Tornado Cash

Tornado Cash is one way to keep your transactions private. If you need to make a transaction, you might be afraid that the person on the other end will spend double. And here is why — with open ledger transactions, there might be some people who could see all your transactions and therefore have ideas about how much money you have and what are you able to spend it on. So, even if there are no evil people in your neighborhood, just the simple fact that everyone can see everything is not so good. But we like privacy! We made a protocol based on smart contracts – this helps keep coin balance and token transfer data private within intelligence contracts stored in Ethereum blockchain.

The goal of Tornado.Cash, since it's founding in 2019, has been to enforce privacy through using smart contracts that allow token deposits from one address and withdrawals from another. Both Bitcoin and Ethereum transactions are public and visible, which puts users at risk of getting their spending habits exposed, and most people don’t like it. 

Cryptocurrency privacy solutions are well appreciated in the space by many users, and solutions like transactions' mixer, which scrambles funds and transactions of multiple users before they arrive at their destination, are very helpful. But the transaction mixer was not considered a complete solution because it could be unwrapped and still traced back to a public address. 

What is Tornado Cash?

Tornado Cash is a decentralized and noncustodial privacy protocol designed on the Ethereum blockchain by the Zcash team. It is an open source solution that allows users to send ETH or ERC-20 through their smart contracts. It ensures privacy by providing users with a new address to withdraw their asset, so it can’t be linked to the deposit address.

Since Tornado.Cash is a noncustodial protocol, users have full control of their cryptocurrencies during transactions. A private key is generated and passed to users at each deposit, enabling them access to the funds deposited, giving users complete control over their assets.

Tornado cash cannot be modified or shut down by its developers, as everything has to be voted for by users with the native Tornado cash token, TORN. The Tornado cash protocol has been owned by the community since May 2020. It was handed over by the team through a contract update known as the Trusted Setup Ceremony. 

TORN is an ERC-20 token with a fixed supply that allows holders to propose changes to the protocol. By interacting with Tornado Cash, users accrue Anonymity Points, which are deposited into a shielded account. Once they have accumulated enough Anonymity Points, they can convert them into TORN tokens in a similar protected process.

Torn was developed on Ethereum, but has also been deployed on other side-chains and blockchains. Currently, the Torn protocol supports new tokens and in some cases it rewards its users with layer 2 benefits, such as cheaper and faster transactions. 

The following platforms are currently used by Tornado Cash:

  • Ethereum Blockchain : ETH (Ethereum), USDT (Tether), DAI (Dai), cDAI (Compound Dai), USDC (USD Coin) & WBTC (Wrapped Bitcoin),
  • Binance Smart Chain: BNB (Binance Coin),
  • Polygon Network: MATIC (Polygon),
  • Optimism, as a Layer-2 for ETH (Ethereum),
  • Arbitrum One, as a Layer-2 ETH
  • Gnosis Chain (former xDAI Chain): xDAI,
  • Avalanche Mainnet: AVAX (Avalanche)

This protocol is a simple plug and re-plug to another source protocol, but there is more than meets the eye. So

How Does Tornado Cash Work?

Tornado cash protocol makes transactions unclear by implementing and mixing with zero-knowledge proof. Because it is a decentralized service that only obeys its smart contract, it is impossible to take control of the funds during the mixing process.

The Torn’s smart contracts are pools of deposited assets that are mixed together. When the funds are withdrawn from these pools by a new address, the on-chain link between the source and the destination is broken. Anonymity is therefore preserved.

The tokens are held in a Tornado Cash pool, but custody is in the hands of the users. The users are fully responsible for their tokens.

The traditional Tornado Cash fixed amount pools look like this:

A personal note is generated when a user deposits funds into a pool (also known as a deposit). The private note works as a private key for the user to access those funds later. The same user can use a different address - an old or a new one - and recover his/her funds using this private key.

For Tornado Cash Nova, the new ETH pool with shielded transfers and arbitrary amounts:

Wallet addresses are directly associated with funds - private keys or notes are not present. Users may access their funds by connecting to a pool using the correct address.

You can either gain custody by depositing tokens into the pool or by registering to the pool and receiving shielded transfers from another address.

This is how you use Tornado Cash if you are interested. After you deposit funds to Tornado Cash, it will generate a random key and allow you to deposit the ERC-20 tokens. You will need to provide proof of having a valid key at some point in the future in order to make a withdrawal.

Withdrawals can be made using either a crypto wallet like MetaMask or Relayer. Be sure to generate a new address if you intend to use a wallet, in order to safeguard your privacy. You may also use Relayer, which avoids publicizing your transactions on the blockchain; once you generate a new Ethereum address, Relayer will deposit your funds, and charge you a fee in ETH.

