According to news from X, the decentralized blockchain platform Aleo exposed some users’ information on February 25th. The platform focuses on zero-knowledge (zk) cryptography and uses a third-party protocol for Know Your Customer (KYC) procedures. A user with the handle “0xemirsoyturk” on X stated that Aleo accidentally sent KYC documents to their email, which included another person’s identity card photos, causing concern for their own information security.
What’s Happening at Aleo?
Another user, “Selim_jpeg,” confirmed the claim by stating that they also received someone else’s KYC documents in their email. To claim a reward on Aleo, users must complete the KYC process and pass the Office of Foreign Assets Control (OFAC) screening in accordance with Aleo’s internal policies. Users must complete this process while registering with HackerOne, a third-party protocol that collects unencrypted KYC data from users.
Layer-1 blockchain platforms based on zero-knowledge technology focus on providing enhanced privacy and security for users. They use cryptographic techniques called zero-knowledge proofs to enable transactions without revealing specific details, thus maintaining privacy.
This privacy-centric approach offers users more control over their data by making it difficult for external parties to track or access sensitive information. These platforms aim to increase privacy in blockchain transactions and make them more secure and confidential for participants.
Noteworthy Comments from the Management
Mike Sarvodaya, the founder of the Layer-1 blockchain infrastructure Galactica, commented on the incident, explaining that, in theory, such a protocol should never allow access to user data:
“It’s ironic for a protocol designed for programmable privacy to use a third party to collect users’ unencrypted KYC data after a leak. It seems that when your zk stack is very advanced, you might forget how to implement basic operational security (opsec).”
According to Sarvodaya, the Aleo incident ironically underscores the importance of building storage and proof systems for sensitive data, such as Personally Identifiable Information (PII), on zero-knowledge solutions or fully homomorphic encryption (FHE). Such systems should guarantee, by the rules of the protocol itself, that no party can reveal the stored data.
As Aleo Foundation Executive Director Alex Pruden stated in an interview, the Aleo mainnet will launch in the coming weeks, once some final bugs are fixed, to bring privacy to crypto transactions.