Sanctioning Tornado Cash — A war-on-drugs vibe ?

Tom Shnaider
Blockchain Biz
Published in
5 min readAug 29, 2022

In the last week Tornado Cash has made the news after the Office of Foreign Asset Control (OFAC) decided to ban its use and sanction its American users.

Ash Hayes — https://unsplash.com/@ashley_hayes

We’ve seen how trying to forcefully shut down organisations that are out of reach is akin to flogging a dead horse.

It’s hard enough when corruption is involved, so let’s see how hard it is when it comes to a decentralised protocol.

The decision

Sanctioning Tornado Cash for having supported the laundering of $7 Billion worth of cryptocurrencies is understandable. In their press release, the US treasury accuses “them” to “repeatedly [failing] to impose effective controls designed to stop it from laundering funds” without addressing the impossibility of such measures.

While acknowledging that “most virtual currency activity is licit” they add that “it can be used for illicit activity”, failing yet again to mention how impossible it is, for a decentralised protocol, to identify the legality of a transaction.

Their solution is to consider any mixing protocol as a high-risk threat except if “they have appropriate controls in place to prevent mixers from being used to launder illicit proceeds”. The only way of doing so would be to KYC users and/or gather information about prior transactions, defeating the whole objective in the process.

Privacy vs Law

But to close the discussion on the use of blockchain for illegal activities, before we open it — and in the hope that we’ll stop using criminal activities as an argument against privacy — the tool isn’t the problem.

Even though the idea that « the gun doesn’t kill, it’s the shooter » isn’t a valid argument against ridiculous gun laws, the idea is still valid.

The use people make of something cannot be a good enough argument: money was always laundered with fiat through common businesses and cars are used as weapons on a daily basis.

Tornado Cash

Ethereum is a public blockchain. Meaning that every transaction can be seen and scrutinised.

It’s easy to imagine why people would like to hide their financial activities. You wouldn’t want anyone gaining access to your bank account, even if you don’t have anything to hide.

And since everything is forever recorded on a blockchain, you might have to make a transaction that would link your address to your identity, linking it to all your past transactions in the process — on the same address at first but it’s possible to link it to other addresses by inference.

To avoid that, different protocols exists. They use smart contracts to bundle transactions and make it difficult or impossible to retrace the transaction path that could link an identity to a transaction.

Tornado Cash uses smart contracts and zero knowledge proofs to do exactly that. After depositing funds, you can withdraw them to a different address without leaving a trail.

Without the protocol, an intuitive idea would be to make a lot of transactions and try to blur the link, but that is still easily retraced. Or you could break the total amount into thousands of fractions and send them all into different addresses than back to a few ones, but this too can still be traced. Finally you could use bridges and other protocols to hop through different blockchains or just go for a privacy coins. More on that in this Blockchain Forensics article.

Instead of all of these techniques, tornado cash used zero knowledge proofs. These smart contract can Hash an information and use the Hash to present an immutable proof without having to share the actual information.

Here is an example of how you could prove you’re over 21 without sharing your age of date of birth, using a zero-knowledge proof from https://www.coincenter.org/education/advanced-topics/how-does-tornado-cash-work/

Tornado cash only lets you withdraw the funds you deposited, there is no bundling of funds, only of transactions. But by using the ZK approach you can prove that your funds are actually yours without having to use your address to prove it.

To go back to the absurdity of the decision, Tornado Cash is not a company. It’s a decentralised protocol made of several smart contracts. Hence, the impossibility of shutting it down.

Without even thinking about blockchain-level decentralisation, think about how the famous Pirate Bay is still up and running despite all the efforts different government agencies make to close it.

Sanctioned addresses

Since everything is public, you could see if an address interacted with a Tornado Cash smart contract. You won’t be able to see where the funds went but you can see if it was used, either to send or receive. Again, the idea is to move funds from an identity-linked address to an unknown one.

Meaning that if an address is linked to your identity, it’s possible to infer that you used the protocol and proceed to punish your for it.

The same goes for receiving funds from one of the sanctioned contract addressed. And that is were the major problem resides.

Dust attacks

This kind of attack is used to link an address to a sanctioned protocol. Let’s say that I use Tornado Cash to deposit funds and then withdraw them to an address owned by you.

As a protest against the sanctioning of Tornado Cash’s address, someone thought that a practical joke or a rebellious action was worth more than any article. This person or entity used Tornado Cash to send ETH to celebrity linked ETH addresses, making them punishable by law and thus proving the inefficiency of the sanctions. It’s fairly easy to find the address of someone, if they publicly claim to own a famous NFT for example.

You might get sanctioned for interacting with the protocol, without being able to prove it wasn’t you who did it in the first place.

How can a government enforce laws that could be incriminating to anyone, anywhere…?

A dust attack is like ordering illicit drugs from the darknet and using the physical address of someone else as the destination. You cannot be held accountable for receiving something illegal. Same goes for illegal files being sent to your e-mail address.

Let alone the codes being open source, which enables virtually anyone to recreate a tornado cash 2.0 with addresses that aren’t sanctioned…

The War on Code

As for any uncontrollable and potentially harmful things, the best policy seems to be education and good sense.

If we have learned anything from the war on drugs and piracy, it’s that you can’t win by repressing it blindly. We’re obviously failing to provide any alternatives to blind repression, but that’s kind of the point.

Fear not, for hope is not needed for Tornado Cash’s future since, as a concept, it cannot be stopped.

Unfortunately, real people will be used as scapegoats to nourish and justify an impossible battle. Alexey Pertsev, a dutch developer who supposedly participated in developing Tornado Cash, faces charges for having helped North Korea launder money…by creating the tool that was used.

Needless to say that arresting someone because his creation was used for something illegal is extremely unfair and even more useless.

We still have to acknowledge that we can’t expect the US treasury and other governments to sit there and do nothing… They’re might just trying not to lose face.

Thank you for reading,

Take care.

--

--