OFAC’s Actions Tested Ethereum and Decentralization Won — Barely
Privacy is normal, so normal that we often take it for granted. We have a reasonable expectation of privacy in numerous aspects of our lives, but perhaps none more so than in our personal finances. When the U.S. Office of Foreign Assets Control (OFAC) sanctioned key parts of the cryptocurrency privacy tool, Tornado Cash, on August 8, 2022, an attack was launched on our ability to retain financial privacy on the blockchain.
The effects of the sanction against Tornado Cash were far-reaching, impacting people, projects, and international businesses and putting a chilling effect on the entire Web3 ecosystem. This article covers the events of the first two weeks post sanctions, and while you will see that decentralization was stress-tested, it just came out on top. Perhaps more encouragingly, the Ethereum community is rising up against censorship. Stay tuned; we’re just getting started.
- Tornado Cash is laundering nearly 100% of all funds sent to it.
- TC is making no effort to stop illicit activity.
The OFAC press release gives no benefit of the doubt, and paints the picture that the project was a criminal endeavor.
All possible pieces of infrastructure used to support TC that could be attacked were nuked.
- But TC still survives.
This had a chilling effect across the entire Ethereum ecosystem.
A good portion of the community and several thought leaders doubled down on censorship resistance as a core value.
The False Accusations
To understand where we are, let’s first lay out the claims against Tornado Cash. OFAC’s first claim was that Tornado Cash (TC) “has been used to launder more than $7 billion worth of virtual currency since its creation in 2019.” They then reference just three instances of stolen funds totaling only 0.56 billion USD:
455 million USD
- Axie Infinity’s Ronin bridge hack, out of a total stolen value of 620 million USD.
96 million USD
- Harmony Bridge hack, an ETH, BSC, and BTC bridging tool.
7.8 million USD
- A fraction of the 200 million USD exploited from the Nomad Bridge hack.
Chainalysis, the premier blockchain analytics company used by many banks and governments, published their own report of TC the same day as the sanctions were announced. According to Chainalysis, TC has received over $7.6 billion equivalent in ETH since inception. Does this mean that 92% of all funds that were ever sent to TC were being laundered? Certainly not.
Money laundering is defined as “The act of engaging in transactions designed to obscure the origin of money that has been obtained illegally.” When OFAC is alleging that more than 7 billion USD has been ‘laundered’ through TC, it’s just citing the entirety of all funds to have ever passed through TC — never mind innocence before guilt. Rather than that being true, it’s entirely more likely that this activity on TC was to take advantage of TC’s core purpose, providing privacy for on-chain financial transactions, to wit:
The Chainalysis breakdown shows us that a total of 28.2% of the funds, about 2 billion USD, sent to TC were known to be stolen funds or from sanctioned addresses. Nice try OFAC. Compared to five other instances of money laundering through traditional banks, the total amount known to have flowed through TC is minuscule:
Even though best estimates indicate TC laundered relatively little money relative to their fiat-based peers, OFAC nonetheless added 38 unique addresses to their Specially Designated Nationals (SDN) list. These addresses are exclusively autonomous smart contracts and not external wallets managed by any individual.
OFAC’s second accusation claims that “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”
With this statement, OFAC is either demonstrating a complete lack of understanding of how smart contracts work, or they are aware and are deliberately framing TC in the worst possible light. TC was built by a collaborative group of volunteers from around the world to provide a level of privacy to a public database of financial transactions. This is not unreasonable, and a far cry from criminal. In fact TC does have a compliance tool built into its protocol, which enables users to obtain a “cryptographically verified proof of transactional history using the Ethereum address you used to deposit or withdraw funds”.
While OFAC misled the public when it cited the amount of money laundered through TC and its lack of compliance tools, its use of deliberately misleading words is perhaps even more troubling.
The U.S. government worked hard to control the narrative from the start. “U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash” read the headline of the OFAC press release.The U.S. government started off with purposeful word choices that for some may sound like propaganda. After all, ‘notorious’ describes something “[k]nown widely and usually unfavorably…”, making it evident that TC and the newly announced sanctions would not be given fair framing from the start.
Instead of referring to TC as a privacy tool, the term ‘mixer’ was nearly the exclusive descriptor used by OFAC, appearing a total of 16 times . A ‘mixer’ is defined as “a service offered to mix potentially identifiable or ‘tainted’ cryptocurrency funds with others, with the intention of confusing the trail back to the fund’s original source.” In stark contrast, the word “privacy” appears only once.
