A little privacy, please.
Tornado Cash, a coin mixing tool for the Ethereum blockchain, said today that it uses a tool from blockchain tracking firm Chainalysis to prevent addresses sanctioned by the U.S. government from using the privacy app.
"Maintaining financial privacy is essential to preserving our freedom, however, it should not come at the cost of non-compliance," the firm wrote.
Tornado Cash works by "breaking the on-chain link between source and destination addresses." Deposits go into a smart contract, where they are mixed around with other deposits, and then can be withdrawn by a new address. In short, it's more private.
Tornado Cash uses @chainalysis oracle contract to block OFAC sanctioned addresses from accessing the dapp.
Maintaining financial privacy is essential to preserving our freedom, however, it should not come at the cost of non-compliance.https://t.co/tzZe7bVjZt— 🌪️ Tornado.cash 🌪️ (@TornadoCash) April 15, 2022
Though the announcement is from today, the policy may not be new. CoinDesk reported back in January—before the Russian invasion of Ukraine sent sanctions into high gear—that Tornado Cash was complying with the Office of Foreign Assets Controls, which has a blacklist of crypto wallets from suspected terrorists, criminals, and individuals linked to certain authoritarian governments.
To understand how the whole process works, imagine a club that you want to get into. Let's call it…"Tornado." To comply with a government mandate prohibiting anyone underage from accessing clubs, it puts a bouncer at the door and searches IDs—blocking anyone under 21 from entering. What it doesn't do is change anything about the club itself. The club, in blockchain parlance, is immutable.
The Chainalysis oracle in this case is the bouncer. It's a smart contract that works on Ethereum and several other networks—including BNB Smart Chain, Avalanche, and sidechain and layer-two networks such as Polygon and Optimism. It essentially is a piece of code that scans a cryptocurrency address and determines if it's the subject of sanctions from the U.S. or other governments. If so, that wallet is blocked from entering.
The Chainalysis API, which pulls straight from government notices, saves Tornado Cash and other decentralized apps the hassle of trying to maintain compliance on their own. As long as that ETH address is on the OFAC sanctions list, any protocol using that service won’t process their transactions.
But—just like an 18-year-old can buy a fake ID, sanctioned users can make another wallet. Alternatively, they can go to a club, er, service that doesn't use Chainalysis' API to process transactions from non-sanctioned addresses.
At first blush, this is something of an about-face for Tornado Cash. The mixer contributed to the moral panic in March over whether cryptocurrencies—and, in particular, decentralized protocols designed to run without an intermediary—were helping Russia avert sanctions.
Bloomberg quoted the firm as saying that enforcing sanctions against it and other decentralized protocols was "technically impossible." The site quoted co-founder Roman Semenov saying developers didn't have more access to the protocol than other users: "There's not much we can do." Semenov, however, claimed that the subject of sanctions had not come up during the interview.
Tornado Cash declined to speak to Decrypt for this article, saying in response to an inquiry that it "does not answer to journalists and writers since the Bloomberg incident.”
Stacy Elliott contributed reporting for this article.