Privacy and Cryptocurrency, Part IV: Stablecoins— Blacklists and Traceability
This is the fourth part in an article series by the Human Rights Foundation (HRF) on privacy and cryptocurrency, funded by the Zcash Foundation. To read about the purpose of this article series, see our introductory piece “Privacy and Cryptocurrency, Part I: How Private is Bitcoin?”. The last part in the series will explore private methods for acquiring cryptocurrency and stablecoins in different areas of the world. This series is written by Eric Wall, Privacy Technology Fellow at the HRF.
When promoting cryptocurrencies such as bitcoin for economic freedom around the world, a question is often brought up. Given the volatility of cryptocurrencies, doesn’t it make more sense to use a “stablecoin” instead whose value is pegged to the U.S dollar?
Indeed, the usage of such stablecoins are on the rise. Notably, recent examples of use cases seem to have escaped the interlinked, incestuous circles of cryptocurrency exchanges to also include remittances and capital control evasion, indicating that stablecoins may be ready for a new kind of primetime in the global economy.
However, pitting stablecoins and cryptocurrencies against each other is quite unnecessary; there’s no reason that one must exclude the other. Mariano Conti is an Argentinian who has been receiving his salary in the dollar-pegged stablecoin Dai since 2018, while converting what he can save into the cryptocurrency ether. Cryptocurrencies and stablecoins are tools in a toolbox; anyone can learn and judge for themselves how to best apply the tools available for their own respective needs.
The goal of this article is to make sure that the reader has enough information about the risks associated with these assets so that they can make conscious and responsible decisions. Further, we investigate the privacy landscape these stablecoins operate in to assess their suitability for humanitarian endeavours: what type of traces do we leave when we use stablecoins and how can corporations and governments track us when we use them?
The demand for dollars
Let us first spend a moment to understanding the role stablecoins could serve. The Argentinian peso has lost around 40% of its value compared to the dollar this year to date. It lost 17.6% during one week in August alone. Distressing the situation further, the country has been subject to increasingly tightening capital controls — monthly U.S. dollar spending limits were recently reduced to just $200 per person — and foreign salaries must be converted into pesos within a maximum of 5 days. In effect, Argentinians are currently being forced by their government to hold on to a currency that is rapidly losing its value.
Meanwhile, bitcoin has risen around 150% versus the dollar so far in 2019, and 300% versus the peso. However, such gains come at the price of volatility — bitcoin is considerably more volatile than both the dollar and the peso. Bitcoin’s single-week biggest loss this year so far is -20%. For ether, it’s -26%, and for privacy coins it ranges between -24% and -34%. Such is inescapably the nature of emerging cryptocurrencies.
Despite the fact that the U.S. dollar has lost 93% of its value during the last 100 years, there are currently not many assets that can compete against it in the search for stability in the short- to medium-term. Cryptocurrencies like bitcoin are winning ground within the hearts of many who understand the problems of centrally-issued fiat currencies to be fundamental in nature, but owing to the demand for stability, the dollar is still highest on people’s lists of preferences throughout the countries of Latin America and beyond.
Agreeably, the dollar doesn’t challenge the world order. It doesn’t break the global dollar hegemony, it doesn’t provide humanity with an exit strategy against the fiat money printing presses, and it doesn’t come in any flavor that is immune to being confiscated against your will. But it does give you stability. Stablecoins (at least some of them) democratize access to that stability.
Most digital dollars exist as entries in central databases, where your access to them as a user is at the mercy of the system owners. To provide you with this service, the system owners will almost always demand that you provide identifying information. Examples of such systems include banks, PayPal, Wechat Pay, Venmo, and Skrill. These operator in turn fall under the regulatory purview of the jurisdictions they operate in. As such, they provide little to no help in regions where usage of the dollar is not permitted or blocked by sanctions.
