[Note: this is a non-exhaustive post on a trending topic. For a more in-depth view, be sure to read OFAC Sanctions & Ethereum PoS – Some Technical Nuances from BitMEX Research and The Case for Social Slashing by Eric Wall]
Last week I was interviewed in a Twitter Spaces hosted by Taariq Lewis at Paloma. The other guest was Ameen Soleimani, co-founder of Reflexer Labs, which created Rai (an unpegged, stabilized asset on Ethereum).
The conversation started with the topic of “stablecoins” in relation to OFAC. OFAC is a governmental organization that we have discussed in some previous posts.
What is OFAC?
The Office of Foreign Assets Control (“OFAC”) of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.
Why is OFAC in the news and why have we written about it before?[1]
OFAC has previously sanctioned cryptocurrency-related assets and addresses, most notably starting with the proceeds of ransomware operated by several Iranian nationals.
OFAC maintains and updates a list of SDNs, or Specially Designated Nationals and Blocked Persons. Nearly four years ago, they added several Bitcoin addresses, not just human beings.[2]
Over the past four years, other cryptocurrency addresses have been added to the list. The Block recently put together an easy-to-read guide chronicling these actions.
So what is the big deal this time? After all, we have written about this potential scenario several times in the past including in mid-2015, dubbing one gated flavor “permissioned-on-permissionless” — it is a weird hydra that combines the worst of both worlds (e.g. no legal recourse).
Two weeks ago, OFAC went beyond sanctioning specific addresses and sanctioned a smart contract called Tornado Cash. What is Tornado Cash?
Recall that by default, all activity on public chains (and private chains) is unshielded. While there are several zero-knowledge-based proposals in the works, on-chain privacy only exists through mixing or tumbling coins together. In contrast, with centralized applications (and intermediaries) such as Venmo, users can often shield their activity from third parties.
Tornado Cash is a free, open-source protocol that was implemented first on Ethereum. The implementation that was sanctioned could, in theory, be deployed to virtually every EVM-compatible chain, public or private.
Yes, code was sanctioned, which is arguably beyond the scope of what OFAC was intended to monitor and police.
Administrators of centrally issued pegged coins went in different directions. The operators of USDC quickly blacklisted the ~$750,000 in USDC held by addresses linked to the 45 addresses OFAC had sanctioned.[3] In contrast, Tether LTD announced it would only do so if explicitly requested by U.S. authorities.
But Gerard’s take is bad because the sanctions go beyond hitting SDNs (humans) to contracts and code instead, creating a chilling effect downstream by creating sanctions exposure for innocent people.[4]
For example, within 24 hours, the public repository for Tornado Cash was removed by Microsoft (owners of GitHub) and several developers who had contributed to Tornado Cash had their GitHub accounts shut down. Infrastructure providers such as Alchemy and Infura blocked access to Tornado Cash. The Tornado Cash Discord server was also shut down.[5]
While the protocol still exists on Ethereum, activity on it has dwindled and some miners have stopped including TC-related transactions.
At least one other example of the unintended consequences of sanctioning code is the direct impact on researchers at both for-profit and non-profit organizations. For instance, if Matthew, a cryptographer, conjures up some code to help users retain privacy while transacting on-chain, yet does not implement or deploy the code — and someone else does — is Matthew now a target for sanctioning? This actually isn’t a hypothetical because Matthew Green, a tenured cryptographer at Johns Hopkins, just did that yesterday.[6]
Are the people who develop the libraries that Matthew used also a viable target? Anti-coiner responses, such as Gerard’s 1,500-word post, do not delve into these real downstream effects.
What is another reason Gerard’s take is bad?
Because Bitcoin miners, and other cryptocurrency infrastructure operators, have included transactions from sanctioned addresses in blocks for about four years. While it may be a matter of “national security,” it is not consistent. For instance, in spring 2021, Marathon Digital – a U.S.-based mining operator – announced that it would provide “OFAC-compliant” bitcoin mining. A month later it reversed this policy amid angst from Bitcoiners. Thus the question that Gerard and others who danced on Tornado Cash’s grave must ask: what about consistency?[7]
And Tim, what are your bona fides on this matter?
Above is a (mostly) one-way interaction with a coin lobbyist from Coin Center in 2015. What was Peter complaining about then and what does it have to do with OFAC’s recent actions?
The paper in question is “Watermarked tokens and pseudonymity on public blockchains.” Rather than re-litigating it, let’s pull out two small nuggets:
(1) A compendium: Integrating, Mining and Attacking: Analyzing the Colored Coin “Game” by Ernie Teo.[8]
This was a strawman cited throughout the paper that describes what later evolved into miner extractable value (MEV). MEV is a friendly acronym that describes what a number of lobbyists – and their think tank supporters – used to claim never would happen: proof-of-work miners (and other participants adjacent to a miner) using discretion to (re)order transactions in a block. For more on MEV, I highly recommend listening to episode 455 from Epicenter.
According to the Flashbots project, about $673 million in profits has been extracted by MEV over the past two-and-a-half years.
Okay, so at least in mid-2022 no one is arguing that MEV is non-existent or that proof-of-work miners are necessarily neutral parties (see Ethermine and Marathon Digital above).[9]
So what was the other nugget?
(2) The story about Symbiont using Bitcoin (which they would later reverse):
Scrolling back through the 2015 archives is a blast from the past. “Enterprise blockchain” startups such as Chain, Digital Asset, and Symbiont first attempted to tokenize real-world assets (RWA) and embed them into the Bitcoin blockchain. Yet early on in each of their approaches, they were told by regulators that this probably would not fly due to sanctions. Don’t shoot the messenger!
