The Overreach of Centralized Power in Open Source Protocol
On August 8, the Office of Foreign Assets Control (OFAC) announced a sanction to this mixing service, claiming that Tornado Cash has been used for virtual currency crimes and enacting a list of wallet addresses that are associated with the service. That means the protocol and its associated smart contracts are now blacklisted, making them illegal for Americans to use. Only within a week, the founder of Tornado Cash was taken into federal custody, shocking the whole space. These sanctions had come to the crypto industry rather than sanctioning some specific actors who were accused of illicit behavior, they applied to an entire protocol and smart contracts. Let’s learn more about what has happened to Tornado Cash, and how it would be significant to the whole development of the crypto space.
Tornado cash is a privacy tool that provides a mixing service for confiscating transactions so users can obfuscate where their funds are going or have been. This has been a convenient and effective protocol for DeFi to preserve more transactional privacy. This protocol provides an anonymity tool for numerous blockchain users, including Ethereum, Binance Smart Chain, Avalanche, Optimism, and Polygon to enhance their financial privacy. However, allowing all participants to hide crypto activity in a black box, becomes highly attractive to some bad actors to misuse this function to conduct crimes including some of the cybercriminals and state-backed hacking groups
In March 2022, hackers from Lazarus Group exploited Ronin Bridge and stole more than $455 million from Axie Infinity developer Sky Mavis’s treasury. Only after less than three months, the same hacker group has stolen around a third of the $100 million from Horizon Bridge, a cross-chain interoperability platform between Binance Smart Chain, Ethereum, and Harmony blockchain networks, and transferred it to an address in Tornado Cash protocol. This Lazarus group is a notorious hacking group that is claimed to be tied with the North Korean government and made up of an unknown number of individuals. The state-sponsored hackers took advantage of Tornado Cash and used the service to launder stolen crypto funds into unknown places, which became untraceable. More than $1.54 billion in proceeds of crime such as hacking, phishing, and fraud have been passing through Tornado Cash and over $7 million in hacked funds have been laundered to this platform, which brought it into the spotlight.
The OFAC sanctions are not something completely new and have been used to identify specific people involved in illicit activities. Nonetheless, the new sanctions stated that 38 Ethereum-based addresses that are holding Ether (ETH) and USD Coin (USDC) are now banned. All virtual asset services in the US, which range from crypto-asset exchanges to NFT marketplaces, need to ensure that they do not process any funds originating from Tornado Cash, or else they could be heavily fined or even put in jail. After the sanction was announced, Circle, the entity behind the USDC stablecoin, blacklisted two USDC contracts included in the sanctions, freezing around 75,000 USDC belonging to Tornado users holding funds in those contracts. Circle CEO Jeremy Allaire also wrote a thread saying “as a US regulated FI subject to Bank Secrecy Act (BSA) requirements, Circle, together with our partner Coinbase, restricted the movement of USDC funds in these sanctioned addresses". GitHub also responded that they would be delighted to comply with the government instruction which requires them to delete repositories. Several developers who worked on software associated with the Tornado Cash protocol have had their GitHub accounts shut down. Moreover, FTX exchange stated that the industry-leading third-party transaction monitoring tools ensure that users do not interact with high-risk addresses and recommended not to use the mixing service in the future. It further said violating the instruction would endanger the FTX account, showing a strong attitude to abide by the sanctions. Nearly all responsible registered virtual asset service providers also react quickly to block their customers from transacting these addresses, avoiding the charges of disobeying the US sanctions compliance obligations, which could bring up to 30 years in prison.
These sanctions instantly triggered a strong backlash and many are complaining that this regulatory intervention has overreached the threshold in the history of the internet and open blockchain finance, which would be seriously harmful to the privacy and security of the internet, and the future of public internet digital currency. People could easily breach the OFAC sanctions if a minor validator produces or validates an Ethereum block that contains the transaction including one of the Ethereum addresses on the SDN list. The attack is on the type of technology that by its nature is neutral, and people are worrying that even using open source code could become illegal now. What is more, authority only enacted the restricted wallet addresses while how it will be enforced is still unclear. This is a critical moment for the crypto industry to sharpen its focus on major policy issues tied to financial privacy.
Currently, there is a lack of clarity about how these sanctions compliance is going to work in the context of individual addresses. The open nature of crypto is designed to cut out intermediaries, allowing crypto to be sent to any publicly known addresses even if they do not want, or did not request for. Unlike a traditional financial sector that would use banks and other financial institutions to act as gatekeepers against such transactions, there are no designs that allow users to refuse funds or reject funds from certain addresses. People are concerned that such sanctions on certain addresses with all their related transactions would put anyone with a publicly known address at risk of non-compliance. Within a day of this announcement, an anonymous user had sent a few transactions from Tornado Cash to some high-profile addresses including Jimmy Fallon, Coinbase CEO Brian Armstrong, or even crypto figures like Sassal, Beeple, and Dave Chapelle, causing their accounts to be temporarily suspended. Some have seen it as a troll of the celebrities but I think it's quite clearly not. Such pranks have proved these sanctions were unclear to be defined and difficult to be correctly applied. It's pointing out the particular ridiculousness of the compliance of these sanctions in the first place. As it is (still) impossible to block an incoming transfer on-chain, does that mean a person would simply lose access to services even if they cannot actively accept or decline a Tornado Cash transfer? In this connection, there is still significant ambiguity regarding the extent of these sanctions towards an automated protocol not under anyone’s control, rather than infringing upon a person, or a person’s property.
