In this issue:
The Tornado in the Room
The merge is scheduled
Iran uses crypto to bypass sanctions
The Tornado in the Room
On Monday morning the Office of Foreign Assets Control (OFAC) announced they were sanctioning the cryptocurrency privacy tool Tornado Cash because it had been used by North Korea (DPRK) to launder money stolen in the Axie Infinity hack. I wrote on Tuesday about why I think that was the wrong decision, but today Iโm going to focus more on the possible consequences. OFAC is the organization charged with enforcing U.S. sanctions on individuals like terrorists, drug kingpins and countries like Iran, Cuba and North Korea. OFAC regulations donโt tend to come up all that often in the life of ordinary people but they are absolutely no joke:
Violating U.S. sanctions is punishable by up to 30 years in prison and millions of dollars in fines โ but more importantly it is a strict liability crime, meaning there is no way to plead ignorance or accident. The law does not care whether you had criminal intent. Anyone who interacts with Tornado Cash for any reason from Monday onwards is now guilty of violating U.S. sanctions. Arguably even loading the tornado.cash website might be a violation?1 Both the website and the GitHub hosting the open source code have already been taken down and Dutch authorities have already arrested a developer who worked for the Tornado Cash DAO.2
This is the first time that OFAC has sanctioned a tool (as opposed to a person, company or country) and the implications are not at all clear. The Tornado Cash smart contract has been migrated to new addresses and the code has been uploaded to new repositories. Should those be considered extensions of the original Tornado Cash entity (and hence sanctioned) or entirely new? Here is the Tornado Cash smart contract reconstituted as pixel art. Should that be illegal?
One thing that is definitely illegal now is handling any of the ETH or USDC stored at the Tornado Cash addresses. Circle immediately froze the ~$75k worth of USDC held by Tornado but the ~$400M worth of ETH can still be freely withdrawn and used throughout the DeFi ecosystem. On Tuesday I wrote:
The people whose ETH has suddenly become 'tainted' have every reason to spread the 'taint' everywhere they can until it becomes effectively unenforceable.
Even before I finished writing that sentence someone was already sending tainted ETH to every famous address they could find, including Snoop Dogg, Jimmy Fallon, Shaquille OโNeal, Logan Paul, Randi Zuckerberg, Dave Chappelle, the design company PUMA and the country of Ukraine. Since there is no way to refuse payment on Ethereum and OFAC violations are strict liability crimes, there also is no easy way to legally distinguish between Jimmy Fallon and a North Korean operative.
The spreading contagion of tainted ETH is a bit of crisis for the DeFi ecosystem. The open secret of DeFi is that most applications are not actually all that decentralized. Some have ambitions about how they intend to get more decentralized over time and others have delusions about how decentralized they already are โ but most DeFi projects are de facto controlled by the developer teams that built them. Those developers are being forced to choose between financial freedom (for their users) and personal freedom (for themselves).
Infura and Alchemy (the companies that power the majority of Ethereum applications so people donโt have to run their own nodes) are already blocking Tornado Cash. Uniswap, Oasis, Aave and dYdX are all doing the same. The combination of strict liability plus ambiguous interpretation are incredibly chilling, but that may be (at least in part) the point. Many applications are going even further than the law requires and banning addresses for ever having used Tornado in the past.
This isnโt really new โ many of these applications were quietly banning OFAC sanctioned addresses already โ but it is a lot more difficult to ignore. The majority of users never interacted with an address that belonged to Iran or North Korea but Tornado Cash was a much more commonplace privacy tool. Even Ethereum founder Vitalik Buterin acknowledged using it to hide a donation he made to Ukraine (Buterin is a Russian citizen). Many, many more users are affected.
Tornado Cash is also a much more sympathetic target than previously sanctioned entities, but that doesnโt mean that other DeFi developers will be willing to face down decades in prison to defend them. In theory DeFi users could demand privacy and censorship resistance but in practice neither have been a priority for users so far. Most of the major DeFi applications have centralized dev teams that are clearly in control of their projects โ which is both why they are compelled to enforce the sanctions and also how they are able to. Many of them are also critically dependent on centralized stablecoins like USDC and USDT.
I think we are reaching the end game for decentralization theater in DeFi but it isnโt entirely clear to me whether that means the end of theatrics or the end of trying to decentralize. If DeFi users are content with a mostly decentralized casino that bans privacy but allows gambling and ponzis, that is likely what they will get.
One particularly interesting case study in the impact of the OFAC sanctions is MakerDAO, the organization behind the collateralized stablecoin DAI. Iโll be writing in greater detail about the implications of the Tornado Cash sanctions for DAI and MakerDAO in an upcoming issue for paid subscribers.
Other things happening now:
The Ethereum Merge (most notable for switching the network to proof-of-stake validation) has been officially scheduled for TTD 58750000000000000000000 (probably on September 15th).
Iran has started using cryptocurrencies to bypass international sanctions:
A brief history of DeFi, h/t Casey Caruso:
I am not a lawyer and nothing I ever write is legal advice. Donโt take legal advice from anyone who asks you to like and subscribe. Please like and subscribe.
In case you were wondering why Satoshi stayed anonymous.