The Chainalysis Sanctions Oracle — When should you be concerned it’s late?
Hopefully whoever relies on the Chainalysis “Sanctions Oracle” to make “critical decisions” doesn’t equate “critical” to mean “timely”.
Chainalysis is a blockchain analysis company that claims to be the “standard in blockchain analysis” that “businesses, banks, and governments” use to “make critical decisions.”
As part of its business, Chainalysis maintains a “Sanctions Oracle” at 0x40C57923924B5c5c5455c48D93317139ADDaC8fb on the Ethereum blockchain.
The Chainalysis Sanctions Oracle is a publicly-available service that is “maintained by Chainalysis on a variety of popular blockchains and will be regularly updated to reflect the latest sanctions designations listed on economic/trade embargo lists from organizations including the US, EU, or UN.”
Here we will look at what Chainalysis means by “regularly”.
Spoiler alert, you may not want to lean too heavily on the Chainalysis Sanctions Oracle, because when it comes to the definition of “regularly”, individual results may vary significantly.
The Chainalysis Sanctions Oracle Contract
Here is the code for the Chainalysis Sanctions Oracle contract on Etherscan.
The Chainalysis Sanctions Oracle contract has an admin address (called “owner” in the code) currently set to 0xDF900dC8991474ab9d69F2c3b9C900c055fb36CD.
The Chainalysis Sanctions Oracle “owner” was first funded off Coinbase on March 10, 2022.
A press release about the Chainalysis Sanctions Oracle service was issued the same day and that’s before confirming the address matches their documentation.
So the Chainalysis Sanctions Oracle contract belongs to Chainalysis and they’ve used the same admin address as the “owner” since launch.
The relevant part of the API of the Chainalysis Sanctions Oracle contract is straightforward:
If you don’t want to work through the code, the functions above simply add new addresses to the list of sanctioned addresses, or remove them if they have been removed, and broadcasts these lists from the Chainalysis Sanctions Oracle contract.
So far so good.
Again, as previously discussed, you cannot see usage of smart contracts such as the Chainalysis Sanctions Oracle contract reliably on etherscan.
But usage of the Chainalysis Sanctions Oracle is publicly visible elsewhere, and the Chainalysis Sanctions Oracle is (for better or worse) used heavily:
We aren’t going to talk about which services rely on the Chainalysis Sanctions Oracle here, in part because anyone can do a read-only call to the Chainalysis Sanctions Oracle from their own node and leave no public trace.
But that also means there could be many services which depend on the Chainalysis Sanctions Oracle that you as a user may know absolutely nothing about — that’s the beauty of constantly handing off responsibility and having zero accountability, an elegant want to exploit ignorance.
It’s likely the list of users relying on the Chainalysis Sanctions Oracle is large and not extractable from public data, which is why this public service announcement is (unlike the Chainalysis Sanctions Oracle) timely.
Depends on what you mean by “regularly”?
There are many things in life where something happening “regularly” is not just appreciated, but critical — like going to the bathroom (failing which you may want to see a doctor), or having your trash collected.
And perhaps knowing when a blockchain address has been added to an OFAC sanctions list also qualifies as one of those things you’d like to know about “regularly” enough to avoid inadvertently dealing with someone the US government isn’t going to be pleased about you having transactions with.
Perhaps Chainalysis’ Sanctions Oracle has a different definition of “regularly” because the last time Chainalysis’ Sanctions Oracle made a call (per Etherscan) to update its sanctions list was May 2, 2024, or 92 days ago (so presumably no OFAC sanctions have occurred between then and August 2, 2024):
Except that a blockchain address was sanctioned by OFAC, on May 28, 2024, and as of August 2, 2024, had yet to be updated by the Chainalysis Sanctions Oracle (that’s 66 days!).
But the Chainalysis Sanctions Oracle does update its sanctions list, just maybe not as often or as “regularly” as you would like to believe.
Take for instance 0xed6e0a7e4ac94d976eebfb82ccf777a3c6bad921 (“the 0xed6 Address”), a blockchain address which is correctly listed as sanctioned by the Chainalysis Sanctions Oracle:
Except the date when the 0xed6 Address was updated to the Chainalysis Sanctions Oracle was September 1, 2023, about a week after OFAC sanctioned the address on August 23, 2023:
Interestingly, Chainalysis actually blogged about the 0xed6 Address being sanctioned on the day OFAC sanctioned it, without updating the Chainalysis Sanctions Oracle.
Perhaps the way an oracle works is that it can see all of the things some of the time, or some of the things all of the time, or a random assortment of things, from time to time?
In fact, someone did try to send USDC to the 0xed6 Address between the time it was sanctioned by OFAC to the time it was added to the Chainalysis Sanctions Oracle but fortunately it was blocked by Circle’s blacklisting (looks to be that Circle may not rely on the Chainalysis Sanctions Oracle alone):
But wait, there’s more.
0x5f6c97c6ad7bdd0ae7e0dd4ca33a4ed3fdabd4d7 was another blockchain address sanctioned by OFAC on November 8, 2022, but the Chainalysis Sanctions Oracle only “stumbled upon it” 6 days later on November 14, 2022:
We could go on because after all, the Chainalysis Sanctions Oracle covers a lot of blockchain networks.
Everyone’s a little late sometimes?
The real question is, did anyone relying on the Chainalysis Sanctions Oracle transact with an OFAC-designated blockchain address in the time between it was sanctioned by OFAC and the time it took the Chainalysis Sanctions Oracle to “realize” it?
And if so, who’s liable?
Cutting Some Slack
To be fair, keeping up-to-date with OFAC-sanctioned blockchain addresses on a publicly-available resource is hard, especially because OFAC sometimes publishes non-machine readable documents when removing a blockchain address from the OFAC list.
And a process requiring the manual copying of dates and addresses off a Treasury.gov public statement might have a typo or two, and well, good interns are hard to come by.
Given how OFAC does seem to reliably update its machine-readable list of blockchain addresses, it’s nice to see that AI isn’t taking away all the jobs just yet.
Better late than never right?