Pranker sending 0.1 ETH to a bunch of high-profile wallet addresses
The larger industry questions what it means in terms of freedom, privacy, and decentralization. On August 10, the 29-year-old developer Alexey Pertsev was arrested in Amsterdam and suspected of involvement in concealing criminal financial flows and facilitating money laundering through the mixing of cryptocurrencies through the decentralized Ethereum mixing service Tornado Cash. This instantly aroused the attention of all that writing code became an illegal action and people argue that the banning of software publication is banning of speech. It is unclear if there are other charges and allegations of illicit conduct unrelated to writing code, or else this address is a direct assault on free speech and insane government overreach. The banning of legal transactions made to maintain one's own privacy and engaging in anonymous speech for political purposes is also a violation under the money is speech doctrines. Everyone is entitled to the right to freedom of expression, which holding opinions and receiving impart ideas and information should not be interfered with by public authorities. People use privacy tools on a daily basis online because the internet is an unsafe place without privacy or encryption and those developers are doing public good to allow the mass public to adopt such benefits.
Ironically, the arrest of the developer on an open source protocol is similar to the case that the gun-making company workers are responsible for facilitating public shootings. Such centralized control, interference, and restriction on speech will make developers worried about whether they would be sanctioned merely because they are creating an open-source code or adding a Tornado Cash transaction to a block. With a major government obliging parties to outright block or limit the functioning of open source software on the internet, it raises extraordinary questions about further intense enforcement and control in the future and the collateral consequences would be people stop publishing interesting ideas. We have mentioned in previous articles that the authorities have shown enormous efforts in the supervision of stablecoins, and within a short period of time, they are showing the ambition to take control of the digital assets operators and intermediaries. The rapid growth of open source self-running protocols was, unfortunately, seen as a challenge and threat to policymakers and there will be only even more blunt force enforcement actions provided that we don't take action to protect the DeFi in the future of public internet digital currency. At scale, this could jeopardize the whole ecosystem.
The blockchain and crypto infrastructure holds the value of open internet of value exchange that challenges the centralized regulatory frameworks, including the control of payment systems, market structure, fundamental privacy, and security, you name it. Decentralization is central to the core value proposition for cryptocurrencies and enables censorship resistance for tokens so funds can be sent peer to peer. That’s also why so many donors worldwide are sending economic aid to Ukraine's military without the Putin government or another central authority intervening, while securely hiding their identities. It's also a necessary condition to attain the programmability with which DeFi protocols can automatically execute settlement and collateral contracts. If a third party has control over the system it has the power to intervene, which means there's no guarantee of authenticity and programmability will be lost. Crypto is providing everyone with an open, fluid, and equitably accessible financial system that is not subject to political and economic manipulation, thus decentralization is a worthy goal. How decentralized these protocols could still be if they are all going to comply with sanctions and what are the underlying principles of privacy that we want to build into our future systems are worth discussing. Crypto is not against regulation but it is important that regulation is implemented in ways that pursue the right goals and sustainable manner. The automated blocking of users with large open positions in Defi applications can be hugely problematic. OFAC has overstepped its legal authority, by adding certain Tornado Cash smart contracts into the sanction list that this action is violating constitutional rights, and the process of free speech, and it neglects its effect would pose to innocent DeFi users. What makes people most worried about is the speed at which everyone is falling aligned will embolden the government to continue down this path, in an increasingly heavy manner and the decentralized protocols are tripping over themselves to over comply. There will be no legal way to stop OFAC from simply adding new nonproperty, nonentity destinations beyond the Tornado Cash application to the OFAC list in the future, despite there being questionable statutory grounds for such unprecedented sanctions. It created a de facto licensing regime selectively allowing users to participate in an open-source tool, and it also has the power to add all manner of nonproprietary software tools to the list. Whether the costs of criminals being able to use technologies for nefarious purposes is worth undermining that privacy in fundamental ways is controversial. What could be sure is that the enhancement in trackable and traceable footprints regarding digital technologies creates an unbelievable surveillance honeypot for governments, turning into a very powerful tool for social control.
In short, Tornado Cash addresses sanctions as the biggest stretches of the existing legal system that the US government has tried with regard to cryptocurrencies and their related activities, also seen as one of the most egregious instances of overreach since Bitcoin was invented. In the wake of the sanctions, the secretary of state will continue to aggressively pursue actions against currency mixers laundering virtual currency for criminals. Besides raising significant amounts of questions on the status of the developers, the right of users to participate and contribute to the open source protocol, how far would be sanctioned be reached, and privacy in the digital world, it is important for all of us to rethink what decentralization really means, and why decentralization is needed the crypto industry. Decentralization doesn't matter until it does.