Zero-knowledge chain Aleo faces privacy leak issues
A private post claims that Aleo mistakenly sent Know Your Customer (KYC) documents to their users.
Share this article
Aleo, a blockchain platform focusing on zero-knowledge (zk) applications, has revealed its users’ information. Users raised concerns on social media and informed the layer-1 (L1) platform about the issue.
Emir Soytürk, a developer involved with the Ethereum Foundation’s Devconnect workshops in Istanbul, claimed through a private post on X that Aleo mistakenly sent Know Your Customer (KYC) documents to his email. These documents included selfies and ID card photos of another user, making him concerned about the security of his information.
The situation thus opens a unique irony: zero-knowledge layer-1 blockchain platforms such as Aleo focus on providing enhanced privacy and security for users. They employ zero-knowledge proof cryptographic techniques to enable transactions without revealing specific details, ensuring confidentiality.
Aleo’s privacy-centric approach makes it challenging for external parties to trace or access sensitive information, offering users greater control over their data. These platforms aim to enhance privacy in blockchain transactions, making them more secure and confidential for participants.
Now, it appears that the privacy-focused chain is facing a data privacy issue of its own. This development comes in as the Aleo blockchain’s mainnet is set for launch in the next few weeks as it works to have “some final bugs […] squashed,” according to Aleo Foundation Executive Director Alex Pruden, who spoke in a January interview detailing the project.
Selim C, an analyst from crypto dashboard Alphaday, confirmed that the issue was not isolated, saying it also happens to them. On-chain sleuth ZachXBT noticed the thread and reached out to the crypto community on X by amplifying the discussion.
To claim a reward on Aleo, users must complete KYC/AML and pass the Office of Foreign Assets Control (OFAC) screening by Aleo’s internal policies. Users must complete this process when signing up for HackerOne, a third-party protocol for collecting unencrypted KYC data.
Mike Sarvodaya, the founder of L1 blockchain infrastructure Galactica, stated in an interview with crypto news platform Cointelegraph that such a protocol design like Aleo’s should never have access to the user data (theoretically).
“It’s ironic that a protocol for programmable privacy uses a third party to collect users’ unencrypted KYC data after that leaks to the public. Apparently, when your zk stack is so advanced, you might just forget how to practice basic opsec,” Sarvodaya said.
Aleo’s privacy leak case highlights the importance of zero-knowledge or fully homomorphic encryption for sensitive data storage and proof systems, particularly for personally identifiable information (PII). In such systems, protocol rules ensure no single party can reveal stored data.
Update
A representative from Aleo has reached out to CryptoBriefing and requested that Aleo’s statement on the matter be included. According to Aleo, they have begun implementation for a new set of long-term technical controls for their KYC confirmation practices.
Aleo’s full statement apologizing for the errors with their metadata handling can be read here.
This weekend, Know Your Customer (KYC) information about 10 participants from our recent Aleo Learn & Earn events was mistakenly exposed to other Aleo community members through a copy/paste error in email metadata.
We appreciate everyone’s patience as our team worked to remove…
— Aleo (@AleoHQ) February 26, 2024
Share this article