Zero-Knowledge Blockchain Aleo in Hot Waters over KYC Document Data Leak

February 26, 2024

Aleo, the decentralized blockchain platform, inadvertently disclosed the personal information of some users, according to posts on X. The platform, which focuses on zero-knowledge cryptography, employs a third-party protocol for Know Your Customer (KYC) verification. Users raised concerns about data privacy and promptly alerted the Layer-1 (L1) platform about the matter.

Emir Soytürk, a contributor to the Ethereum Foundation’s Devconnect workshops in Istanbul, claimed that Aleo mistakenly forwarded KYC documents to his email. The documents included selfies and ID card images of another user, making him concerned about the protection of his personal information.

Selim C, another user, verified the assertion by stating that he also received KYC documents in an email, intended for another user.

Layer-1 blockchain platforms with zero-knowledge (ZK) features focus on enhancing user privacy and security. Through cryptographic techniques such as ZK proofs, they enable transactions while preserving confidentiality.

In an interview with crypto news platform Cointelegraph, Mike Sarvodaya, the founder of L1 blockchain infrastructure Galactica, stressed that protocols like Aleo should ideally never possess access to user data.

He further stated,

“It’s ironic that a protocol for programmable privacy uses a third party to collect users’ unencrypted KYC data after that leaks to the public. Apparently, when your ZK stack is so advanced, you might just forget how to practice basic opsec.”

Aleo’s data breach highlights the importance of employing zero-knowledge or fully homomorphic encryption in securing sensitive data storage and proof systems, particularly for personally identifiable information (PII). In such platforms, protocol guidelines ensure that no individual party can reveal stored information.

In January, Alex Pruden, executive director at Aleo Foundation, revealed in an interview that Aleo mainnet is anticipated to roll out in the next few weeks, following the resolution of final bugs. Aleo aims to enhance privacy in cryptocurrency transactions with this set of technical controls for KYC validation. However, the breach has sparked questions about the platform’s dedication to privacy and the adequacy of its security measures.