When you have decided how you wish to withdraw your funds, enter your deposit's secret and click on the "Settings" menu. Here, you can choose your wallet option and save it. You will then be asked to enter your address and click "Withdrawal."

What Makes Tornado Cash Unique?

In a nutshell, Tornado Cash improves financial privacy by disclosing transactions' source and destination addresses on the blockchain. ETH deposits can be made to Tornado Cash using smart contracts, and withdrawals can then be made to a variety of addresses. Also, to prevent a threat to privacy, the Relayer can be used to withdraw to an address that does not have an ETH balance. One of the reasons Torn protocol stands out is thanks to zk-SNARK and the hashing process

By implementing Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (also called zk-SNARK), Tornado cash was able to verify and allow transactions, 

When Tornado.Cash processes a deposit, it generates a random area of bytes, computes it through the Pederson Hash (since it is compatible with zk-SNARK), and sends the token & the 20 mimc hash to the smart contract. The contract will then be inserted into the Merkle tree.

During a withdrawal, the same area of bytes is split into two parts: the secret on one side and the nullifier on the other. This nullifier is then hashed. The nullifier is a public input sent on-chain to verify the contract & Merkle tree data. This help prevents double spending.

By using zk-SNARK, it is possible to prove the 20 mimc hash of the initial commitment and of the nullifier without revealing any information. Even if the nullifier is public, privacy is maintained since the hashed nullifier can't be linked to the original commitment. In addition, even if the Merkle root contains the information that the transaction is present, the Merkle path, and thus the exact location of the transaction, is still kept private.

With Tornado Cash, zk-SNARK (zero-knowledge succinct non-interactive argument of knowledge) proofs are used to keep transactions anonymous. 

There are two parties involved in the zero-knowledge proof protocol.

  • Prover - one who seeks to prove a hypothesis.
  • The Verifier - assesses the credibility of the prover's claims.

Technologically, deposits are straightforward, but gas-intensive, since they need to compute the 20 mimc hash and update the Merkle tree. In contrast, the withdrawal process is complex, but cheaper since only the nullifier hash and the zero-knowledge proof require gas.

TORN Token

Tornado.Cash is governed by the TORN token, which is an ERC20-compatible token with a fixed supply. Token holders can propose changes and vote on them.

TORN is neither a fundraising tool nor an investment opportunity. No transfers will be permitted until the community determines that enabling transfers as part of a governance vote, not earlier than 45 days following deployment, would comply with all applicable laws.

The following is how TORN would be distributed in the beginning:

  • 5% (500,000 TORN): To early Tornado.Cash ETH pool users
  • 10% (1,000,000 TORN): Anonymous Tornado.Cash ETH mining, distributed linearly among 1 year
  • 55% (5,500,000 TORN): The DAO Treasury will be unlocked linearly over 5 years, with a cliff of 3 months
  • 30% (3,000,000 TORN): This will be unlocked linearly over 3 years with a 1 year cliff for early developers and early supporters


The circulating supply throughout 60 months:

Anonymity Mining

Tornado.Cash was built on the principle that privacy is a human right, and that the more people adopt privacy measures, the more secure the web becomes for all of us (in the same way HTTPS has made your web browser more secure). In the future, users who contribute to the anonymity set of Tornado.Cash will receive TORN as well.

Traditionally, the distribution of tokens is accomplished through DeFi liquidity mining. Nevertheless, any naive liquidity mining scheme would require users to divulge how much time their deposits spent in a Tornado.Cash pool. In this case, Tornado.Cash's core value is violated: the preservation of privacy.

In order to make anonymity mining practical, that is the driving impetus behind its invention. Anonymity Mining enables users to receive TORN through a two-stage shielded liquidity mining system, preserving their privacy to the fullest extent.

Upon transferring funds to Tornado.Cash, a user is awarded Anonymity Points (AP) that accrue into a shielded account - which protects your wallet address, your balance, and does not reveal any information about your deposits. Our Tornado.Cash AMM allows users to convert their accumulated AP into public TORN tokens at any time via the Tornado.Cash shielded account.

A little complexity is involved in this system. Yet it makes sure that user privacy is always protected during the process of claiming TORN tokens.

Anonymity Mining is only available for notes deposited after the deployment ceremony - earlier notes are distributed via a TORN airdrop.

The following is a step-by-step description of how it works:

The process of claiming your AP

In order to claim Anonymity Points (AP), users need to spend Tornado.Cash notes already. When notes are spent, there is a delay before they can be claimed for AP.

When a user claims AP, their browser generates a special zero knowledge proof, which calculates the amount of AP owed (based on how many blocks their note was in an ETH Tornado.Cash pool) and adds it to their shielded balance. 