Stablecoins, by virtue of existing on cryptocurrency ledgers, are — perhaps to some amount of surprise — different. The entire purpose of cryptocurrency ledgers is to be without central system owners. As such, these coins can to varying extent slip through the cracks and into the hands of people who can use them without the blessing of their government. Because cryptocurrency ledgers do not typically embed the notion of people’s real-world identities in them, stablecoins can often be held by completely unknown users.
Before getting further into this topic, it’s good to recognize that stablecoin designs come in a wide variety of flavors and configurations:
For the purpose of this article, we’re going to focus on the two primary categories of stablecoins currently in circulation:
$5.5 billion in circulation: The first and largest category of stablecoins (in purple color) are of the simplest design possible. An issuer custodies U.S. dollars using the traditional banking system, and for each dollar in deposit, they mint a redeemedable token (stablecoin) on a cryptocurrency ledger, for example, ontop of Bitcoin or Ethereum.
$103 million in circulation: The second category (in strawberry color), Dai, is more complex. It custodies the cryptocurrency ether (and from Nov 18 and onwards, it will include also other collateral types), and achieves its $1 price peg using an experimental financial design operating as a smart contract on Ethereum.
An optimistic perspective
Interestingly, stablecoins from both categories can be held pseudonymously using nothing but public-private cryptographic key-pairs. This means you can receive them from anywhere in the world and hoard them without owning a bank account or even a passport.
It also means that they can’t easily be taken from you. Similarly to when you acquire cryptocurrency, there won’t necessarily (depending on your acquisition method) be a record anywhere that proves that you are the owner of these stablecoins, and a government official or a thief who searches your house won’t necessarily find anything. Just like with cryptocurrencies, all you need to restore access to your stablecoins is a private key, which can be produced from scratch using 12 easily-memorizable words.
A pessimistic perspective
To understand stablecoins, as opposed to keeping physical U.S. dollars in the mattress, there are three major concerns one needs to bear in mind:
- Stablecoins have specific risks to them which could render them worthless, or at least make them lose a significant portion of their value, in ways that couldn’t happen to physical currency.
- Stablecoin acceptance as a means of payment is currently extremely limited in all areas of the world. You will have to exchange your stablecoins for domestic currency before you can spend them (alternatively, exchange the stablecoins for a cryptocurrency like bitcoin first).
- Like on any cryptocurrency ledger, you might be leaving traces that reveal information of your stablecoin use; how much of it you own, how much you’ve transferred in the past and who’ve you’ve been transacting with.
Stablecoins are subject to a flurry of different gotchas, risks and caveats. There are a number of ways in which you could lose access to them or ways in which they could lose their value. Below is a cheat sheet which provides a rough overview of how these stablecoins vary from each other.
While each of these tokens are rather successfully trading at around $1 today, it’s important to understand which types of risks there are that could undermine that property.
Risks that may render USDT, USDC, TUSD, PAX, and BUSD worthless
In order to remain compliant with regulators, many stablecoin issuers have introduced blacklists so that they can freeze the stablecoins held at specific addresses. This ability is also particular useful in the case of hacks, but it means that the trust we must place in the issuer to not act maliciously is that much greater. Examples:
A stablecoin from a single issuer may exist on multiple different blockchains, and their properties are not always uniform across different variants (although almost all dollar-backed stablecoins today implement some freeze functionality). Tether’s USDT, for instance, is available on 5 different blockchains:
Even USDT on Bitcoin can be frozen by Tether, as this functionality was added into the Omni Core v0.3.0 release on Dec 11, 2017 (tokenization layer on Bitcoin), after Tether nearly lost $30 million from a hack.
It’s possible to inspect the source code of many of the different stablecoin contracts, but not all:
We’ve located the contracts for the each of the mentioned dollar-pegged stablecoins here:
USDT-Bitcoin (issuer can freeze: yes, contract open source: yes)
USDT-Ethereum (issuer can freeze: yes: open source: yes)
USDT-EOS (issuer can freeze: yes, open source: no)
USDT-Tron (issuer can freeze: yes, open source: no)
USDT-Liquid (issuer can freeze: no, open source: yes)
USDC-Ethereum (issuer can freeze: yes, open source: yes)
PAX-Ethereum (issuer can freeze: yes, open source: yes)
TUSD-Ethereum (issuer can freeze: yes, open source: yes)
TUSD-Binance (issuer can freeze: yes, open source: no)
BUSD-Ethereum (issuer can freeze: yes, open source: yes)
Note: With open source, we mean whether the full blockchain and smart contract logic that controls the stablecoins are inspectable. For many smart contract platforms, this is contingent on whether the contract creator has willingly uploaded the human-readable contracts used to compile the smart contract bytecode.
