and will remain static.

On the other hand, the Tornado Cash heuristics are much simpler than the Ethereum ones, and more deterministic. However, given that only a small subset of Ethereum addresses are Tornado Cash users, they have limited applicability to the majority of potential Tutela users.

What Next?

This is it for Tutela! What a journey it has been! We’ve learned a lot and had the opportunity to work with amazing people. Shoutout to the LambdaClass team for their critical contributions to the development of the Tornado Cash heuristics.

Mike, Kaili and I will continue to maintain Tutela as far as the Tornado Cash Community deems appropriate. Now we’re turning our attention onto building the next thing! If you want to connect with us - feel free to hit us up on Twitter! @willmctighe @mike_h_wu @kaili_jenner

References

Ferenc Beres, Istvan A Seres, Andras A Benczur, and Mikerah Quintyne-Collins. 2021. Blockchain is watching you: Profiling and deanonymizing ethereum users. In 2021 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPS), pages 69–78. IEEE.

1.) if their Ethereum addresses can be linked; and

2.) if their Tornado Cash transactions are compromised.

Since our last update 8 weeks ago, we’ve received incredibly helpful user feedback and have added functionality like ENS searching and showing Tornado Cash interactions for all input addresses! If you have feedback, we’d love to hear about it in the Tutela Discord Channel.

Our latest tool is the Tornado Cash Anonymity Pool Auditor. It allows you to see a more accurate anonymity set of each Tornado Cash Pool than the headline numbers. Before diving into it, a quick recap on blockchain privacy, Tornado Cash and TC Pool Anonymity Sets.

Blockchain Privacy

Currently, there is very little transaction privacy for Ethereum users. On Etherscan, we can clearly see the value of transactions, their contents and the sender/receiver. For greater adoption this has to change — it is not acceptable in Web2 for others to be able to see our salaries, online purchase history or charitable donations! Similarly, businesses don’t want you to know who their suppliers are and how much they are being paid.

Tornado Cash

Tornado Cash is a mixer protocol that helps Ethereum users have some transaction privacy by breaking the connection between two addresses. It is called a mixer because you mix your funds with those of others.

Federico, Founder of LambdaClass and a collaborator on Tutela, provides an excellent summary of how Tornado Cash works here. I will provide a brief recap:

1. In all Tornado Cash Pools apart from Nova, you can deposit a fixed amount of ETH in their pools (e.g., 1 ETH, 10 ETH, 100 ETH). With that deposit, you receive a note, which you can later use to withdraw your deposit to any address.

2. Your anonymity is defined by the number of equal user deposits in a given pool. This is the Anonymity Set. In the example above, D’s withdrawal could have come from A, B or C, so the anonymity set is 3 and the probability of correctly guessing the deposit / withdrawal connection is 1/3*.

3. The more people that deposit in the pool, the greater the number of people that a withdrawal could have come from. If you add a 4th deposit above, the probability of being correctly detected decreases to 1/4.

4. However, there are lots of ways users can compromise their privacy. If you can link A’s deposit to E’s withdrawal, then the pool’s anonymity set decreases from 3 to 2. This means the probability of correctly guessing your deposit / withdrawal connection increases to 1/2 because any withdrawal could only have come from B or C’s deposits.

5. Federico’s team at Lambda School and István have codified 5 ways that Tornado Cash users can misuse the protocol to link their deposits and withdrawals and reduce the anonymity sets of Tornado Cash pools. More on them on below.

* For the nerdy details, this is simple combinatorics. The number of possible combinations in this example is 3C1 = 3. It assumes only 1 deposit and withdrawal per entity. Combinatorics is also why you should withdraw to multiple addresses — it meaningfully increases the set of possible deposit / withdrawal combinations and improves your privacy!

Five Tornado Cash Reveals

Remaining anonymous using Tornado Cash requires you to not make obvious mistakes that could reveal yourself. Here are 5 that could reduce your anonymity:

1. Address Match Reveal — Reuse of Deposit Address for Withdrawal

If a user deposits from an address and that address withdraws from the same pool, this deposit and withdrawal are assumed to be linked. There are cases when this may not be true but in general, these users are likely TORN yield farmers who do not care about privacy. We believe this heuristic is relatively deterministic.

2. Unique Gas Price Reveal

This involves using the same unique gas price for a deposit and a withdrawal to different addresses. Many wallets like Metamask have gas price recommendation systems. However, if the user manually sets the amount of gas to pay, that amount will remain the default price that the wallet will use for other transactions, irrespective of the address used. Given this heuristic maps a unique deposit to a unique withdrawal, we believe it is deterministic.

