Tornado Cash Caught in a Maelstrom, Plus a Step Towards Investor-Friendliness
August 2022 Commentary
The Merge is upon us and excitement around this event continued to build in August. Ethereum continued its strong rally into early August and brought the rest of the digital assets market with it. At one point, ETH broke over $2,000, more than doubling its recent lows of below $900 just about two months ago. More concrete evidence that the Merge would be completed by mid-September, however, could not sustain the enthusiasm as more sobering events began to dominate investors’ discourse. In early August, U.S. Treasury’s OFAC added Tornado Cash to its Specially Designated Nationals (SDN) list, throwing into question crypto’s promise of permissionless peer-to-peer interactions. The US Federal Reserve’s comments, near the end of August after its Jackson Hole, WY meeting, also underscored its commitment to taming inflation and made clear that macro uncertainties are not yet behind us. Investors took advantage of the early August rally to take some gains off the table, leaving the broader crypto market down around 14% for the month. August may be considered a short-term reversal after the strong July rally, but the OFAC action will have long-term consequences which are only beginning to play out.
The US Sanction
Tornado Cash is a piece of open-source automated privacy-enabling software on the Ethereum blockchain. This software works by mixing cryptocurrency tokens from multiple transactions to obfuscate the origins and destinations of the transactions. On August 8, the U.S. Treasury's Office of Foreign Assets Control (OFAC) added Tornado Cash to a government list of individuals and entities blacklisted for violating US sanctions. Specifically, the Tornado Cash website and associated Ethereum addresses were added to the blacklist, typically reserved for "persons involved in terrorism, enemy states, or other state-sanctioned activities and ensure that these individuals cannot get the benefit of the US financial system."
In this case, OFAC accused Tornado Cash of laundering more than $7 billion worth of cryptocurrency since its creation in 2019. This includes over $455 million stolen by the Lazarus Group, a state-sponsored North Korean hacking group that was sanctioned by the U.S. However, according to Chainalysis, only a portion of that $7 billion in transactions came from illicit or high-risk sources. About 18% came from sanctioned entities, almost entirely before those entities were sanctioned, while just under 11% were funds stolen from other cryptocurrency protocols and services.
Once an entity or a person is on OFAC's sanctions list, U.S. persons and businesses must stop dealing with them.
The fallout from the sanction
After the government announced the sanctions against Tornado Cash, Microsoft deleted the accounts of Tornado Cash contributors and the project source code from GitHub, a platform where developers collaboratively create and maintain open-source software. Two major blockchain application programming interface (API) providers, Alchemy and Infura, have blocked API access to Tornado Cash's front-ends. That means users cannot connect to Tornado Cash through these software intermediaries, though skilled users could still gain access to the mixing code on Ethereum directly via their digital wallets.
Several well-known DeFi projects including the decentralized exchange dYdX and the decentralized lending platform Aave have banned the use of their front-end interfaces by crypto wallets that are in any way tied to Tornado Cash, although some of these projects loosened their restrictions later on.
The US sanction had a chilling effect on the users of Tornado Cash. For the week before the sanctioning announcement, there were 775 deposit users (unique addresses) on Tornado Cash. The number of users dropped by two-thirds to 238 during the week after the announcement. Last week Tornado Cash received deposits from only 69 users. (See the chart below from Dune Analytics)
The impact of the sanction on Tornado Cash’s governance token TORN was even more dramatic. The price of TORN has dropped by 70%, from $30 to as low as $9, as shown in the chart below from CoinMarketCap.com. As a result, TORN has lost $33 million in market capitalization.
Innocent users bear collateral damage
It's not unusual for the US government to sanction specific bank accounts or wallet addresses belonging to individuals suspected of sanctionable behaviours like money laundering. What makes this sanction unprecedented is that Tornado Cash is not a "legal person"–as in an individual or corporation–but rather a technology tool used by many people in the US and around the world. The US Treasury didn't sanction any specific bad actor but an entire privacy tool instead. OFAC effectively bans all Americans from using this automated privacy software.
When a blanket sanction is imposed on a neutral technology tool, there are inevitable consequences for innocent users. Seeking anonymity is not a crime and there are plenty of good reasons to remain private in financial transactions. Perhaps some Russians want to donate to a Ukrainian humanitarian group without exposing themselves to potential Russian recriminations, as Ethereum founder Vitalik Buterin, a Russian-Canadian, did. He revealed his donation using Tornado Cash on Twitter. Privacy is particularly important to activists in authoritarian countries where revealing financial transactions could get them jailed or executed.
A unique feature of blockchain transactions also makes compliance difficult for innocent users. It's possible to send funds through Tornado Cash to any Ethereum wallet without the wallet owner's permission. An anonymous person did just that after the sanctioning announcement, sending small amounts of ETH to public figures—like Coinbase CEO Armstrong, and TV host Jimmy Fallon—with publicly known wallet addresses. These U.S. persons who receive unsolicited funds from a Tornado Cash address may have violated the sanction. It is unclear what actionable steps Americans can take in this situation to comply with the sanction.
