Tornado Cash Sanctions Reveal the Need for Decentralization Tools

Updated by Nicole Buckler
In Brief
  • The Tornado Cash saga has still got some more drama to throw into the world
  • US Department of the Treasury says Tornado Cash was used to launder more than $7 billion worth of virtual currency
  • Crypto will continue to develop new tools to protect users, and even Tornado itself cannot actually be shut down

Tornado Cash saga: The story wrapped around the US Treasury Department’s actions to shut down Tornado Cash still has legs and probably still a few twists and turns to take, according to John Shutt and Mhairi McAlpine of UMA.

The dust has yet to settle on the measurable impacts the sanctions will have on the crypto-mixing service accused of providing crypto laundering services.

Tornado Cash was used to launder more than $7 billion worth of virtual currency since its creation in 2019, alleges the US Department of the Treasury. The department said over $455 million of those laundered assets was stolen by the Lazarus Group.

Lazarus Group is a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group. It was sanctioned by the U.S. in 2019 in the largest known virtual currency heist to date.

The department did not explain why it believed $7 billion in assets were sourced from criminal activity, nor why its estimate is much higher than independent third-party estimates.

For now, uncertainty looms over this unprecedented foray by authorities into the DeFi ecosystem. Following this event, actors in the space will continue to test the consequences and limitations of the sanctions. 

Tornado Cash and the effect on DeFi

Participants in DeFi will try to figure out the answers to questions like: will interactions with Tornado Cash blackball wallets or compromise other involvement in DeFi? To what extent does the idea of compliance apply to decentralized projects? Will this event lead to censorship within DeFi and accelerate the invasion of privacy in crypto? 

We can be fairly certain that sanctioning DeFi protocols will do little to improve overall crypto security. Its effectiveness at discouraging hackers also remains questionable. This is because of the ease with which code can be forked and the original protocol still used directly on-chain. 

But this situation certainly does reveal the need for more, stronger tools and protocols that promote and improve decentralization – a key pillar in the protection of privacy. 

Clouds of fear and uncertainty

Centralized asset managers are probably feeling clouded with fear and uncertainty due to these sanctions. DeFi developers have gotten a reminder why censorship resistance is important. 

If you build a global system where blocking users is possible, you could be forced to decide whether or not to block users for arbitrary and capricious reasons. This could be purely based on nation-state intervention.

The Tornado Cash sanctions can be seen as a challenge toward financial privacy and freedom. This could have unintended consequences of hurting anyone who wants to protect their financial history. 

The sanctions unfolding now could set precedent elsewhere, putting well-meaning actors into the crosshairs of various authorities. 

For the sake of argument, let’s envision a scenario where a person makes a crypto donation to a Ukrainian charity or organization that has been targeted by Russia. This could potentially lead to grave consequences.


Feeling gaze of regulators

This event intensifies the gaze of the regulator, with many now looking a little more desperately over their shoulder. We find ourselves a little deeper in a cloud of legal fuzziness. 

The sanctions pose an unknown: transactions can be sent to any wallet without the owner's prior consent or knowledge, leading to that address being banned from services.

We saw right after the ban announcement that someone sent 0.1 ETH from Tornado to publicly known people – highlighting that this action may have negative implications for any crypto user.

This means these addresses could be blacklisted from regulated services like Coinbase without their owners ever engaging with the sanctioned address. This creates an issue for all crypto users, as their on-chain funds are now at risk of being blacklisted.

Tornado Cash: Clear rules

Without clear rules on how to manage this risk or disclose transactions, centrally managed funds are in jeopardy. Some services like DYDX have taken a cautious approach, protecting themselves from any potential liabilities at this time as the rules are not clear enough to work through the nuances.

Crypto transactions are by default open and transparent, in contrast to the opaque traditional system. However, having your entire transaction history open to everyone is a privacy and security concern. 

Privacy tools like Tornado allowed people to keep their transactions and net worth separate from their identity. Imagine paying $10 for a service online with crypto and exposing everything you ever did on-chain.

U.S. citizens are now deemed to be sanctions breakers for attempting to add some privacy to their activity.

It remains unclear where we go from here. It’s possible the sanctions could be challenged and struck down via constitutional challenges. 

Just recently, we saw that Coinbase is backing a group of Tornado Cash users to pursue legal action against the U.S. Treasury Department. Echoing the rest of the industry, Coinbase saw the sanctions as a dangerous precedent to set. The outcome of the proceedings, eagerly awaited, will crucially shape the future of financial privacy and freedom in web3.

The importance of optimism in treasury security and privacy 

Situations like this with Tornado Cash highlight vulnerabilities around how DAOs govern themselves and manage their funds. 

For instance, say your DAO treasury is controlled by a multisig. If a key holder has their wallets compromised due to activity past or present with a sanctioned entity like Tornado Cash, those wallets could end up frozen. 

More significantly, given the arrest of a Tornado Cash developer in Amsterdam, signatories may even be facing long jail sentences with no access to their private key.

This emphasizes the importance of continued innovation in DAO tools and services. 

We’re on the brink of producing and accessing more optimistic-oriented tools and services that can reduce or eliminate reliance on multisigs. 

For instance, optimistic oracles are increasingly and more flexibly empowering and securing DAO tools. 

This approach allows anyone to execute a transaction from any wallet, based on the concept of proceed-unless-disputed. This can smooth out logistical wrinkles in our communities and teams.

Tornado Cash and decentralization

We need more decentralization within our teams, projects and DAOs and the Tornado situation shows us why. 

For now, we can generally assess the U.S. sanctions as – at the very least – a sloppy intervention that’s too broad and interfering. 

However, Tornado Cash is only one of many privacy protocols. Crypto will continue to develop new tools to protect users, and even Tornado itself cannot actually be “shut down,” and remains usable today.

The sanctions may be found to be unconstitutional and the U.S. government could be on shaky ground with impending legal battles. 

Governments that pursue surveillance and control are failing to respect the right to autonomy, privacy and liberty. 

At its foundation, cryptography is just fancy math and we’re dubious that governments will succeed at banning math. 

About the authors

John Shutt is a smart contract engineer at UMA. He has been working on cryptocurrency and encrypted messaging systems for over a decade.

Mhairi McAlpine is a community manager at UMA. Mhairi is interested in governance, DAOs, privacy, real world applications of crypto technology and community engagement with UMA’s optimistic oracle.