It’s good to know which technical capabilities the issuers have over their stablecoins, but it’s also important to understand how often they exercise that power. With a bit of blockchain “archaeology”, we can explore the event histories for these coins. We discover that while blacklist functionality exists for most stablecoins, we can only find it having been used on USDT for 16 different addresses.
We don’t know the exact reason why these funds were frozen, however, it’s somewhat telling that many freezes occurred shortly after an exchange withdrawal occurred, implying that many were the responses to users of cryptocurrency exchanges getting hacked.
List of frozen addresses for USDT-Bitcoin:16tg2RJuEPtZooy18Wxn2me2RhUdC94N7r $30,950,000
13TASu2eYYRn9PfrMZyfwBJFryoV2oqj7m $3,100,000Total USDT frozen on Bitcoin: $39,404,629
List of frozen addresses for USDT-Ethereum:0xb7944bfe170986fd6230b4c18bc7072cb485686e (freeze) $250,000
0x20d99ca2c88b20e34f5d7f7e5fdc61c9181c6732 (freeze) $301.9
0x0763fa09cc7d60e734c670d327d11b3a8a3f7776 (freeze) $1
0xf192f9cd28aa0e268eed28078a432dd4abfe8269 (freeze) $19,556.8
0xda66146ec41690ed8392869b0238dae5774f2314 (freeze) $14,077.5
0xbdaf3e422d2cfa10f34c59f7151dd31499a426b5 (freeze) $1,670,001
0x8faff11fde21191e7fd50806dcbcdd49265d51a0 (freeze) $4,750
0x008fe40574e881e7247b50b991c0cc057d66647f (freeze) $467.9
0x9faf5515f177f3a8a845d48c19032b33cc54c09c (freeze)(unfreeze)Total USDT frozen on Ethereum: $1,959,156.1Total USDT frozen: $41,363,785.1
We can’t state anything for certain about whether USDT-Tron, USDT-EOS or TUSD-Binance have ever been frozen since these stablecoin variants are not fully open-sourced. We also note that USDT on Liquid (Blockstream’s federated sidechain to Bitcoin) sticks out here, as Tether has not configured any blacklisting capabilities for this variant.
It’s good to take into account, however, that an asset is only as unfreezeable as its underlying ledger. While Tether may not be able to freeze the USDT circulating on Liquid, it currently only takes the ill-will of five companies (⅓ of the Liquid blockchain operators) for an asset to be frozen.
The second threat which should be of concern to when you hold these stablecoins (USDT, USDC, TUSD, PAX, BUSD) comes from the fact that you need to trust the issuer to back these tokens 1:1. An illustrative example of how this could go wrong is the history of Tether (USDT).
In a unfortunate series of events, roughly $850 million of Tether’s real-world dollars were frozen in a debacle involving their Panamanian payment processing firm Crypto Capital Corp. whom to this day still has not been able to reclaim them from the authorities. For a considerable amount of time there were 1.35 circulating USDT for every dollar Tether actually had in reserves. While this was happening, before it was known by the broader public, Tether changed their terms of the backing to include also the debt they were owed by Crypto Capital.
That’s just one example of what could go wrong. Stablecoins occupy a market segment that regulators aren’t quite sure with how to deal with yet. There’s always a risk that the stablecoin issuer embezzles the assets, has their assets seized, or has their underlying bank partner fail.
“We’re not criminals, but now we have to learn to bank like criminals.”
