8/12/2022: US Treasury Banned Tornado Cash
Crypto's Money Laundering Machine Can be Banned but Cannot be Blocked.
The Treasury Department has banned all Americans from using the decentralized crypto-mixing service Tornado Cash. So what is Tornado Cash exactly? I have a personal story to tell. I was unfortunately a victim of the Furucombo hack. A hacker was able to transfer tokens from my wallet to theirs by exploiting a vulnerability in Furucombo’s smart contract, which my wallet had interacted with prior to the hack. In a matter of hours, the hacker stole $14M worth of tokens from dozens of victims, swapped all the tokens into ETH and laundered the ETH through Tornado Cash. The incident was reported to the FBI, but so far nothing has been done and I assume the funds are gone forever. According to the Treasury Department, Tornado Cash has reportedly laundered more than $7 billion worth of crypto since 2019.
You can watch the YouTube video above to see how to use Tornado Cash. In summary, you deposit ETH into the Tornado Cash contract and obtain a secret string. You can then redeem the ETH with the secret using another wallet. It’s virtually impossible to link a sender to a recipient when a sufficiently large number of transactions interact with the Tornado Cash contract. Tornado Cash single-handedly enabled the smart contract hack industry, and almost every single hack on the EVM ecosystem uses Tornado Cash to launder the hacked funds. According to the Treasury Department, Tornado Cash has been a key tool for the Lazarus Group, a North Korean hacking group tied to the $625 million March hack of Axie Infinity’s Ronin Network. In other words, North Korea was able to boost its GDP with crypto hacks. $625M is 3.47% of North Korea’s GDP of $18B in 2019!!!
So how does the Treasury Department ban a smart contract exactly? When a smart contract is deployed to the blockchain, it basically runs itself forever on all the blockchain nodes unless the contract deployer puts in some specific mechanism to disable it. As illustrated below, the Tornado Cash contract does not have a mechanism to disable deposits or withdrawals: there are only four functions people can call, and the changeOperator function no longer works because the operator address was set to zero. To enforce the ban, the Treasury Department basically asked all centralized exchanges and stablecoin providers like Circle to block all the wallet addresses that have deposited into, withdrawn from or received funds from Tornado Cash. This means that these sanctioned wallets won’t be able to convert the crypto in their wallets into actual fiat money. Shortly after the announcement, a bunch of wallets that belong to celebrities like Donald Trump or Brian Armstrong started to receive ETH from Tornado Cash and hence are blacklisted. It appears that banning a smart contract is quite complicated. Though that’s precisely the point of decentralization and anti-censorship.
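The blocking rule described above, written out as an added example (not code from the original post or from any exchange), shows why wallets that merely receive ETH from the contract end up on the same list as depositors. The addresses and transfers are constructed placeholders and the function names are hypothetical; `triage` goes one step beyond the text, as an assumption, by separating wallets that signed a transfer into the contract from wallets that only received funds.

```python
from collections import defaultdict

# Constructed placeholder standing in for a sanctioned contract address.
SANCTIONED = {"0xpool_placeholder"}

# Constructed sample transfers (sender, recipient, amount in ETH); not real chain data.
TRANSFERS = [
    ("0xAlice", "0xPOOL_placeholder", 10.0),   # deposit signed by Alice
    ("0xpool_placeholder", "0xBob", 10.0),     # payout to Bob
    ("0xpool_placeholder", "0xCeleb", 0.1),    # unsolicited payout to a public wallet
    ("0xBob", "0xpool_placeholder", 1.0),      # Bob later deposits as well
    ("0xCarol", "0xDave", 3.0),                # unrelated transfer
]


def exposure(transfers, sanctioned):
    """Return {address: {"sent": eth, "received": eth}} for counterparties of sanctioned addresses."""
    sanctioned = {a.lower() for a in sanctioned}  # hex addresses compare case-insensitively
    totals = defaultdict(lambda: {"sent": 0.0, "received": 0.0})
    for sender, recipient, amount in transfers:
        s, r = sender.lower(), recipient.lower()
        if r in sanctioned and s not in sanctioned:
            totals[s]["sent"] += amount
        elif s in sanctioned and r not in sanctioned:
            totals[r]["received"] += amount
    return dict(totals)


def blanket_blocklist(transfers, sanctioned):
    """The rule described above: block every address that touched the contract."""
    return set(exposure(transfers, sanctioned))


def triage(transfers, sanctioned):
    """Split exposed addresses by whether the wallet itself sent funds to the contract."""
    result = {"initiated": set(), "received_only": set()}
    for addr, totals in exposure(transfers, sanctioned).items():
        result["initiated" if totals["sent"] > 0 else "received_only"].add(addr)
    return result


if __name__ == "__main__":
    print(sorted(blanket_blocklist(TRANSFERS, SANCTIONED)))
    print(triage(TRANSFERS, SANCTIONED))
```

Sending funds requires the sending wallet's signature while receiving requires nothing from the recipient, which is why the `received_only` group cannot be told apart from deliberate withdrawals using transfer records alone.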
According to a CoinDesk report this morning, the developer of Tornado Cash has been arrested. It’s true that his invention enabled the multi-billion dollar smart contract hack industry. But one can also say there are certain legitimate use cases for sending crypto around in a privacy-preserving way. He created a powerful tool for decentralized money laundering. But if he is not criminally laundering money himself using Tornado Cash, should he be responsible for all the ill-gotten profits other criminals make using his tool? I don’t know. Even if he wants to take down Tornado Cash, he can’t, because the smart contract has been deployed and it is immutable. Well, people have argued that the lack of accountability is a feature, not a bug, for blockchains. I am very curious to know how the government will respond to this. Now they really know what they have to deal with as the world becomes increasingly decentralized.