A New Route To Privacy: Introducing Aggregator v2
Over the past two years, the Houdini Swap team has been hellbent on achieving “functional privacy” within web3. Our core privacy-enabling system is built on the principles of being functional, affordable, and convenient for as many people as possible. That same privacy-enabling technology has largely remained unchanged since its inception, until now.
Historically, we relied on privacy coins like Monero to achieve privacy, as previously described. It worked well in the early stages, but as we scaled, challenges emerged. We noticed slower speeds due to Monero network congestion, higher fees due to Monero’s volatility, and general FUD around Monero as a utility token.
It became clear that to maintain our rapid scaling, we must adopt an improved system to enable more reliable, fast, and affordable transactions for our users.
We are now proud to introduce Aggregator v2 to greatly improve our legacy privacy-enabling architecture.
The innovation we’ve introduced is that Aggregator v2 uses randomized Layer 1s as agnostic privacy routes instead of exclusively using XMR. These Layer 1s are randomized among nearly a dozen Layer 1 chains with deep liquidity, such as TRX, LTC, SOL, DOT, and many more. Both v1 and v2 still utilize the same “dual-exchange system”, which means that transactions process through two distinct and unrelated exchange partners (read more here). The result is reliable, fast, and lower-cost transactions for users without compromising privacy.
For example, under the old system, a transaction from ETH to USDT would be routed as ETH-XMR-USDT.
Under Aggregator v2, the transaction might be routed as ETH-TRX-USDT, or ETH-DOT-USDT, etc.
All other components of our privacy system — and most importantly, the privacy of our users’ transactions — remain unchanged.
Despite the tremendous improvement from v1 to v2, we also appreciate that XMR plays a special role in the hearts and minds of some of our users. So, in the same way that Uniswap released their v3 router but kept v2 functionality, we have created an XMR toggle to allow users to utilize the legacy v1 XMR-only router. The toggle can be found on the top right of the swap page, beside the refresh icon. Users can toggle between v1/v2, ensuring they can transact in a way that aligns with their preferences.
From a privacy standpoint, neither v1 nor v2 is “more private” than the other.
FAQ
Q: What pushed the use of alt Layer 1 rather than other privacy coins besides XMR?
A: Unfortunately, there are no viable alternatives to Monero. We looked at nearly two dozen privacy tokens such as AZTEC, Mina, SCRT, Oasis, etc. The problem is that these coins have public ledgers with optional wrapped privacy coins. SCRT, for example, is a public network. sSCRT is private, not listed on any exchanges, and the bridge in and out of sSCRT is one address, making it very traceable.
Q: What about ZK-based tech?
A: The problems with ZK-based tech are similar to alt privacy coins; they are only private within the confines of their respective ecosystems. Railgun, for example, only offers transactional privacy once you’ve bridged/wrapped into their Railgun ecosystem.
Q: What about permissionless DeFi options?
A: We don’t believe that permissionless DeFi systems are viable privacy solutions for the long term. We’ve seen what happened with Tornado and recently Samourai. There need to be permissioned systems in place to secure the environment from bad actors. We believe that privacy is necessary for any financial system, although privacy must exist within the confines of the law.
Q: How much did the XMR delisting from Binance affect your decision?
A: XMR was experiencing all sorts of issues leading to the delisting. Latency and predictability issues were rampant. The delisting expedited the launch of v2, although it’s been in the works for over a year.
Q: How can you reassure me that v2 is still private?
A: We publicly released v2 in April and challenged the community to try and trace a transaction in return for a $50,000 bounty. Nobody was able to trace the transaction, and thus the new system was rolled out.
Q: For people that want even more privacy, maybe you could offer more “hops” for peace of mind?
A: We want to enable privacy for 95% of people. It’s the Pareto Principle, 80/20. For the people that want 99.9%, we don’t want to spend 80% of our time building privacy enhancements for them.
Q: If both blockchains are public and you figure out which chains were used, can’t you time in and out transactions with similar values?
A: Theoretically, but that’s no different than with XMR as the “tunnel”. Since the L1 is randomized and not disclosed, there is an impossible challenge of figuring out which L1 to trace in the first place. Let’s say you figured out which L1 was used somehow. You would need to find the actual transaction that matches an IN transaction. You would then need to find the similar transaction on another chain again for the OUT transaction. It’s virtually impossible and there remains no on-chain connection.
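The timing-and-value matching discussed in this answer can be expressed as an anonymity-set count: how many public transfers look the same as the real intermediate hop. The following is an added example, not Houdini Swap's code; the `Transfer` record, the function names, the window and tolerance values, and every sample transfer are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    chain: str
    ts: int      # seconds since an arbitrary epoch
    usd: float   # value at the time of the transfer

# Constructed sample: transfers visible on several public Layer 1s.
OBSERVED = [
    Transfer("TRX", 1000, 4980.0),
    Transfer("TRX", 1120, 5010.0),
    Transfer("LTC", 1090, 4995.0),
    Transfer("SOL", 1300, 5002.0),
    Transfer("SOL", 1310, 7500.0),
    Transfer("DOT", 2500, 5000.0),
    Transfer("DOT", 1150, 120.0),
]

# Constructed deposit (the IN transaction on the source chain).
DEPOSIT = Transfer("ETH", 1000, 5000.0)

def candidates(deposit, observed, window_s, tolerance, chains=None):
    """Transfers a timing/value heuristic cannot tell apart from the true hop.

    chains=None models an observer who does not know which L1 was used.
    """
    matches = []
    for t in observed:
        if chains is not None and t.chain not in chains:
            continue
        in_window = 0 <= t.ts - deposit.ts <= window_s
        close_value = abs(t.usd - deposit.usd) <= tolerance * deposit.usd
        if in_window and close_value:
            matches.append(t)
    return matches

def anonymity_set_size(deposit, observed, window_s, tolerance, chains=None):
    """Number of indistinguishable candidates; larger means harder to link."""
    return len(candidates(deposit, observed, window_s, tolerance, chains))

if __name__ == "__main__":
    for known in (None, {"TRX"}, {"DOT"}):
        size = anonymity_set_size(DEPOSIT, OBSERVED, 600, 0.01, known)
        print("chain known:", known, "-> candidates:", size)
```

On real chains the count depends on how much similar-valued traffic falls inside the window, which this constructed sample does not model.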
Q: Since v2 uses public Layer 1s, doesn’t Exchange 2 know it’s coming from Exchange 1 and vice versa? With XMR-only (v1), Exchange 2 didn’t know it was coming from Exchange 1, so isn’t v2 worse from a privacy standpoint?
A: Not quite. A global requirement for any exchange partner is that they utilize single-use deposit addresses for receiving deposits. In v2, Exchange 1 only sees that it is sending funds to a fresh wallet (unknown owner), and Exchange 2 only sees that they are receiving funds into their hot wallet from a single-use deposit address. It is not obvious to either exchange that the sender or the recipient is another exchange. The only scenario where two exchanges may connect the dots is if there is an external inquiry/subpoena (e.g. a law enforcement investigation). This is a design feature, not a bug. Aside from that scenario, Exchange 1 has no idea it’s coming from Exchange 2 and vice versa.
Q: Why use two exchanges? Doesn’t this add complexity to the process? If the exchange is what breaks the link, isn’t the fully private option just one hop more than the semi-private?
A: The need for two exchanges arises because the semi-private design doesn’t effectively conceal transactions involving the same token. For example, if Ethereum enters an exchange and exits as Ethereum right away, the transaction becomes easily traceable. While semi-private transactions can still offer some level of privacy, it’s not sufficient. Most transactions occur within the same blockchain, making it easy to trace if it involves the same exchange for both input and output. For instance, exchanging Ethereum for USDT would involve the same wallet for both transactions. Although swaps between different chains could be harder to trace, not all users engage in these types of transactions.