- Giancarlo Devasini, Bitfinex CFO and Tether shareholder
Further, as Bob McElrath argues in “On The (In)Stability of Stablecoins”:
Financial firms don’t like large amounts of capital sitting on their balance sheet, often called “trapped capital”, since it is perceived that this capital could be more productive if loaned out.
To squash some of these qualms, nearly all major stablecoin issuers (with the unsurprising exception of Tether) have contracted top accounting firms to produce monthly attestations of their reserves (see attestations: USDC, PAX, TUSD, BUSD).
Note: Redeeming stablecoins for dollars in the traditional banking system requires you to identify yourself and pass KYC/AML procedures, however, redemption is typically avoided by exchanging stablecoins for other goods, fiat currency, or cryptocurrency at their face value.
Risks that may render Dai worthless
The Dai stablecoin is a product of the Ethereum smart contract system MakerDAO. What’s special about Dai is that it doesn’t strictly rely on a 1:1 backing of underlying dollars in a bank somewhere (from Nov 18 it custodies multiple different asset types, mainly the cryptocurrency ether) and there’s no blacklist that can restrict its movements.
Instead, Dai is kept stable ($1 per token) through a series of relatively complex — albeit technically transparent — moving components that interact with each other. These components include:
- A leveraged loan mechanism, called “vaults”, which allows users to deposit a collateral type (e.g. ether (ETH)) and mint Dai to themselves
- A network of 14 price oracles
- A second token called MKR used for manual voting on certain system parameters such as interest rates
- An automated liquidation and auctioning mechanism
- Emergency oracles that can trigger emergency shutdown
For the purpose of this article, you don’t need to understand exactly how the Dai system works, you only need to be aware of the ways in which it could fail. For a short and concise explainer of the system, see the “Leveraged loans” section (p. 10) from ”A Classification of Stablecoin Designs” .
The main points of concern for Dai stability are the following:
- The economic model: maintaining the $1 peg regardless of the value fluctuations of the value of the collateral
- Technical failures: software flaws and bugs at the protocol level
- Governance quality: corruption of oracles or MKR holders
The economic model
The economic model is new and experimental, but appears to have been working rather well even under significant pressure in the past. It can theoretically tolerate flash crashes up to 33% of the value of its collateral, and has proven to be able to withstand price collapses of 90% over longer time frames.
All blockchain assets carry some inescapable technical risk from the software, and complex smart contract systems such as MakerDAO are exceptionally susceptible to this risk. A simple multi-signature wallet error on Ethereum led to the loss of 306,276 ether (~$90 million at the time) for Ethereum co-founder Gavin Wood’s project Polkadot.
The MakerDAO software has undergone a software audit by security firm Trail of Bits, with no medium or high severity issues found (link).
The value of Dai ultimately rests in the hands of the governing system MakerDAO, involving the MKR token holders, the oracles they elect, and the incentives at play. While MakerDAO has been rather thoughtfully conceived, it is difficult to reason about how well it would perform under various threats. The distribution of MKR play a significant role in this, and there’s been indications of it not being that great (source: 1, 2).
Systems based on voting are generally exposed to a multitude of known attack vectors, e.g. voting coercion. Blockchain-based voting systems carry additional problems, since they can enable advanced vote buying and bribery schemes, also known as Dark DAOs. The extent to which such schemes may threaten MakerDAO in the future is unknown.
Dai transitioned from a single-collateral-based model to a multi-collateral-based model on November 18, 2019. We don’t know yet which collateral types will be included in this version of Dai moving forward. Centralized asset-backed tokens, for example, would introduce the risks inherent to those assets in the Dai system. In general, it is important to understand that Dai is not a static thing, but something where the underlying assurances are in a state of morphing.
During the transition from single-collateral to multi-collateral Dai, holders of the old Dai will need to transfer them to the new contract within a migration window, or eventually be refunded with a portion of cryptocurrency (ETH) after the window closes. The development effort of this system is being undertaken and funded by the Maker Foundation, which in conjunction with the Cayman-based Maker Ecosystem Growth Group (MEGG) and Maker Ecosystem Growth Foundation (MEGF) operate under non-negligible legal risk. These points are something to keep in mind when hoarding Dai as if it were cash in the mattress.