An assault on developers’ right to free speech?
Sanctioning a neutral technology tool could also stifle technology development. Taking OFAC's rationales to the extreme, the US government could potentially crack down on any software used for illegal activities. Such a sanction is inconsistent with past practices. After all, we don't sanction the Internet when terrorists use email; we don't sanction Apple's operating system when an iPhone is used in money laundering.
The sanction on Tornado Cash may also conflict with the position of the US Treasury's Financial Crimes Enforcement Network (FinCEN). In 2019, FinCEN distinguished between "providers of anonymizing services" (including mixers) and "anonymizing software providers," making it clear that service providers are subject to Bank Secrecy Act obligations, but software providers are not. Coin Center, a crypto research and advocacy society based in Washington DC, argued that the Tornado Cash entity (the developer team) has no control over which users can use the mixing service after the code has been deployed on the Ethereum chain. Therefore, the entity is "an anonymizing software provider", rather than a "provider of anonymizing services."
On August 12, two days after the U.S. Treasury blacklisted Tornado Cash, Dutch authorities arrested a 29-year-old developer of Tornado Cash. He was suspected of “involvement in concealing criminal financial flows and facilitating money laundering through the mixing of cryptocurrencies through the decentralised Ethereum mixing service Tornado Cash” according to the Dutch authority FIOD. This arrest raises concerns about whether developers of coin mixing tools should be held accountable for illegal activities on mixers.
U.S. courts have long recognized that code is speech and protected by the First Amendment. The precedent was established in the 1996 case of Bernstein v. U.S. Department of State. Judge Patel in this case stated that the First Amendment protects code because there is "no meaningful difference between computer language, particularly high-level languages …, and German or French … Like music and mathematical equations, computer language is just that, language, and it communicates information either to a computer or to those who can read it. ... source code is speech."
By adding specific autonomous software addresses on a blockchain to the sanction list, OFAC is effectively blocking the publication and use of open-source code. This restriction could be interpreted as violating Americans' constitutional rights to free speech, and Coin Center may launch a legal challenge based on this perspective.
Looking Forward
Privacy on public blockchains is an essential feature required for any meaningful commercial or personal adoption of this technology. We’ve long expected this contentious issue to be a flashpoint for government intervention and arguably overreach. To date, anonymity services on blockchain have operated largely unimpeded, most likely due to the lack of wide-scale usage rather than any sort of acceptance on the part of governments or exchanges. If left unchallenged, this precedent raises the possibility of a bifurcation of blockchains between whitelisted and blacklisted addresses, threatening the fungibility of cryptoassets.
Whilst it is important that law enforcement is properly equipped to function effectively, we need to ask: at what expense? For those who cannot see the value in self-sovereign assets, the answer is obvious – the downsides outweigh the benefits, and the technology should simply be banned or neutered to the point that there is nothing interesting or novel left to explore. For those who truly understand why crypto is revolutionary, there is an acceptance that if a technology is at all useful then it will be useful to those who wish to use it for both good and bad ends, and that this is the price that must be paid for progress.
One Small Step for Investor-Friendliness …
In other industry-related news, we’d like to highlight the announcement of Galaxy Digital Holdings’ new fund, the Galaxy Liquid Alpha Fund: https://www.coindesk.com/business/2022/08/18/new-galaxy-fund-on-path-to-raise-100-million-by-year-end/
Normally we don’t make it our business to call attention to other funds in our space, but we’ll make an exception in this case. We’re excited that they have chosen to use a benchmark and only assess incentive fees if they beat their benchmark. This alignment of incentives is very much a part of our ethos here at Firinne and this approach to fee structure was one of the cornerstones of our founding discussions in 2021. We knew the industry would be moving in this direction and we’re gratified to see it taking place. So, kudos to them for adopting this structure.
Still, we have a quibble with their choice of benchmark. According to the news, they chose BTC as the benchmark. Yes, BTC currently dominates the size rankings and can be considered a simple and rough proxy for “the market”, but most people in this space think it will have a reduced size and dominance in the future. As such, it’s probably the easiest benchmark to beat with a diversified portfolio. We at Firinne have no insight into the discussions that led to their selection of BTC as the benchmark, but we strongly believe that a more diversified benchmark that reflects the broader market is a fairer benchmark for a client (and harder to beat!). Interestingly, Galaxy does offer, in partnership with Bloomberg, more diversified indexes for both crypto and DeFi! Of course, they can’t select their own index as a benchmark, so perhaps the reason for BTC as a benchmark is simply that they didn’t want to use a competitor’s index. Still, we don’t think it is optimal for the end investor.
The evolution of the digital assets investment management space continues apace!