Privacy-focused Aleo users concerned after KYC documents leak
To claim a reward on Aleo, users must complete KYC/AML and pass the Office of Foreign Assets Control (OFAC) screening in accordance with Aleo’s internal policies.
Aleo, a blockchain platform focusing on zero-knowledge (zk) applications, has revealed its users’ information. Users raised concerns on the X social platform and informed the layer-1 (L-1) platform about the issue.
A user named @0xemirsoyturk claims that Aleo mistakenly sent Know Your Customer (KYC) documents to his email. These documents included selfies and ID card photos of another user, making him concerned about the security of his information.
Zero-knowledge layer-1 blockchain platforms focus on providing enhanced privacy and security for users. They employ zero-knowledge proof cryptographic techniques to enable transactions without revealing specific details, ensuring confidentiality.
This privacy-centric approach makes it challenging for external parties to trace or access sensitive information, offering users greater control over their data. These platforms aim to enhance privacy in blockchain transactions, making them more secure and confidential for participants.
Another user, @Selim_jpeg, confirmed the claim, stating that he also got the KYC documents of another user in his email.
To claim a reward on Aleo, users must complete KYC/AML and pass the Office of Foreign Assets Control (OFAC) screening in accordance with Aleo’s internal policies. Users must complete this process when signing up for HackerOne — a third-party protocol to collect users’ unencrypted KYC data.
Related: Citrea raises $2.7M in seed funding to launch Bitcoin ZK-rollup
Mike Sarvodaya, the founder of Galactica, an L1 blockchain infrastructure, speaking to Cointelegraph, said that in a protocol design like this, one should never have theoretical access to the user data. He said:
“It’s ironic that a protocol for programmable privacy uses a third party to collect users’ unencrypted KYC data after that leaks to the public. Apparently, when your zk stack is so advanced, you might just forget how to practice basic opsec.”
According to Sarvodaya, The Aleo case ironically underscores the significance of creating storage and proof systems for sensitive data, like Personally Identifiable Information (PII), using zero knowledge or Fully Homomorphic Encryption (FHE). In such systems, protocol rules ensure that no single party can reveal stored data.
The Aleo mainnet is set to launch in the next few weeks; once some final bugs have been taken care of, to bring privacy to crypto transactions, as stated by Aleo Foundation Executive Director Alex Pruden in an interview with The Block.
Responses