Stablecoins and Privacy
An often overlooked dilemma with stablecoins in the context of evading national monetary controls is that it’s not going to work at scale if it’s trivial for nation states to surveil the activities occurring in the cryptocurrency ledger. If dollar usage is restricted by law, and stablecoins are used to circumvent that law, governments will equip themselves with the necessary tools to track and punish the offenders.
“The Venezuelan government has been very selective about how they police the Internet, so a lot of people think they can use it freely.”
- Alejandro Machado, the Open Money Initiative
An increasing number of ledgers are, however, being surveilled by blockchain analysis firms such as Chainalysis, who licenses their tools to various government’s law enforcement units.
The coins Chainalysis covers today represent 90% of all cryptocurrency trading volume in aggregate. It can be expected that any ledger or stablecoin that attracts non-negligible usage will eventually attract surveillance companies too, if surveillance there is possible.
But Chainalysis is only one part of the privacy puzzle to be solved in order to asses one’s privacy prospects when using a stablecoin. The second part is to consider the privacy functionality and tooling available, and to which extent it can protect against the type of analysis that surveillers are likely to be capable of doing.
Sadly, privacy tooling for stablecoins appears to be extremely lackluster, while Chainalysis’ offering on the other hand is rather advanced (sources: 1, 2). Unfortunately, getting around that fact isn’t necessarily solved by just using a stablecoin that isn’t yet being surveilled by blockchain analysis companies, since many of the same tracing techniques can still be performed by an adversary just using some basic tinkering.
Further, because the traces we leave on blockchains are permanent, our activities can often be mapped retroactively, so privacy tooling really is critical from the get-go.
Summarizing the comparison above, we identify three primary “buckets” one could choose from, with different advantages:
USDT on Liquid
✗ Monthly attestations
✓ Privacy tooling
USDT on Liquid seems like an unlikely contender seeing as it’s from the trouble-ridden issuer Tether, with no regular attestations of reserves to show for it, and on a permissioned sidechain. It is, however, the only stablecoin from our list except Dai that can’t currently be frozen, and the only one with decent privacy tooling. Liquid‘s’ Confidential Transactions feature hides which type of assets are being transferred to outside observers along with the amounts transferred in each transaction.
There’s also a swap tool that allows for trust-minimized exchanges of USDT for tokenized BTC (L-BTC) without the need for in-person meetups, which leave just a small on-chain footprint (example of a USDT <> L-BTC swap in a block explorer).
Liquid can be accessed via the mobile wallet Blockstream Green which can connect to the Liquid network over Tor via Green’s servers, or via your own full node (which can be configured to run on Tor by setting proxy=127.0.0.1:9050 in the config). The mobile wallet currently comes with a specific 2FA scheme though, that shares some information with Green servers regardless if you use your own full node or not:
"The only information available to Green servers is the list of the confidential outputs you own. These outputs are served to your wallet, and only the client on your device is able to unblind these outputs and to compute the total balances of your assets, or to create transactions."
Liquid’s Confidential Transactions have one major privacy flaw, which is that while amounts and asset types are hidden, the transaction graph is not hidden (see Part I: How Private is Bitcoin?). This means that it is possible for analyses to at least try to map out who is transacting with whom. If an adversary is able to connect your identity to one transaction, it could be possible using the blockchain history to possibly connect it to your other transactions (e.g. via address reuse or the common-input-ownership-heuristic), including other users, even if the transacted amounts and asset types remain hidden.
The 2FA information leak in Green exacerbates that problem, as it ties all your transactions to each other (although these links are only shared with Green). Removal of the 2FA requirement is on the Green roadmap. Until then, one can use a Liquid full node without Green, although classical transaction graph analysis will still be possible even then.
