Users of the privacy-focused Aleo blockchain expressed concern after their KYC documents leaked.
To receive a reward on Aleo, users had to complete Know Your Customer (KYC) and Anti-Money Laundering (AML) checks, as well as undergo screening by the Office of Foreign Assets Control (OFAC), all by Aleo’s internal policies.
The decentralized blockchain platform Aleo has reportedly exposed some users’ information on X on Feb. 25. The platform used zero-knowledge (ZK) cryptography and a third-party protocol for Know Your Customer (KYC).
One Aleo user, Emir Soytürk, reported that the platform sent him another user’s KYC documents, including photos of their ID card and selfies. This left Soytürk worried about the security of his information.
Another user, Selim C, corroborated Soytürk’s claim, stating they also received someone else’s KYC documents via email.
To claim a reward on Aleo, users had to complete KYC and Anti-Money Laundering checks and pass OFAC screening, all according to the platform’s internal policies.
Also, HackerOne, a third-party protocol that collected unencrypted KYC data, to process user information.
ZK layer-1 blockchain platforms aimed to provide users with improved privacy and security. They used cryptographic techniques to enable transactions without revealing specific details, ensuring the confidentiality of user information.
The privacy-focused approach employed by ZK platforms made it harder for third parties to trace and access users’ private information, allowing users to retain more control over their data.
According to Mike Sarvodaya, founder of Galactica, a layer-1 blockchain infrastructure, such protocols should never allow for access to user data in theory when asked by Cointelegraph.
He said:
“It’s ironic that a protocol for programmable privacy uses a third party to collect users’ unencrypted KYC data after that leaks to the public. When your ZK stack is so advanced, you might just forget how to practice basic opsec.”
Sarvodaya believed that the Aleo case highlighted the importance of developing storage and proof systems for private data, such as PII, based on ZK or fully homomorphic encryption (FHE) systems.
The founder explained that in such systems, the protocol rules had to guarantee that a single party could not reveal stored information.
In an interview with The Block, Alex Pruden, the executive director of the Aleo Foundation, stated that the Aleo mainnet would launch in the coming weeks, once the team had fixed a few final bugs. The goal of the mainnet launch was to bring privacy to crypto transactions.
Read also: Ethereum Foundation alongside zkSync allocates $900K for ZK Layer 2 development
