Tornado Cash Sanctions Are Spiraling Into Compliance Nightmares


Crypto privacy mixer Tornado Cash drew attention last week after the U.S. Treasury Department sanctioned the service. The implications of complying with the sanctions are starting to sink in with the rest of the industry, raising questions about just what compliance looks like.

You’re reading State of Crypto, a CoinDesk newsletter looking at the intersection of cryptocurrency and government.

Tornado.eth

The narrative

Last week, the Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash and 40-something Ethereum and USDC wallets associated with the privacy mixer. I wrote about that last week, but there's so much going on with this story that it’s worth spending more time on it.

Why it matters

We’re still grappling with the fallout from the Tornado Cash sanctions. Now that the initial shock has worn off, the crypto world is starting to examine just what the real impact looks like. People are losing – and then regaining – the ability to interact with decentralized-finance (DeFi) project front-ends based on whether they interacted with Tornado at some point in the past. Others are wondering about the locked-up funds they can no longer touch.

Breaking it down

I was browsing Reddit over the weekend when I came across two threads: One on r/buttcoin poking fun at Aave’s official front-end blocking addresses and one on r/ethereum from a user saying he created a “mirror” user interface to bypass this.

Meanwhile, there's a full-blown debate on Twitter about what exactly a company’s obligation is. Should front-ends block any and all addresses that may have ever interacted with a Tornado Cash address? Or should they be more specific, blocking only transactions that can be directly tied to sanctioned addresses? And while we know that the GitHub accounts of Tornado Cash and its developers were suspended and at least one developer was arrested, are the sanctions having any effect on Tornado Cash itself?

Let’s answer that last question first. I was curious about what effect the sanctions had on the mixer’s usage, and so I asked the good folks over at Nansen.ai.

Between July 31 and Aug. 6 (i.e. pre-sanction), Tornado’s users sent about 26,000 ETH into the mixer and took about 25,000 ETH out, according to data from Nansen.

Between Aug. 7 and Aug. 13, users sent in about 11,000 ETH (so this figure went down week-over-week) and sent out … 49,852 ETH. Tornado was sanctioned on Aug. 8, meaning the week-over-week figure nearly doubled. And it’s not that Aug. 7 (the night before the sanctions were announced) was particularly busy: According to Nansen, the inflow amounted to 2,738 ETH, and the outflow was about 1,400 ETH, so not a lot (relatively speaking). The outflow on Aug. 8 was 13,800, a full order of magnitude greater than the day before.

It only gets stranger. Between Sunday and 20:00 UTC on Monday, the outflow topped 15,000 ETH. A single (new) wallet alone accounted for around 9,500 ETH, with someone withdrawing about 100 ETH at a time in a series of transactions spanning about six hours on Monday.

And again, this is happening while DeFi front-ends are blocking addresses, although several loosened some of the blocks later on.

This kind of goes to the heart of what’s happening in this whole ecosystem. The argument is that Tornado Cash is a protocol that its developers cannot control and that is able to operate autonomously. While U.S.-based entities, or entities doing business in the U.S., can and should make every effort to avoid engaging with Tornado Cash addresses, it doesn’t seem like anyone can easily force everyone to stop engaging with Tornado Cash right now.

By the same token, those who really cannot access Tornado Cash include people in the U.S. who used Tornado prior to last week for legitimate purposes. Their funds are stuck, possibly forever, unless the Treasury allows them to make withdrawals.

Innocent parties

Miller Whitehouse-Levine, policy director of the DeFi Education Fund, said he intends to ask the Treasury Department to issue some frequently asked questions that address these issues, as well as create a general license that would allow innocent parties who have used Tornado Cash to withdraw their funds.

“People want to be safe rather than sorry, and it's incumbent on Treasury to explain what people need to do to make sure they’re safe,” he said.

“AML/CFT obligations are risk-based,” he added, referring to anti-money laundering and combating the financing of terrorism.

Last week’s “dusting attacks” perhaps highlight the importance of clarity here. I mentioned this last week (and helped write CoinDesk’s article on it), but if you missed it:

“An anonymous user sent a slew of Tornado Cash transactions to high-profile Ethereum addresses on Tuesday in what appears to be a troll implicating them in a potential regulatory mess.”