Others will only see in the Tornado.Cash blockchain that someone claimed a certain amount of AP for some note for some Tornado.Cash pool. Additionally, the user can claim AP via a relayer to enhance privacy

The following is a table of AP per block for different Tornado.Cash note sizes:

Shielded Accounts

Due to the fact that AP is completely private, if you want to store your shielded AP balance, you have to create a secret key. In Metamask, the eth_getEncryptionPublicKey function uses a random key generation method and then encrypts the key with your Ethereum public key, which is then stored on the Ethereum blockchain. Consequently, if it is lost, its recovery can be performed using the person's Ethereum keys.

In order to submit claim and withdrawal data securely, this secret key is used to encrypt and protect the user's identity.

TORN conversion from AP

The automated market maker (AMM) on Tornado.Cash converts mined AP into publicly visible TORN.

TORN tokens are consistently dripped into the AMM (1M TORN tokens over one year). All APs that are claimed at any given time can bid on the TORN that has accumulated in the AMM up until that point.

As a result, the timing for converting AP into TORN is somewhat strategic -- if too many people withdraw simultaneously, the conversion ratio will contract; if few people withdraw, the conversion ratio will improve. In the first 45 days, TORN is not transferable.

Those are the steps involved in claiming TORN. Unfortunately, the process is quite complex.

This is how the AMM formula looks:


  • T — Allocation of the TORN mining program
  • Tvirt — The virtual TORN balance
  • Twithdrawn — Total amount of TORN already withdrawn by users
  • TORN — The amount of TORN that will be received by the user
  • AP — Exchange anonymity points
  • W — Constant for AMM exchange weight


Tornado Cash pools are governed by the following rules 

How to suggest a proposal ?

Tornado cash users must lock tokens in the governance contract before they can participate in governance. When a user votes or creates a proposal, the tokens cannot be unlocked before the proposal execution period ends (8.25 days from proposal creation). You can also delegate the locked tokens to another address.

An individual must have 1,000 TORN in order to create a proposal. A governance contract must execute smart contracts (using delegatecall) with verified code. Any changes to a governance contract can then be audited and tested.

A proposal is subject to a five-day voting period. In order for a proposal to succeed, it must receive a simple majority of votes and have at least 25,000 TORNs.

Proposals that succeed are subject to a 2-day timelock after they are approved. When the timelock expires, any user has the ability to initiate the change by executing the proposal. A proposal that is not executed within 3 days after submission is considered expired and cannot be executed.

Considering there are not many TORN tokens in circulation early on, all of these parameters are relatively small. The governance is likely to adjust these thresholds as TORN's circulation increases.

Proposals can be categorized as follows:

  • In the proxy, create a new Tornado Cash pool
  • The AP reward rate parameters can be changed
  • Take action to unpause/pause the TORN token
  • A change may be needed in some core mining contracts, such as the Tornado Tree contract
  • In a combination of all of the above

And many more can be done. To find out exactly what can be changed through governance in the protocol, look for the functions with the modifier “onlyGovernance” in the smart contracts.


TORN tokens have been used as tokens of governance by Tornado Cash users since their inception. It provides the ability to suggest proposals and vote both in-chain (through locked Tokens for governance proposals) and off-chain (on Snapshot). 

In the wake of Tornado Cash's tenth governance proposal, TORN tokens have gained one more useful function. Currently, all holders of TORN locked in the governance contract will receive a staking reward due to the introduction of the decentralized relayer register.

Owners of TORN tokens are still able to lock them into the governance contract as they used to do. There is one significant difference: relayers now receive a portion of the fees collected by the protocol. Evidently, the proportion of the reward will be the same as the proportion of their locked TORN.

Where do these collected fees come from?

The decentralized relayer registry enabled the collection of these fees. A relayer must stake a certain amount of TORNs (currently 300 TORNs by governance) to be listed on the protocol UI.

In short, for each withdrawal via the relayer method, the chosen relayer must pay a fee from the staked balance (which should still stay above the 300 TORN threshold). The governance has fixed this fee at 0.3%, but it can be changed at any time by a proposal & vote on-chain.

How to stake TORN token ?

Steps to start staking Torn 

  • First, go here and click on the Manage tab then select Lock
  • Next, click on “Approve” to allow transfer of your token to the smart contract. 
  • Select the amount to lock and click on the Lock button
  • Finally, wait for the transaction to complete

How to Claim Your Staking Reward ?

You can redeem your stake reward now that your TORN tokens have stayed safe and warm inside the governance contract. The process is as follows.

Community Involvement

It is no news that the community controls significant elements of Decentralized Autonomous Organizations (DAOs), such as protocol parameters and token distribution. It shapes and continuously improves the protocol through this governance mechanism.

Nevertheless, a community's role goes beyond suggesting solutions & voicing its opinions. By actively participating in constructive debates, mutual help, and specific actions, the community can also help the protocol succeed.

You can get the minimum Tron and join the communities