OFAC claims that “While the purported purpose is to increase privacy, mixers like Tornado are commonly used by illicit actors to launder funds, especially those stolen during significant heists.” ‘Purport’ means “[t]o present the often false appearance of being or intending…”. It’s a soft implication, but carries a connotation for the reader. On the last archived snapshot of the TC website it states that TC is “A fully decentralized protocol for private transactions on Ethereum.”
OFAC’s strong, seemingly intentional, de-emphasis of privacy as a function of TC leads readers to question if privacy was even intended to be a goal of the TC project at all. Whether or not sanctioning TC falls in line with OFAC’s purported mission statement, or is pursuing a separate agenda, is up to you. OFAC’s mission is:
The Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.
Regardless, OFAC’s semantics have further twisted the public’s perception of the utility of the blockchain and ossified the false narrative perpetuated in most legacy media. Because legacy media outlets like the NYT are technically correct when they report what OFAC said, they are under no obligation to correct OFAC’s misstatements and it’s up to crypto-native outlets, with far smaller audiences, to counter the misinformation.
Dominos Start Falling
Following the OFAC announcement on August 8, the dominos started falling fast and almost everything TC-related on the internet was nuked.
First to fall was the primary domain used as the landing page: tornado.cash. This is interesting, considering that the notorious Pirate Bay is still operational and the same accusation of failing “to impose effective controls” for illicit activity could also be aimed at that famous torrent site. Between TC and the Pirate Bay, arguably a stronger case could be made against the latter, whose centralized service requires servers and people to operate, whereas TC’s code runs on a decentralized Ethereum Virtual Machine.
Next to fall was the default IPFS public gateway linked from tornado.cash which would bring users to the actual user interface (UI), provided by the eth.limo domain, although the UI can still be reached by other means. Shortly afterwards, TC’s GitHub account was taken down, including all repositories owned by the TC account, as well as the accounts of three associated developers.
The final domino to fall on August 8 was the action taken by Circle to invoke the “blacklist” function built into their USDC stablecoin contract. When OFAC added seven addresses to their SDN list, Circle blocked access to all users’ funds in those pools, again assuming guilt before innocence.
On August 9, Jeremy Allaire, the CEO of Circle, wrote a Twitter thread stating their position. A few days later, Allaire responded to a request for comment made by Chris Blec, a MakerDAO recognized delegate, “on what legal action Circle took to fight this sanction of an open source protocol before you chose to enforce it?”
“…we’ll have more to say on this, but the short answer is that we are directly engaging with the government, but there is no clear legal basis available to us to refuse a wartime power under the International Emergency Economic Powers Act. 1/…”
More dominos continued falling in the following days as public RPC nodes run by Infura and Alchemy, two of the main blockchain infrastructure providers and defaults built into TC’s UI, began blocking transactions sent to the sanctioned contracts.
On Friday, TC lost its access to most of Web3, as its Discord server and Snapshot space were taken down. The last piece was the TC Gnosis Safe multi-sig on Sunday, August 14, as signatories left, leaving one remaining owner, appearing to be the DAO itself. All funds were withdrawn by Friday and are now managed by the DAO governance contract.
Decentralization Stress Tested
The Tornado Cash sanctions put the effectiveness of Web3’s decentralization principle under its greatest stress test yet. Every single point of failure was attacked, and very few were left standing.
Of the infrastructure still supporting TC, there are only the already-deployed but now-sanctioned smart contracts, which are immutable; the Ethereum Name Service (ENS); IPFS; and other independent relayers operating outside the U.S. Almost everything else failed, all of the centralized pieces of infrastructure anyway. It was a revealing moment to many who might have previously thought we had sufficient layers of decentralization, to see just how vulnerable these protocols still were.
GitHub’s decision to take down the source repositories of the project, while not clear that it was requested to do so by OFAC, was perhaps taken to minimize risk to itself or its parent company, Microsoft. A viable Web3 counterpart to fulfill the role GitHub doesn’t yet exist, and switching to another service like GitLab poses the same problem because it is similarly centralized and headquartered in the US. Radicle spoke up as a possible solution but they are an early project; still, keep your eyes on them for future development as tools like theirs could become increasingly important.
It wasn’t until Wednesday, August 17, that a replacement for the community’s Discord server went live. Matrix is a tool similar to Discord and functions as a decentralized chat room protocol for communities. For four days, communications for TC’s DAO and the general community were severely restricted.
Thanks to the valiant efforts of ENS, a copy of the front end has been kept alive via IPFS after TC’s regular provider blocked access. OFAC omitted from their SDN list the content identifier (CID) used to request the UI over the IPFS network, allowing you to load, look at, and monitor the status of the Tornado Cash pools. But don’t interact with the contracts by sending a transaction. It’s probably safer for U.S. citizens to not even load the UI over IPFS, just in case, as this can be monitored the same way torrents can.
