The U.S. Department of the Treasury’s sanction of Tornado Cash on Aug. 8 was a remarkable development. It wasn’t just the sweeping scope of the action. Pulling the plug on an entire crypto platform isn’t something you see every day. It was the fact that the authorities blacklisted a piece of code — not a person or a corporate entity.
This is just the latest event demonstrating the long reach of regulators, even in the decentralized precincts of the internet.
We at Swarm, a decentralized exchange based in Berlin, agree with other leaders in crypto that sanctioning Tornado Cash is unconstitutional and a startling act of overreach from regulators.
In a 1996 case, “Bernstein v. U.S.,” a U.S. federal court established “source code as speech,” which means it’s protected by the First Amendment of the U.S. Constitution. It is the leading case that applies this hallowed standard to encryption issues.
The U.S. Ninth Circuit Court of Appeals ruled that government regulations preventing the publication of code were unlawful. So we would argue that the Office of Foreign Assets Control (OFAC) disregarded this precedent by clamping down on Tornado’s code.
There are multiple layers to unpack here.
The authorities said Tornado laundered $7B worth of cryptocurrencies since its inception. That’s why they placed Tornado on OFAC’s sanctions list. According to Elliptic, approximately $1.5B of those tokens were laundered proceeds from criminal activity.
Mixing services can be a legitimate part of cybersecurity architecture. In TradFi, we use privacy tools to hide the balances in our current accounts. Similarly, legal privacy mechanisms are necessary for the development of DeFi.
Privacy is a fundamental right in almost every nation, enshrined in a constitution, statute or rule. Even though bad actors may use code unlawfully, the code itself is not inherently unlawful. Tornado Cash differs from other mixing services because it is decentralized, operating via smart contracts. As a result, it’s difficult to control who uses it.
GitHub took action less than 24 hours after the Tornado sanction by removing the mixer’s code, which it previously hosted, from its platform. The move can be seen as more symbolic than anything, as the code is still available on the Ethereum blockchain and could be copied to create an identical service.
According to the U.S. Treasury, Tornado Cash flouted an array of financial regulations, including links to nefarious hacker groups in North Korea. But while the service was outlawed in the U.S. by the Treasury Department, the Dutch authorities tracked down one of the developers.
The arrest of Alexey Pertsev, who is allegedly involved with Tornado Cash, raises even thornier questions for DeFi platforms. That Pertsev, who has not been charged with a crime, may potentially be held criminally liable for writing code is striking. Under freedom of speech — aka code — Pertsev’s arrest would not hold up in a European court of law.
Permissionless decentralized protocols do not have adequate architecture to react to the Tornado Cash sanctions. As a result, such protocols are being forced to inadvertently penalize law-abiding users and block them from their services.
Third-party APIs used to determine whether a wallet should be blocked are too simple. They only return a true or false result on whether a wallet has interacted with a Tornado Cash address. Consequently, users who are actually victims of hacks, whose coins were sent to Tornado Cash to hide the illicitly gained funds, are being grouped with bad actors and blocked by DeFi platforms. Bans are being implemented in the user interface (UI) because the backend infrastructure has not been appropriately built.
Because they fail to properly identify users, protocols have limited information on which to judge whether a wallet address should be considered blacklisted or ‘tainted’, and their smart contracts are not designed to block users. Any such interpretation of a wallet or user, regardless of the degree of separation between them and Tornado Cash, can have serious repercussions in the future.
Adding identification layers to permissionless infrastructure benefits positive screening as much as it keeps harmful players out. When appropriate, it provides clarity on who is participating in transactions, revealing their right to do so to relevant authorities and market participants. That being said, it should not lead to a blanket banning of privacy tools and permissionless structures. Nor should authorities have carte blanche on access to user information.
DeFi infrastructure must be built along regulatory lines. As long as people need to convert back to fiat currency, sanctions like these are an effective way for lawmakers to control the development and spread of DeFi. Some crypto ventures, including Swarm, have been built by being fully compliant from day one, applying know-your-customer (KYC) and anti-money laundering (AML) checks to all counterparties wishing to use their contracts.
Regulatory enforcement — on a global level — is becoming a reality for the DeFi space. There is a clear global, coordinated approach developing. Robust, transparent architecture is key to providing a trustworthy and safe platform for users and investors.
Regulatory approval will serve to give confidence back to the DeFi sector at a critical time in its progression. Institutional players continue to adopt, invest and include DeFi in their future planning, but the transition toward that unified future will only proceed once the sector engages with regulation in a positive way.