Keep up with the digital identity landscape.
The United States Treasury Department has sanctioned the ETH-based privacy service Tornado.Cash, prohibiting U.S. persons and entities from interacting or transacting with the privacy tool.
The externalities from these sanctions have already rocked web3, forcing large institutions – like USDC provider Circle and GitHub – to delete or freeze any assets associated with sanctioned members and putting everyone who has interacted with Tornado in legal jeopardy.
This sanction not only challenges the strength of our decentralized systems and raises questions about a developer’s liability for open source code; it also opens the argument over whether the government can sanction a smart contract – which is an independent piece of code – as it would an individual or entity.
This sanction is a watershed moment for web3 and open source technology at large. It calls into question our Freedom of Speech and Right to Privacy in the digital age. The legal battles, and subsequent precedents that are set, will be monumental for the future of decentralized technology.
On August 9th, 2022, the United States Treasury Department sanctioned the ETH-based transaction privacy service Tornado.Cash, and added Tornado Cash’s URL and smart contract addresses to OFAC’s Specially Designated Nationals (SDN) List, blacklisting the entire tool.
Tornado is a smart contract based currency mixer that allows anyone to deposit ETH and anonymously withdraw it from another address, allowing for complete financial privacy. For example, you can deposit 10 ETH from address A, and withdraw that ETH with address B, C, or D without anyone knowing the 10 ETH came from address A. We go deeper into how this works later.
The Treasury Department justified its decision by arguing that Tornado was used for money laundering, including the recent $625 million March hack of Axie Infinity’s Ronin Network, which was carried out by hackers with known ties to the DPRK. “Since its creation back in 2019, Tornado Cash has reportedly laundered more than $7 billion worth of virtual currency,” said a Treasury representative. In that same time, nearly 3.8mm ETH was deposited, and developers from around the world contributed to improving Tornado’s code.
In simple terms, the sanction mandates that no individual or organization can transact on Tornado, or do business with any addresses that have used Tornado to receive or deposit funds – no matter the size. However, there is a huge difference between this OFAC sanction and others made in the past.
While OFAC sanctions are meant to target an individual or organization, this sanction names a set of smart contracts directly. Tornado is powered by these smart contracts, which have no single owner, individual custodian, or organizational management. These are independent pieces of code that run on the Ethereum blockchain, many of which are immutable.
The very nature of blockchains allows for this type of decentralization. The authors and contributors of the Tornado smart contract could disappear tomorrow, and the code would still be running, hosted on the Ethereum Virtual Machine.
In 2019, the first sanctions were levied against two Bitcoin addresses whose owners were suspected of funding Iran, a sanctioned nation. Their names and emails were provided alongside the addresses, which made sense, as there was a ban on all means of transacting with these individuals.
In May of 2022, OFAC sanctioned Blender.IO, another virtual currency mixer. However, Blender was an incorporated entity that took custody of users’ funds, and thus had individuals who could control the service. This was still a sanction delivered to individuals.
This Tornado sanction is different, as it directly targets immutable, non-custodial smart contracts controlled by no one. (Most of the smart contracts had their operator power revoked, meaning that no one can control user funds.) Aside from Tornado’s URLs and some 45 smart contract addresses, no guidance was given on whether or not the authors behind those smart contracts, contributors to the open source code, or other involved parties were also sanctioned.
Thus, this sanction could be interpreted as a ban on a piece of technology, not a person or organization. To draw an extreme comparison, it would be “Like the U.S. Government said ‘well, we know the North Korean terrorists use Linux, so Americans shouldn’t use Linux,’” said Peter Van Valkenburgh of Coin Center, an independent nonprofit that defends the rights of those using independent blockchain networks. “This is the beginning of a very real attempt to ban open sourced software.”
Since OFAC has only ever been able to sanction individuals or entities, regulators have entered uncharted territory.
This sanction and how it has since been enforced has opened new questions around free speech and our right to privacy:
While the direct implications of United States OFAC sanctions are massive, the externalities can have a major impact on individuals with no involvement in illegal activity.
To understand these ramifications, we must first dive into how Tornado Cash actually works.
Tornado Cash is an Ethereum-based, fully decentralized, non-custodial protocol allowing private transactions in the crypto space. To achieve this privacy, Tornado breaks the on-chain link between the sender’s address and the receiving Ethereum address.
Tornado is powered by pools of funds that mix users’ assets together, and Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK) hashing to hide the information of deposits and withdrawals.
Put simply, you can deposit your funds (ETH or other tokens) into a large pool, and assign any other address the permission to claim those funds. Users interact with Tornado’s smart contracts using a website hosted by a centralized service, but anyone is free to interact directly with the contract which is hosted on the blockchain.
Suppose “Sarah.eth” wants to send 100 ETH to a new wallet, but doesn’t want anyone else to know that the new wallet is actually her. She would deposit 100 ETH into the Tornado pool using her main wallet, and then designate her new address to claim that 100 ETH at another time. She’d then come to Tornado, and withdraw her 100 ETH without any links back to her. This happens thousands of times, with Tornado Pools holding hundreds of millions in assets.
All of this is done through smart contracts hosted on Ethereum. Therefore, according to the Tornado Documentation, “nobody – including the original developers – can modify or shut [Tornado Smart Contracts] down.” It’s also important to note that users can send funds to any address through Tornado, even if the receiving address doesn’t want to accept those funds.
This has led to many users sending ETH from Tornado to doxxed wallets, like those owned by Shaq, Coinbase’s Brian Armstrong, and Jimmy Fallon, technically implicating them in the sanctions.
While it is impossible to know why every user would interact with Tornado, privacy is a core tenet of web3 – and of life in the United States. It could be that someone gets paid in ETH and doesn’t want their employer to know their financial transactions, or a user could want to make a donation to a political cause without the knowledge of their peers.
However, justifying privacy erodes the larger point that privacy is an inherent human right. Wanting to remain anonymous should not be synonymous with hiding criminal activity. While it has its downsides, privacy has allowed people to spread democracy, justice, and truth despite authoritarian censorship. It has allowed for permissionless innovation across sectors. It will continue to benefit society if it is baked into the systems we design.
The Treasury Department demands complete compliance with OFAC sanctions no matter the circumstance, and has been quick to levy criminal charges against those who refuse. Although the sanctions were applied to a piece of software that cannot be deleted, the externalities have sent shockwaves to developers, domain hosts, and even the bank that issues USDC, Circle.
Immediately after sanctions were announced, Tornado.Cash’s publicly hosted website was taken down. Even copies of the website hosted on Eth Limo, a “decentralized” (not really) hosting service, were removed, returning an error 405 “Removed for Legal Reasons”.
The sanctions also required that every large financial institution with exposure to Tornado take measures to immediately freeze blacklisted assets. Circle, the bank that controls USDC, froze over 75,000 USDC in Tornado pools, by blacklisting the sanctioned addresses. This means whoever deposited the USDC can no longer withdraw their funds.
“Blacklist” is a function built into the USDC smart contract, allowing Circle to freeze the USDC that is held by any wallet. Not only has this led to fears that Circle would freeze all USDC that had previously been in Tornado, but it has opened up conversations about how truly decentralized a stablecoin is if it can be frozen in a user’s account by an outside entity.
However, not all entities that are forced to comply can do so as easily as Circle. Take BitGo, which is based in South Carolina and New York and issues Wrapped BTC (WBTC).
WBTC is essentially a claim receipt for one BTC that is custodied by BitGo. There is no freeze functionality in the WBTC contract, so all BitGo can do is deny the sanctioned addresses the ability to claim their WBTC for BTC. Unfortunately, they cannot stop this WBTC from being traded or leveraged in DeFi and spread to different addresses from the original sanctioned address. This potentially puts them at risk of a criminal OFAC violation, and taints WBTC lending markets across web3.
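The difference between the two enforcement models described above (a blacklist checked inside the token's own transfer logic, versus a custodian that can only refuse redemption) can be seen in a simplified Python ledger model. This is an added illustration, not the USDC or WBTC contract code; the class names, method names and addresses are hypothetical.

```python
class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class FreezableToken(Token):
    """Issuer-controlled blacklist, checked on every transfer."""
    def __init__(self, issuer, balances):
        super().__init__(balances)
        self.issuer, self.blacklisted = issuer, set()
    def blacklist(self, caller, address):
        if caller != self.issuer:
            raise PermissionError("only the issuer can blacklist")
        self.blacklisted.add(address)
    def transfer(self, sender, to, amount):
        if sender in self.blacklisted or to in self.blacklisted:
            raise PermissionError("address is blacklisted")
        super().transfer(sender, to, amount)

class ReceiptToken(Token):
    """No freeze in the token; the custodian can only refuse redemption."""
    def __init__(self, balances, deny_redeem=()):
        super().__init__(balances)
        self.deny_redeem = set(deny_redeem)
    def redeem(self, holder, amount):
        if holder in self.deny_redeem:
            raise PermissionError("custodian refuses redemption")
        self.transfer(holder, "custodian", amount)  # receipt handed back

def refused(fn, *args):
    """True if the ledger rejects the call with PermissionError."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True

def scenario():
    # Constructed addresses: "pool" is the listed address, "other" is not.
    frz = FreezableToken("issuer", {"pool": 100})
    rcpt = ReceiptToken({"pool": 100}, deny_redeem={"pool"})
    frz.blacklist("issuer", "pool")
    return {"freezable_transfer_refused": refused(frz.transfer, "pool", "other", 100),
            "receipt_redeem_refused": refused(rcpt.redeem, "pool", 100),
            "receipt_transfer_refused": refused(rcpt.transfer, "pool", "other", 100)}
```

In the freezable model the listed balance cannot move at all; in the receipt model the only control point is redemption, so the token-level transfer still goes through.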
All told, a total of $437m of stablecoins, ETH and WBTC are under sanction.
All of Tornado Cash is blocked (can't be used by US persons), including their @Gitcoin grants wallet. We scraped the wallet info from Etherscan – it is all of their addresses totaling $437m of stablecoins, ETH and WBTC.
— BowTiedIguana (@BowTiedIguana) August 8, 2022
GitHub, a public code repository owned by Microsoft, deleted the accounts and repositories of Tornado’s core developers. This code was meant to be “open sourced”, allowing developers anywhere to iterate and improve the code permissionlessly. Open source software like this has been used to build Uniswap, Wikipedia, and even Ethereum itself.
Even users who contributed to small parts of the code years ago have received notice that unless they fill out financial disclosures, their accounts too will be deleted.
Deleting the code associated with Tornado represents a larger attack on Freedom of Speech and the question: Is a developer responsible for the actions others take using open source software they release?
Tornado itself is neither “good” nor “bad”; it is just a tool that allows for privacy in financial transactions. Setting the precedent that individual developers are liable for the actions others take using open source software is dangerous. It stifles innovation by making creators fearful of what might happen should they push the boundaries or invent something new.
The good news is that there is legal precedent protecting web3 here. In Bernstein v. United States, the Ninth Circuit Court of Appeals ruled that “software source code was speech protected by the First Amendment and that the government’s regulations preventing its publication were unconstitutional.”
Coin Center has been quick to respond, with Research Director Peter Van Valkenburgh delivering an emergency press conference at ZCon and outlining avenues of legal recourse that could be taken.
First, they discuss the possibility that OFAC has overstepped its International Emergency Economic Powers Act (IEEPA) mandate, sanctioning a tool and depriving Americans of their First Amendment rights. Typically the IEEPA is used against businesses and their associated property, and has never been used to sanction property outside of anyone’s control.
However, challenging the sanctions on statutory grounds may be hard, because according to Van Valkenburgh, “Courts tend to give very strong deference to the executive branch’s interpretation of Congress’s laws in the case of national security.”
The real fight must be brought on Constitutional grounds – specifically the First and Fourteenth Amendments. They argue that legal precedent set in Buckley v. Valeo and Citizens United v. FEC protects private financial transactions and the freedom of speech associated with those transactions. However, it’s worth noting that in Buckley the court recognized that “compelled disclosure, in itself, can seriously infringe on privacy of association and belief guaranteed by the First Amendment.”
Lastly, they also point out that any OFAC sanctioned person has the right to challenge the sanctions. The only problem is, a smart contract isn’t a person and can’t challenge the sanction. So who will?
This is uncharted territory for regulators, web3 legal experts, and the internet at large. Never has the law imagined a piece of technology that is immutable and owned by no one. Furthermore, there is weak legal precedent protecting online financial privacy in the United States.
All of this will be quick to change. The decisions that regulators and courts make now will greatly influence how Americans live online and how the brightest minds of our generation build the tools of the future.
ABOUT THE WRITER
Thanasi is a co-founder at Gotham Labs, an impact focused web3 lab, and Dream DAO, the first youth-led philanthropic initiative in web3. He is also a Co-Founder of Civics Unplugged, a National Geographic Young Explorer, and General Partner at Aera Force.