14 October 2022

US Treasury OFAC’s Tornado Cash action leaves open questions

After the Office of Foreign Assets Control recently added cryptocurrency mixer Tornado Cash to its Specially Designated Nationals sanctions list, questions remain on the effect this policy decision has on smart contracts and other protocols generally, say Liz Boison and Aleksandar Dukic, Hogan Lovells global regulatory practice partners. They discuss lessons for the decentralized finance industry.

   

The Office of Foreign Assets Control added Tornado Cash to the Specially Designated Nationals list on 8 August, giving rise to several questions about "secondary" sanctions/designation risk, and the effect this policy decision has on smart contracts and other protocols, generally.

More clarity is needed on whether non-U.S. persons would face SDN designation if OFAC were to find that their transacting with Tornado Cash represents "material" support for activities or parties targeted by Executive Order 13694.

We also need to know whether the same logic that OFAC applied here – by designating a protocol rather than an individual or entity – could also be used to disrupt other blockchain or money-movement protocols.

Nonetheless, the action suggests some lessons for the decentralized finance industry.

   

OFAC sanctions smart contract addresses

OFAC based its decision to forbid U.S. persons from transacting with Tornado Cash on Executive Order 13694, which permits sanctions against "persons" responsible for or complicit in cyber-enabled activities that harm the U.S., and those who provide material, financial or technological support for such persons or for targeted activities.

Section 6(a) of the EO defines the term "person" to mean an "individual" or "entity" and defines the term "entity" as a "partnership, association, trust, joint venture, corporation, group, subgroup, or other organization."

Consequently, sanctioned "persons" can include an entity or even a loose confederation such as a group or other organization, for example a decentralized autonomous organization (DAO).

In identifying Tornado Cash, OFAC referred to the service’s former front-end website, tornado.cash, as well as more than 40 Ethereum network wallets. Some of the sanctioned wallets were smart contract addresses, which are computer programs or transaction protocols able to automatically execute transactions or terms of a legally binding contract.

As a mixing or privacy-enhancing service, a Tornado Cash wallet receives cryptocurrency and pools it together with other users' cryptocurrency and permits a user to withdraw the same amount as was deposited, minus a small service fee.

As long as there are other users whose funds are in the pool, the smart contract is mixing, and the longer a user keeps funds in the pool, the more mixed they get. Tornado Cash differs from past mixing services that OFAC has designated on the SDN list or the Department of Justice has prosecuted. Past cases, including mixer.io and Helix, involved services run by a centralized entity or single person.

The developers of Tornado Cash, by contrast, deliberately surrendered the management of the service's wallets via a smart contract update referred to as a Trusted Setup Ceremony, according to a May 2020 blog post.

In this ceremony, the founders ceded control of Tornado Cash, making it a completely decentralized protocol that would be "completely immutable and unstoppable."

   

Scope of those affected is still unclear

The decentralized finance industry has remained puzzled about several issues following OFAC's 6 August designation of Tornado Cash as an SDN.

In addition to wondering who was receiving the service fee charged on Tornado Cash transactions and whether hosted-wallet exchanges ought to be scrutinizing the accounts of users who receive funds from mixers, the crypto community is left wondering which entities or protocols could be next up for regulatory action.

The community also wonders whether OFAC has considered the potential unintended consequences of naming a software protocol to the SDN list, rather than an individual or an entity.

OFAC offered little additional clarity when it issued FAQs on 13 September. It gave some guidance on whether the open-source software code that fuels Tornado Cash may be published for academic and other non-use scenarios, perhaps setting up a time, place, and manner argument in response to a lawsuit filed by a group of plaintiffs claiming First Amendment and other violations.

OFAC also reiterated that any funds received from Tornado Cash by a U.S. person should be segregated into an interest-bearing, blocked account maintained at a U.S. financial institution.

But it did not address whether a transaction to segregate those funds – which would have to be written to the blockchain as a new transaction after passing through the validator layer – could lead to additional legal exposure in the absence of an OFAC general license that would permit such blockchain activity.

Whether non-U.S. persons continuing to use Tornado Cash are potentially subject to sanctions under the executive order themselves is another question.

Recall that Tornado Cash's smart contracts need input from a multiplicity of users so that cryptocurrency placed in a pool has other crypto to mix with before withdrawal.

Accordingly, in light of the broad designation authority set forth in the executive order, OFAC could add to the SDN list even non-U.S. persons who are users of Tornado Cash to the extent that they keep the service functioning.

Finally, the industry has wondered about the logical conclusion of an action against a smart contract such as this. If a smart contract – which after all is just a software protocol that carries out a pre-ordained set of instructions – can be sanctioned, then how can that smart contract exercise the due process right to seek removal from the SDN list?

  

Lessons learned

OFAC's decision to include Tornado Cash, as a protocol but not necessarily as a legal entity, and several of its wallet and smart-contract addresses on the SDN list makes it clear that U.S. regulators appear to be approaching decentralized finance with an "act first, figure out who is accountable later" approach in order to protect U.S. national security and foreign policy interests.

One tactic that attracts negative attention from regulators is when services intentionally place themselves outside of the reach of U.S. regulators, or advertise their service to the public as a regulatory workaround.

This was also a factor in the CFTC’s recent action against Ooki DAO, which touted to its membership that its decentralized structure made it enforcement-proof. 

   

Reproduced with permission. Published [October 11, 2022]. Copyright 2022 The Bureau of National Affairs, Inc. 800-372-1033. For further use, please visit http://www.bna.com/copyright-permission-request/.