Original title: "Huawei incident in the currency circle: From the perspective of US supervision, why Tornado Cash will usher in sanctions and follow-up speculation", "From the perspective of Tornado users to view US sanctions"
text
Original Author: David, Xiang
Regulatory Events:August 8,U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) Announces Sanctions on Encrypted Mixer Tornado Cash
So far, the affected parts are:
Some Ethereum and USDC addresses and USDC assets that interact with Tornado Cash are included in SDN
Some Ethereum and USDC addresses and USDC assets that interact with Tornado Cash are included in SDN
Tornado Cash's Github code base and front-end official website are no longer accessible
Regulatory Background Analysis:
Background 1: The more motivation of this sanctions is that the US officials ensure that the financial sanctions against encryption hackers are effective
The sanctions imposed this time are OFAC, an agency under the U.S. Department of the Treasury that specializes in implementing financial sanctions against overseas institutions or individuals. Its daily work does not directly involve the supervision of the encryption industry, but monitors sensitive overseas capital flows while ensuring that its sanctions can be implemented. OFAC has been active in the US government's sanctions against Iran, North Korea, Russia and even China's Huawei before. It regularly publishes the well-known Special Sanctions List (SDN), where assets of individuals or organizations are frozen and U.S. citizens are generally prohibited from dealing with them.
The sanctions against Tornado Cash follow OFAC's listing of Lazarus as an SDN under North Korea sanctions regulations on April 14. North Korea's hacking program dates back to at least the mid-1990s and has grown into a 6,000-strong cyber warfare force, according to a 2020 U.S. government military report. Lazarus stole nearly $400 million worth of digital assets in at least seven attacks on crypto platforms in 2021, blockchain analysis firm Chainalysis said. In 2022, the organization also launched an attack on Axie Infinity, obtaining 173,600 Ethereum (approximately US$597 million) and USDC worth US$25.5 million, with a total of 625 million assets. This is the largest decentralized hack to date. According to BEOSIN statistics, in the first half of this year, $1.14 billion in stolen assets was transferred to Tornado Cash by hackers, accounting for about 60% of all stolen assets during the same period.
As shown in the figure below, in the "troika" of encryption regulation in the United States, the SEC and CFTC mainly determine the asset attributes (belonging to commodities or securities?), and carry out corresponding supervision on the tokens that they consider to be securities or commodities; while the United States The agencies under the Ministry of Finance are more diversified. The Internal Revenue Service mainly looks at whether encrypted transactions are taxable. FinCEN focuses on money laundering and anti-terrorism in the United States, while OFAC is mainly responsible for implementing financial sanctions against overseas blacklisted institutions or individuals. All three require long-term tracking chains. Online transaction data, analysis and judgment, and precise law enforcement.
Background 2: Encrypted capital flow supervision and penalties have begun to be placed in the same position as traditional capital flow supervisionIn 2021, OFAC published a report on theHandbook on Virtual Currency Sanctions Compliance Guidelines
, indicating that OFAC sanctions compliance obligations also apply to holders of virtual assets involving US citizens.
If a U.S. person believes that it holds sanctioned encrypted assets, it must report to OFAC within ten working days.
Members of the cryptoasset industry have a responsibility to ensure that they do not engage, directly or indirectly, in transactions prohibited by OFAC sanctions, such as dealing with sanctioned persons or property, or engaging in prohibited trade or investment-related transactions. OFAC has the authority to impose civil OFAC sanctions requirements for failure to comply.
Background 3: Penalties for privacy-enhancing technologies in encrypted transactions have already occurred many times, and the regulation of privacy technologies is expected to continue
A growing trend is for criminals to use privacy-enhancing technologies, or operate on opaque blockchains. These privacy-enhancing assets or business services (mixers) help criminals conceal the movement and origin of funds.
Privacy-enhancing technologies pose challenges for investigators trying to track illicit proceeds. OFAC has pointed out that Monero adopts:
Ring signature technology, used to hide the identity of the transaction initiator;
Ring secrecy technology is used to conceal the transaction amount;
At the same time, these transactions are not broadcast to the Monero blockchain, but are covered with one-time generated addresses.
