• Michael Bacina

Tornado Cash: can Smart Contracts weather a sanction storm?

Updated: Aug 9

The US Treasury has announced it has sanctioned the collection of smart contracts known as Tornado Cash. In 2018, the Office of Foreign Asset Control (OFAC) indicated they were considering sanctioning digital wallet addresses and now 4 years later OFAC have moved to include the Tornado Cash wallet addresses in the Specially Designated Nationals (SDN) list.

The list names both the Tornado Cash website and a raft of wallet addresses, meaning that US citizens and residents will be breaking the law should they interact with those addresses. Disturbingly, some of the addresses were those accepting donations for ongoing development of Tornado Cash and would appear to have no possible connection whatsoever with illicit activity. As one researcher put it seems to include "every (Tornado Cash)-related wallet they could find".

Transactions on the Ethereum public blockchain are pseudonymous, and transactions are entirely traceable, but it is not easy to identify the owner of an individual wallet. As more wallet addresses are connected to identities through services such as Chainalysis and Elliptic, and technology such as soulbound tokens bring more identification to wallets, that traceability becomes greater.

Tornado Cash is a mixing service which enables the law-abiding and criminals alike to enjoy privacy over their transactions. It is non-custodial, meaning no third party takes control over funds, but rather transfers are placed into a pool and payments are made from that pool, breaking the link between any specific transfers of digital currency.

Tornado Cash smart contracts (known collectively as a Dapp, or decentralised application) have been used by a number of high profile ransomware and hacking groups to obscure the trail of stolen funds and ransoms. That usage is reportedly in excess of US$7BN, including the North Korean state-sponsored hacking group Lazarus putting over USD$96M through Tornado Cash after hacking the Harmony Bridge in June of this year, and criminals allegedly used Tornado Cash to obscure the destination of US$7.8M from the Noman Bridge hack last week. It is possible to see this because of the traceable nature of digital currency transactions on public ledgers, and not due to any particular investigatory powers of any regulators.

The developers of Tornado Cash announced in April that there were using a Chainalysis oracle to block OFAC sanctioned addresses from accessing the Dapp, saying:

Maintaining financial privacy is essential to preserving our freedom, however, it should not come at the cost of non-compliance.

This seems to not be enough, but the move by OFAC raises a series of questions (many of which were raised in 2018 when the announcement first was made) such as:

  • Can OFAC even sanction a piece of code? Some in the US are already arguing code is "speech" and protected under the US Bill of Rights;

  • If an address is improperly added to the list, a review process exists, but requires the applicant to disclose their identity, and will likely lead to the applicant being investigated.

  • How will the sanctions be enforced in a permissionless blockchain world where OFAC isn't able to turn off smart contracts or block at a technology level specific wallet addresses?

  • What level of association with the sanctioned addresses will amount to dealing with 'tainted' digital currency?

  • How will DeFi addresses which interact with Tornado Cash be dealt with?

  • If tainted ETH or an ERC-20 is deposited into a liquidity pool with billions of dollars of other coins - are those coins or any associated pairs now tainted as well?

  • what about a spray attack where tainted ETH is sent to addresses (which can't refuse the transactions) and create unintended breaches?

  • Do miners and node operators now have obligations (in the US at least) to block these addresses?

  • Could crypto which once touched Tornado Cash be forever marked as dirty?

  • What does this mean for other privacy enabling tools and entirely legitimate privacy protection?

Increasing regulation over crypto-assets will lead to more collisions between fundamental blockchain features like unstoppable smart contracts, and regulation designed for a centralised world being applied to a decentralised world. Blockchain businesses in the meantime need to be carefully advised to meet their compliance obligations. The broader debate of privacy as a human right should be taken up by the legislature or courts to give clarity on the matter.