What does that mean in the 2015 era? Recall that at the time, (incumbent) regulated financial institutions (typically banks) were already hesitant about doing something blockchain-related because of the negative connection with Mt. Gox and Silk Road. Adding sanctions screening to the list was a doozy.
What did sanctions actually have to do with tokenizing RWAs and Bitcoin mining?
At the time, the scenario was pretty straightforward: if tokenized interest rate swaps (IRS) or tokenized syndicated loans were mined by a pool based in a sanctioned country, such as North Korea or Iran, knowingly paying a transaction fee to that pool would likely fall afoul of some sanction. So rather than having to deal with that headache (among others, such as what happens to stolen tokenized assets on a public chain), regulated financial institutions punted on that and headed down into the sterilized world of permissioned chains, where every counterparty was known and screened ahead of time.
Obviously that does not mean sanctions violations do not occur — in aggregate the largest money laundering and violation of anti-money laundering laws still occur through banks — but the justification at the time was that block producers for permissioned chains would not be operating out of a sanctioned country. Yet as I mentioned on the Twitter Spaces interview: this approach kills composability. Why? Because all contracts would have to be whitelisted, which is one of the reasons why the bulk of “enterprise blockchain” projects pivoted or shut down. But again, a topic for another day.
This post could continue on, discussing hypothetical scenarios in which U.S.-based intermediaries involved in staking – such as centralized exchanges – are required by OFAC (or other regulatory / enforcement bodies) to censor sanctioned transactions. But there are already a lot of good Twitter threads on that, especially from Gabriel Shapiro.
Instead I think the most concise argument opposed to sanctioning contracts and code is from an attorney, Nelson Rosario:
We could have ended this post by discussing the 2013 guidance from FinCEN regarding administrators and how miners were not included. And how FinCEN / OFAC have had inconsistent enforcement toward North Korean – and other “bad” state actors – when it comes to mining. For instance, hardware manufacturers such as Bitmain sell equipment (first and second hand) to parties that commercially interact with miners in sanctioned countries.[10] Or U.S.-based miners and pools process Bitcoin transactions that involve proceeds of malware.[11]
But that would detract from Rosario’s excellent point about code. Code in public repositories. Code implemented by independent 3rd parties. The sanctioned Tornado Cash contract should highlight the need for privacy-by-default, not as a bolt-on afterwards.
And who better to describe this mantra than the coiner of Fedcoin, J.P. Koning:
You do not have to like blockchains or be an industry lobbyist at all to see the core issues at hand — on privacy — are reminiscent of the legal fights over PGP nearly three decades ago. To galvanize hoi polloi, it is worth listening to the reflections from Phil Zimmermann, who spearheaded the fight (and defense) of code during that time.
1. We would be remiss if we did not highlight that Angela Walch was the first academic to argue that “miners are intermediaries” in a vetted long-form paper. You do not have to agree with her conclusions to recognize that she blazed a trail during a time period in which lobbyists tried to spin any and all examples of transaction discretion by miners.
2. Note: this post is partially based on a presentation I gave over two years ago: “Regtech and Blockchains” for MIT Horizon.
3. In the U.S., sanctions are usually enforced by a centralized payment system or some entity that provides a service.
4. One common way transactional “tracing” occurs today is through contracting 3rd party vendors such as Chainalysis, Elliptic, and TRM Labs. We have discussed analytics providers in the past but it is worth highlighting how, in the instance of Tornado Cash, it is unclear how many “hops” away funds that touched Tornado Cash are perceived as clean versus dirty. And the methodology varies from vendor to vendor (Maya Zehavi rightly points out the abuse of user metadata that “Web2” companies like Facebook were involved in and how compliance around Tornado Cash resurfaces some of the same thorny issues). This then ties in with nemo dat, a principle we have covered many times. E.g., in the real world, physical cash is exempted from encumbrances because commerce would grind to a halt if holders had to trace the chain of custody each time they did a cash-based transaction.
5. A dusting attack also took place in which 0.1 ETH from Tornado Cash was sent to publicly identifiable Ethereum addresses, the owners of whom were unable to use the frontend of popular DeFi dapps.
6. Not a coincidence that the EFF is assisting Matthew Green in his effort, just as they formed to defend Internet civil liberties during the ‘cypher wars’ in the early ’90s.
7. One argument law enforcement might make is that Tornado Cash – via the DAO and fees around the protocol – is providing a service for sanctions evaders. A counterargument could be that the Tornado Cash frontend used the Chainalysis API to block sanctioned wallets and the TORN governance token did not capture those fees for holders.
8. According to a guest in episode 372 of Unchained (at around the 51m mark), “PMCGoohan” independently described MEV in 2014.
9. Earlier examples of discretionary transaction selection include: (1) Slush mining pool manually helping Tone Vays win a bet against Roger Ver; (2) Luke-Jr, a developer and mining pool operator, threatening to censor Satoshi Dice transactions from Eligius pool; (3) during the ICO boom of 2017, certain Ethereum mining pool operators such as F2Pool would accept pre-payment in order to guarantee investors a spot in a block for Status, Brave, and other offerings.
10. A mid-2017 article hypothesized a scenario that an advisor to the company explicitly told me was occurring.
11. Why now, why Tornado Cash, what about other TC deployed on chains, miners, dapps? For instance, Tornado Cash that was cloned and deployed on BSC and Arbitrum was not sanctioned. As a former regulator explained: On the other hand, uneven enforcement is an inevitability in part because organizations like FinCEN have ~30 people and only half a dozen or so are lawyers. The equivalent in the MAS is about 2 people, thus principals in Terra and Anchor still quietly reside in Singapore. The only entity with the manpower, probably, was the PRC and they gave up after less than a year.