For example,
For example,
At the end of 2020, FinCEN fined Larry Harmon, the founder of the mixer Helix, $60 million on the grounds that he was not legally registered and participated in assisting the conversion of dark web drug-related funds into cryptocurrencies.
In late 2021, OFAC, in cooperation with the FBI, announced restrictions on a crypto exchange called SUEX, saying it was intentionally "facilitating illegal activities" and saying it would strengthen oversight of mixers.Blender.ioIn May, OFAC slapped another cryptocurrency mixing service
In fact, TORNADO.CASH tweeted in April this year that it would use Chainanalysis’s oracle protocol to prevent addresses sanctioned by OFAC from accessing the platform. But Roman Semenov, co-founder of Tornado Cash, once said in an interview that imposing sanctions on decentralized protocols is "technically impossible" because of the way decentralized protocols are designed. Because Tornado itself uses smart contract deployment + zero-knowledge proof technology. Even though Github is blocked, smart contracts still run on Ethereum, and the contract code itself is public on the Ethereum browser.
summary:
summary:
OFAC is not ignorant of the uncontrollable technical background of decentralized smart contracts at some levels, but combined with OFAC's law enforcement requirements and the current damage to the encryption ecosystem caused by Lazarus, I am afraid that taking relatively extreme measures is a last resort. The follow-up impact on the privacy track still needs to be continuously observed.
secondary title
From the perspective of Tornado users on the US sanctions
Tornado is known as the most severe sanctions in history, very serious. But as one of the Tornado users, being blocked doesn't seem to have that much impact on the individual.
Parts that have been found to be limited so far:
Sanctions on Ethereum addresses partially connected to or related to the Tornado Cash protocol
USDC Issuer Circle Has Blacklisted Addresses From US Sanctions List
Github delists Toranado's codebase
Toranado front-end official website is banned
The reason why the experience feels little affected:
Although it was sanctioned by the United States, it did not affect everyone's use, mainly because Tornado itself uses smart contract deployment + zero-knowledge proof technology. Even though Github is blocked, smart contracts still run on Ethereum, and the contract code itself is public on the Ethereum browser.
Access to the front end is prohibited, and those who understand technology can call it directly through the smart contract interface. Those who don't know the technology can also access it through IPNS or directly through the CID of IPFS. IPFS is a P2P network, which is basically endlessly blocked.https://bafybeicu2anhh7cxbeeakzqjfy3pisok2nakyiemm3jxd66ng35ib6y5ri.ipfs.dweb.link/
Attach a CID link:
Users can use the above link to continue to visit the Toranado page and interact. The link is converted to the http protocol through the gateway, so it can be opened and used with any browser, and there is also a direct access method based on the ipfs protocol.
Example: ipfs://bafybeicu2anhh7cxbeeakzqjfy3pisok2nakyiemm3jxd66ng35ib6y5ri/
The premise is to use a browser that supports IPFS resolution, such as Brave, Opera, etc.https://docs.tornado.cash/It's worth mentioning that the Toranado documentation page (
) has not been blocked so far, and the tutorials on how to use Toranado interaction and its principles are still there.
Moreover, Tornado only needs to prove that it can be withdrawn from any address. For example, a brand new address does not have any interactive address. As long as the withdrawal is ETH, the address can still be used normally with any contract. This is why various Most of the initial funds for hacking and flash loan attacks were withdrawn from Tornado.
There are mainly 3 categories affected:
Addresses added to the sanctions list by the United States will be prohibited from interacting with the United States, but this will not affect the use of the funds on the Ethereum chain.
The addresses that have been added to the blacklist by Circle, the USDC issuer, may no longer be used normally because USDC is centrally controlled.
Ordinary users who don't know much about technology may give up using the official website if they can't open it.
Finally, the reflection on Web3 caused by the Tornado incident, how to avoid being sanctioned by a certain authority:
Web3 needs a decentralized code hosting platform (to avoid Github being blocked)
Web3 needs a more decentralized stablecoin (USDC is easily controlled by sanctions due to centralization)
More IPFS needs to be adopted. After decentralizing the back-end like smart contracts, the decentralized front-end still needs to be popularized (to avoid the front-end being blocked)
The popularity of decentralized domain names as the front-end access portal for accessing the centralization