3. Linked Address Reveal — Transactions outside Tornado Cash

This heuristic looks at all the interactions between deposit and withdrawal addresses outside of Tornado Cash. If addresses have interacted more than 3 times, they are assumed to be owned by the same entity. This heuristic is probabilistic and can produce false positives, so we added the >3 interactions constraint to limit these. More interactions increases the likelihood that addresses are linked.

4. Multi-Denomination Reveal

If your deposit address mixes a specific set of denominations and your withdrawal address withdraws them all (e.g. if you mix 1x 10 ETH, 1x 1 ETH, 1x 0.1 ETH in order to get 11.1 ETH), then you could reveal yourself if no other wallet has mixed this exact denomination set. This is a probabilistic heuristic given multiple addresses have deposited and withdrawn the same combinations.

5. TORN Mining Reveal — Careless Usage of Tornado Cash Anonymity Mining

Anonymity mining was an incentive scheme to increase the anonymity set in TC Pools (number of deposits). TC rewarded participants a fixed amount of anonymity points (AP) based on how long they left their assets in a pool.

After withdrawing assets, users can claim Anonymity Points. The amount withdrawn is recorded in the transaction. If a user uses an address to claim all of their anonymity points, you can calculate the exact amount of time their assets were in the pool and then potentially link their deposit and withdrawal addresses.

Tornado Cash Anonymity Set Auditor

Overview

The Tornado Cash Anonymity Set Auditor, computes the above heuristics for each Tornado Cash pool to determine how many potentially compromised deposits there are in each pool.

Try this yourself, by simply selecting the Tornado Cash Pool you are interested in from the drop down list on Tutela’s search page.

Results

Using the 10 ETH pool as an example, you’ll see that the Tornado Cash app, shows 28,188 equal user deposits as of late December.

Searching the 10 ETH pool address in Tutela returns that 8,060 deposits are potentially compromised by the five reveals above. The discrepancy in the number of equal user deposits is because our current dataset is from October. We will be introducing live updates shortly.

Worried you’ve compromised yourself on-chain?

There are two ways to check this:

1. Ethereum addresses — input your address / ENS on Tutela and it will show ethereum addresses clustered using the ethereum deposit address reuse reveal and your Tornado Cash deposits, withdrawals and reveals — shown like the below.

2. Tornado Cash Pools — input your deposit/withdrawal address at the bottom of the Tornado Cash Pool Address results page (shown two images above) to see if it has been linked in that pool. We don’t make these compromised transactions public without searching to protect the identities of Tornado Cash Users.

Worried about your privacy? We don’t store your IP addresses (use a VPN anyway please!) or have any permanent search storage. Check for yourself, our code base is publicly available here.

What Next? Machine Learning and Tx Reveal Data

Our next article will provide details of our application of Diff2Vec, a ML algorithm, to the entire set of Ethereum transactions. This also clusters Ethereum addresses and can help everyday users to understand what the likes of Chainalysis can find out about them. Excitingly, this may be the first public application of Diff2Vec at scale!

We recently built out functionality to display Ethereum transaction data to show you when you revealed yourself and a live data feed, so will post on this next time!

Project Contributors:

- Will McTighe, a Stanford MBA, is managing this team effort.

- Mike Wu, a Stanford PhD in AI, is leading the clustering and ML analysis.

- Kaili Wang, a 4th year computer science major at Stanford, is leading front-end development.

- Dr. Nick Bax, a Stanford PhD graduate who has traced funds related to several hacks and recently published on tracing the WannaCry 2.0 malware Monero transactions. Nick leads the identification of heuristics.

- István A. Seres, an applied mathematician, leads defining heuristics and the research part of the project.

- Federico Carrone, Founder of LambdaClass, is in charge of a team of computer scientists, computer engineers and data scientists (mathematicians, physicists, engineers) who work on Zero Knowledge proof cryptography.

- Tomas De Mattey, a UNTreF Grad, project manages the Lambda team.

- Manuel Puebla, a UBA Mathematics grad, supports the Tornado Cash heuristics research.- Herman Obst Demaestri, a UBA engineer, leads Tornado Cash heuristics development.

- Mariano Nicolini, a UBA physics grad, supports Tornado Cash heuristics development.

- Pedro Fontana, a UBA Mathematics grad, supports Tornado Cash heuristics development.