Decentralised blockchain platform Aleo reportedly exposed certain users’ information on 25th February, according to reports on X (previously Twitter).
The platform, centred on zero-knowledge (zk) cryptography, utilises a third-party protocol for Know Your Customer (KYC) purposes.
A pseudonymous user, @0xemirsoyturk, disclosed that Aleo erroneously forwarded KYC documents to his email.
These documents contained selfies and ID card photos of another individual, prompting concerns about the safeguarding of his own details.
Another user, @Selim_jpeg, corroborated the assertion, revealing that he also received KYC documents of a different person in his email.
To be eligible for a reward on Aleo, users must fulfil KYC/AML requirements and clear the Office of Foreign Assets Control (OFAC) screening, as stipulated by Aleo’s internal regulations.
This process is mandatory upon registration with HackerOne – a third-party protocol for gathering users’ unencrypted KYC data.
Zero-knowledge layer-1 blockchain platforms concentrate on furnishing heightened privacy and security for users.
They employ zero-knowledge proof cryptographic techniques to enable transactions without disclosing specific details, thereby ensuring confidentiality.
This privacy-oriented strategy renders it arduous for external entities to track or access sensitive information, furnishing users with greater control over their data.
These platforms strive to enhance privacy in blockchain transactions, rendering them more secure and confidential for participants.
Mike Sarvodaya, the founder of Galactica, a layer-1 blockchain infrastructure, highlighted that theoretically, such a protocol should never allow access to user data. He remarked:
“It’s ironic that a protocol for programmable privacy uses a third party to collect users’ unencrypted KYC data after that leaks to the public.
Apparently, when your zk stack is so advanced, you might just forget how to practice basic opsec.”
According to Sarvodaya, the Aleo incident ironically underscores the importance of developing storage and proof systems for sensitive data, such as Personally Identifiable Information (PII), based on zero knowledge or fully homomorphic encryption (FHE). In such systems, protocol rules must ensure that no single party can disclose stored data.
Aleo Foundation executive director Alex Pruden mentioned in an interview with The Block that the Aleo mainnet is slated for launch in the coming weeks, once final bugs are addressed, aiming to introduce privacy to crypto transactions.