On the horizon
- CoinJoin-wallets for Liquid (which are designed to break transaction graph heuristics) are rumored to be a work-in-progress
- Lightning Network support for Liquid tokens like USDT, enabling the privacy benefits on Lightning
DAI on Ethereum
✓ No attestations needed
✗ Privacy tooling
As mentioned, although Dai does come with elevated risks in some areas due to its experimental design, it also comes with several interesting advantages in other areas. But one of the largest problem with Dai, as it currently stands, is that has very little to offer in terms of privacy. Ethereum’s account-based design encourages address reuse, which means that most Ethereum users will connect all their transactions (including Dai) to a single identifiable address on a public ledger. This is a goldmine for a company like Chainalysis, which offers support for many of the tokens on Ethereum, including Dai.
That doesn’t mean that it’s necessarily impossible to use Dai (or any other stablecoin mentioned in this article) without revealing your identity if you’re a bit careful. Consider the following setup:
- You have an employer who pays you in Dai
- You generate a new Ethereum address to receive the Dai
Because of the pseudonymous nature of blockchains, if this is all that happens, it’s not going to be possible for an outside observer to look at the blockchain alone and know that you own any number of Dai. They’ll just see a transaction from your (possibly deanonymized) employer sending a transaction to some account. To obfuscate this further, you can ask your employer to send each payment to a new address each time.
The privacy considerations of pseudonymous stablecoins only starts to break down once you link your addresses to more types of activities, such as purchasing them from a centralized service who knows who you are, or from a decentralized exchange using previously-tainted personal funds, and when you’re the one creating transactions.
On the horizon
Here’s a short list of technologies that are being developed, which, if finished with support for Dai, could help alleviate many of Dai’s privacy concerns:
- AZTEC protocol — zero-knowledge privacy system for Ethereum
- Tornado.cash — a non-custodial mixing service on Ethereum
- Meson — a mix network for network-layer privacy Ethereum
- ZkDai — Private DAI transactions on Ethereum using zk-SNARKs
USDC/TUSD/PAX/BUSD on Ethereum
✓ Monthly attestations
✗ Privacy tooling
Each of these stablecoins are issued with inspectable smart contract code published from a centralized issuer with monthly attestations of their real-world U.S. dollar reserves. The stablecoins follow the ERC-20 standard, which makes them identical to Dai above in terms of their privacy attributes.
A general note on privacy:
Remaining perfectly private while you’re on the Internet is extremely difficult. There are many ways in which a sophisticated adversary could still be able to track your activities, and it matters a great deal how omniscient we assume our adversary to be.
Perhaps you search for your addresses in a blockchain explorer from your home IP address at one point — now the web admin can potentially tie your IP to that address. Perhaps you post your stablecoin addresses into Slack and Evernote — now Slack and Evernote can tie you to those addresses. Perhaps you download a wallet on your smart phone — now Google/Apple and your Telecom operator could learn that you’re using that wallet.
Blockchain privacy techniques can really only help to obscure transaction information and the links between them. For a more wholistic understanding of online privacy, see e.g. A Modest Privacy Protection Proposal by Jameson Lopp.
Other emerging stablecoin projects on HRF’s radar:
- xUSD — an algorithmic stablecoin pegged to the U.S. dollar on its own Monero-based blockchain called Haven
- CUSD — 1:1 U.S. dollar-backed private Ethereum stablecoin using the AZTEC protocol
Special thanks to Matt Odell for his thoughts and feedback to this article.
*The essays in this series will form the basis for a report to be published by Coin Center, the leading cryptocurrency policy research and advocacy group based in Washington, DC.
**The Zcash Foundation contributed funding for the project. The Zcash Foundation exists to build and support tools that enable privacy and autonomy, particularly with respect to people’s transactions and financial information. Privacy is important for numerous reasons — personal, medical, political, and more. For this reason, Zcash pioneers the use of zk-SNARKs, a novel form of zero-knowledge cryptography with strong privacy guarantees. Ultimately, the Zcash Foundation’s impact will come from serving the needs and workflows of real people, including those from many backgrounds and locations.