Whitehouse-Levine pointed out that the owners of these wallets are obligated to report those transactions to OFAC within 10 days, and we still don’t know how OFAC will respond – my educated guess is Treasury won’t care too much about the recipients, though the senders are another matter entirely.

Coin Center’s Jerry Brito and Peter Van Valkenburgh said in a blog post that Americans could try to challenge the action if a general license isn’t issued. One concern is that Americans’ property was frozen unilaterally and without due process.

The fact that Tornado Cash is a protocol and not an entity like Blender.io or a person raises other complications.

On Twitter, the Electronic Frontier Foundation (EFF), a digital rights and privacy organization, said it was “concerned” about the move, pointing to Tornado being an open-source software project.

Coin Center, a crypto think tank, went a step further, saying it may file a legal challenge.

“By conflating the Tornado Cash Entity and the Tornado Cash Application and adding both to the SDN List, the government has essentially accomplished a ban on Americans using a particular internet tool without any clear prospect that the restriction will ever be lifted,” Van Valkenburgh and Brito wrote. The SDN List is the “specially designated nationals and blocked persons” list, a determination made by the Treasury.

Biden’s rule

Changing of the guard

Key: (nom.) = nominee, (rum.) = rumored, (act.) = acting, (inc.) = incumbent (no replacement anticipated)

We continue with the status quo.

Elsewhere:

  • US Sens. Warren, Sanders Ask Key Bank Regulator to Rescind Crypto Guidance: U.S. Sens. Elizabeth Warren (D-Mass.), Bernie Sanders (I-Vt.), Richard Durbin (D-Ill.) and Sheldon Whitehouse (D-R.I.) wrote an open letter to the Office of the Comptroller of the Currency asking Acting Comptroller Michael Hsu to withdraw guidance issued in 2020 and 2021 that allows banks to offer crypto-related services. Also, interestingly enough, an article my colleague Ian Allison and I wrote in 2020 is quoted. To the staffer(s) reading this: Hi! Hit me up sometime.

  • Crypto Custody Firm BitGo to Sue Galaxy Digital for Abandoning $1.2B Merger Agreement: Galaxy Digital filed Monday to terminate its planned merger with crypto custodian BitGo. Galaxy claims BitGo didn’t provide necessary information. BitGo claims Galaxy owes it a $100 million termination fee.

Outside CoinDesk:

  • (New York Magazine) We all know the story: Three Arrows Capital borrowed billions of dollars’ worth of crypto, and it’s unclear just where those funds are now. New York Magazine’s Jen Wieczner has an excellent and thorough report on the whole situation, including details about Three Arrows Capital founders Su Zhu and Kyle Davies’ yacht.

  • (Grid News) The Federal Trade Commission is looking into “how businesses track and use consumer data and whether it should create rules to govern them,” reports Ben Powers of Grid News (formerly CoinDesk’s privacy specialist). This feels like a pretty significant step – we’ve all seen reports about how companies collect data about how people behave online, aggregate it, sell it and otherwise use it.

  • (Business Insider) An early OlympusDAO investor is suing the project’s founders on allegations they tanked his tokens’ value by taking “away his ability to convert investment tokens to OHM tokens.” The investor, Jason Liang, also claims to identify one of the pseudonymous founders of the project, Timothy Troxell, as “Zeus” (Liang previously claimed the other pseudonymous founder, “Apollo,” was an individual named Daniel Bara).

  • (The New York Times) Venture capital firm Andreessen Horowitz is backing WeWork founder Adam Neumann’s new real estate firm Flow, with Marc Andreessen, who opposes multi-family homes being built in his town, expected to join the company’s board. And interestingly enough, in May Andreessen Horowitz also invested in Neumann’s other project called Flow, which wanted to tokenize carbon credits and was “paused indefinitely” in June. That this was the other Flow didn’t stop the crypto project’s price from briefly spiking.

If you’ve got thoughts or questions on what I should discuss next week or any other feedback you’d like to share, feel free to email me at nik@coindesk.com or find me on Twitter @nikhileshde.

You can also join the group conversation on Telegram.

See y’all next week!