With infrastructure providers like Infura and Alchemy blocking interactions with the sanctioned contracts, we are reminded of the second most common piece of advice offered in crypto: run your own node (second to “not your keys, not your coins”.) By running your own node, you will have your own endpoint available — there’s never been a better time to set up your own service provider.
But even if you run your own node, there is one more step your transaction has to take before it’s confirmed: a miner must accept it. On Friday August 19 it was pointed out by Twitter user @takenstheorem that “Ethermine, the largest Ethereum miner, stopped including Tornado router transactions…” shortly after the sanctions were announced.
At every link in the chain required for users to access the most widely used privacy tool on Ethereum, we were shown that having a few centralized elements has made our ‘decentralized network’ so fragile. The stress test passed, but barely.
A range of DeFi protocols all began blocking transactions with addresses that had been associated with TC. It’s important to note that these blocked addresses may not have directly transacted with the sanctioned addresses. The ‘dusting’ attack in which dozens of wallet addresses, owned by both notable Ethereans and well-known celebrities who have ENS names, were sent small amounts of ETH by an anonymous user via TC, caused unexpected problems, as many people who likely had done nothing wrong were blocked from interacting with these DeFi protocols, even non-US citizens.
Do you have a Maker vault that is at risk of being liquidated? Too bad, because you can’t use Oasis to top up your collateral. There are ways to interact with these DeFi contracts without a front end, but this is by no means common knowledge, or within many users’ abilities.
These sanctions and the subsequent blocking of addresses also brought up a larger concern over the stability of entire protocols, specifically any that relied on large deposits of the stablecoins USDC and USDT. Given the large USDC deposits in Maker vaults, MakerDAO was immediately put in the spotlight. What if vaults with large amounts of USDC deposits were now at risk of being made inaccessible?
Censorship at the app level is one thing, as there are ways around it even if those paths are difficult to find and navigate. What happens when block producers start censoring at the protocol level? We have already seen how this is happening with Ethermine censoring TC transactions — not adding them to their blocks. In the current proof-of-work Ethereum, there is nothing that can be done about this.
Ethereum Community Rises to the Challenge
Just around the corner we have Ethereum’s Merge to proof-of-stake (PoS), currently scheduled for mid-September. Once this happens, we’ll have a tool at our disposal to prevent such censorship from happening, called a user activated soft fork (UASF). In short, a UASF allows node operators to vote on a fork of the chain, in this case a fork that penalizes censorship. Using a UASF in this way will disincentivize validators from censoring transactions by threatening their staked ETH to various degrees. According to the degree of severity, this could mean imposing the absentee penalty, the same penalty if the validator was offline, slashing their stake as if they had produced an invalid block, or straight up booting them from the network.
Coinbase’s CEO, Brian Armstrong, responded:
In response to LefterisJP’s question, another regular user of crypto Twitter, Erica Wall, posted a follow-up poll for the community:
These indications are a victory for one of the core tenets of blockchains: censorship resistance. Not surprising, but it was good to see that Vitalik also voted to maintain this as a fundamental value for Ethereum. This is just crypto Twitter speaking of course, but to have people as prominent as Vitalik and Brian Armstrong speaking in support of censorship resistance is reassuring to the rest of the community. But they can’t win the fight alone.
The Fight to Come
And that’s a wrap of the first two weeks. Setting the precedent of smart contract sanctions could open up a can of worms that may even surprise the U.S. government. By extension, the uncertainty it has created within our ecosystem has led to a chilling effect that touches all projects. We’re all in this together and it’s important that we, the community, continue to both enforce censorship resistance by social consensus and fight for our ability to utilize privacy tools like Tornado Cash. This is a fight for our fundamental sovereignty. Stay tuned, friends.
PS: For those closely following the events since August 8, there is the glaring omission of TC developer Alexey Pertsev. His story is still developing but is outside the scope of this piece.
Austin Foss is a lifelong technology enthusiast with a passion for single board computers, micro-controllers, self-hosted software solutions, and distributed public technologies. He writes on these topics with the goal of promoting use of such technologies and the value they bring to each individual when paired with a free exchange of information.
BanklessDAO is an education and media engine dedicated to helping individuals achieve financial independence.
This post does not contain financial advice, only educational information. By reading this article, you agree and affirm the above, as well as that you are not being solicited to make a financial decision, and that you in no way are receiving any fiduciary projection, promise, or tacit inference of your ability to achieve financial gains
More Like This
Our Decentralized Selves by Jake and Stake and Austin Foss
It’s Not 1995 for Crypto, It’s 1739 by Zero Mass
Distributed Ledger Technology 101 by The Crypto Barista