Aleo, a Zero-Knowledge Blockchain, Faces Privacy Vulnerability Concerns

Source: CoinFactiva.com

A recent post alleges that Aleo mistakenly sent Know Your Customer (KYC) documents to its users, raising privacy concerns. Aleo, a blockchain platform specializing in zero-knowledge (zk) applications, inadvertently disclosed user information, prompting users to voice their concerns on social media and notify the platform about the issue.

Emir Soytürk, a developer affiliated with the Ethereum Foundation’s Devconnect workshops in Istanbul, reported through a private post on X that Aleo had sent another user’s KYC documents, including selfies and ID card photos, to his email. The incident has raised worries about how users’ information is handled, and it is an uncomfortable irony for a zero-knowledge layer-1 platform such as Aleo, whose selling point is enhanced privacy. These platforms use zero-knowledge proofs, which let a prover convince a verifier that a statement about a transaction is true without revealing the underlying data, so that transactions can be validated while their details stay confidential.

Despite Aleo’s privacy-centric design, which aims to make it difficult for external parties to trace transactions or access sensitive data on-chain, the platform is grappling with a data privacy failure of its own. The exposed material was not on-chain data but KYC documents handled off-chain, which the protocol’s zero-knowledge guarantees do not cover. The disclosure comes as Aleo prepares to launch its mainnet in the coming weeks while fixing remaining bugs. Analyst Selim C of the crypto dashboard Alphaday confirmed that the issue was not isolated, and on-chain investigator ZachXBT amplified the discussion within the crypto community on X.

To claim rewards on Aleo, users must pass KYC/AML verification and Office of Foreign Assets Control (OFAC) screening, as required by the platform’s internal policies. The verification is triggered when signing up through HackerOne, the third-party bug bounty platform on which Aleo runs its rewards program; the KYC documents themselves were collected by a third party in unencrypted form rather than being protected by Aleo’s own protocol.

Mike Sarvodaya, founder of the L1 blockchain infrastructure project Galactica, told the crypto news outlet Cointelegraph that a protocol designed like Aleo’s should, in theory, never have access to user data at all. He remarked on the irony of a protocol built around programmable privacy relying on a third party to collect unencrypted KYC data, which then leaked. Sarvodaya stressed that sensitive data, especially personally identifiable information (PII), should be stored and proven using zero-knowledge proofs or fully homomorphic encryption (FHE) so that incidents of this kind cannot occur.
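The design principle Sarvodaya describes, that the platform should never hold the documents it relies on, can be illustrated without a full zero-knowledge system. The following is an added example, not Aleo’s, HackerOne’s or Galactica’s code: a KYC vendor screens the raw documents and hands the rewards platform only a signed, PII-free attestation plus a salted hash commitment to the documents. The platform verifies the attestation and checks the flags; a misdirected email of the platform’s records could then expose only a wallet address and two booleans. It uses HMAC-SHA256 with a shared key as a stand-in for a real signature scheme, and the sample submission, the sanctions list, the wallet address format and the key are all constructed for the example. This is data minimisation with a commitment, not a zero-knowledge proof.

```python
"""Data-minimising KYC attestation (illustrative, standard library only).

Roles: the vendor sees the documents and issues an attestation; the
platform verifies the attestation and never receives PII; an auditor with
the vendor's records can open the commitment later.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample: what the KYC vendor receives. The platform never sees it.
SAMPLE_SUBMISSION = {
    "wallet": "aleo1exampleaddr",            # hypothetical address, not a real format
    "full_name": "Example Person",
    "id_document": b"<constructed bytes standing in for an ID scan>",
    "selfie": b"<constructed bytes standing in for a selfie>",
}
SANCTIONED_NAMES = {"Sanctioned Person"}    # constructed stand-in for an OFAC list

# Constructed fixed key so the example is deterministic; a deployment would use
# per-deployment secret material or an asymmetric signature instead of HMAC.
SHARED_KEY = hashlib.sha256(b"example shared key").digest()

# Field names the platform must never see in an attestation.
PII_FIELDS = {"full_name", "id_document", "selfie", "email", "date_of_birth"}


def vendor_screen(submission):
    """Vendor-side checks on the raw documents (toy logic, constructed)."""
    docs_present = bool(submission["id_document"]) and bool(submission["selfie"])
    ofac_clear = submission["full_name"] not in SANCTIONED_NAMES
    return docs_present, ofac_clear


def _canonical(fields):
    """Deterministic encoding so vendor and platform MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _doc_commitment(salt, submission):
    return hashlib.sha256(salt + submission["id_document"] + submission["selfie"]).hexdigest()


def issue_attestation(submission, key, salt=None):
    """Vendor output: PII-free flags about the wallet plus a salted commitment
    to the documents. The salt stays with the vendor, so the commitment reveals
    nothing to the platform but can be opened for an audit. Returns (attestation, salt)."""
    salt = salt or secrets.token_bytes(16)
    kyc_passed, ofac_clear = vendor_screen(submission)
    body = {
        "subject": submission["wallet"],
        "kyc_passed": kyc_passed,
        "ofac_clear": ofac_clear,
        "doc_commitment": _doc_commitment(salt, submission),
    }
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}, salt


def platform_verify(attestation, key):
    """Platform side: accept only an authentic attestation with both flags set."""
    body = {k: v for k, v in attestation.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation.get("mac", "")):
        return False
    return bool(body.get("kyc_passed")) and bool(body.get("ofac_clear"))


def leaks_pii(attestation):
    """True if the attestation carries any field the platform should never hold."""
    return bool(PII_FIELDS & set(attestation))


def audit_open(attestation, salt, submission):
    """Auditor with the vendor's salt and records recomputes the commitment."""
    return hmac.compare_digest(_doc_commitment(salt, submission), attestation["doc_commitment"])


if __name__ == "__main__":
    att, salt = issue_attestation(SAMPLE_SUBMISSION, SHARED_KEY)
    print("platform accepts:", platform_verify(att, SHARED_KEY))
    print("attestation carries PII:", leaks_pii(att))
    print("audit opens commitment:", audit_open(att, salt, SAMPLE_SUBMISSION))
```

The point of the split is that the only record the platform keeps is the attestation: tampering with the subject or flags breaks the MAC, a sanctioned applicant yields an attestation the platform rejects, and the documents remain solely with the vendor, where an audit can still tie them to the commitment.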

In response, Aleo said it has begun implementing a new set of long-term technical controls for its KYC confirmation process, aimed at better protecting user data.
