Tornado Cash Is One Step Away from Full Censorship (and a Solution)

When Roman Semenov, Alexey Pertsev, and Roman Storm decided to launch a cryptocurrency mixer on Ethereum in 2019, they probably didn’t think they’d have legal issues with it. After all, a cryptocurrency mixer (Tornado Cash, in this case) is just another piece of software, and writing code isn’t established to be illegal. What others do with that code, well, that’s a very different story. And there lies the controversy.

Just as a reminder, what a cryptocurrency mixer or tumbler does is obscure the public transaction trail by mixing the involved coins with others, making it difficult to trace the origin or destination of the funds. In the specific case of Tornado Cash (TC), those transactions must be made in ether (ETH) or any ERC-20 token on Ethereum. Users deposit their funds, wait for a while for the mixing, and then withdraw using a new address and a ‘ticket’ or ‘note’ received at the beginning.

The system achieves privacy by severing the on-chain connection between deposit and withdrawal addresses. Utilizing a smart contract and zero-knowledge proofs (based on pretty advanced math), it enables withdrawals to different addresses from those used for deposits. Additionally, relayers can be employed to withdraw to addresses with no prior ETH balance, ensuring greater anonymity.

Tornado Cash is a privacy tool that can be used by anyone, everywhere. Maybe to protect yourself against surveillance, to keep a business transaction secret, or to safely fund a project or group in a hostile territory. Of course, as the tool it is, it can also be used by malicious parties to launder money, evade taxes, or fund illicit operations. To be fair, USD bills could be used for that too, and no one is blaming the Fed for printing them. Which isn’t the case for the Tornado Cash developers.

The Legal Saga

Things started to look bleak for this mixer and its founders on 8 August 2022, when the US Office of Foreign Assets Control (OFAC) blacklisted Tornado Cash, accusing it of laundering billions in virtual currencies, leading to domain takedowns and developer account suspensions. Being blacklisted by the OFAC is bad news since it often involves asset freeze, banning of transactions, and penalties for the parties who dare to have relationships with the sanctioned one —even outside the US.

Barely two days later, Alexey Pertsev was arrested in Amsterdam for suspected involvement in money laundering through Tornado Cash. He’s been especially signaled as a sort of accomplice of the Lazarus Group, the North Korean hacking group considered responsible for the $625-million robbery on the Ronin Network in 2022. These hackers laundered the stolen funds via Tornado Cash.

One year later, in August 2023, Storm and Semenov were also accused of the same thing in the US, and the former one was arrested in Washington. At least, he was released just a day after by paying a $2-million bond, and he’s pending a trial. In the Netherlands, Pertsev didn’t have that luck, staying in prison for over nine months before being allowed to leave for home arrest until his trial in April 2024. His trial concluded in May 2024 with a sentence of 64 months in prison, which he is currently appealing. Pertsev's legal team is actively working on the appeal, but it may take several months before a new hearing is scheduled.

This is likely the first time ever that an open-source software is blacklisted by the OFAC, which sets a very bad precedent. Several crypto and privacy advocacy groups and organizations, including Coin Center, DeFi Education Fund, and the Electronic Frontier Foundation have pronounced in favor of Tornado Cash developers, and some of them are helping in the legal battle.

The Censorship Saga

For average crypto users and privacy enthusiasts, in practice, all this means that Tornado Cash became illegal to use for all US citizens, residents, and companies, including foreign entities that somehow participate in their market. In case you didn’t know, that includes quite a number from the crypto industry. Therefore, wide censorship against Tornado Cash transactions quickly spread —something that just shouldn’t happen in the decentralized world.

Numerous crypto companies, from exchanges to stablecoin issuers, started to ban or outright freeze any coin that came from this mixer. For instance, the Boston-based Circle, issuer of USD Coin (USD), froze over $75,000 of funds linked to Tornado Cash addresses. Tether Limited, the issuer of the most popular stablecoin so far, USDT, initially refused to do the same, but eventually froze over 161 wallets sanctioned by the OFAC —including some TC-related.

Even decentralized platforms followed suit, given that, beyond the ledgers, they’re led by companies that control their websites and front-end interfaces. That includes dYdX, Aave, Uniswap, Balancer, Oasis, Ren, and more. Some wallets, like MetaMask, don’t allow Tornado Cash transactions in the default setting. The old Tornado Cash website isn’t available anymore, and the accounts of its founders on GitHub were suspended for a while. To sum it up: all centralized services (domains, interfaces, accounts, etc.) related to this platform have been taken down. Does this mean that Tornado Cash was effectively banned and it’s not available anymore? No.

Avoiding Censorship is Still Possible

Being the open-source and decentralized software that it is, Tornado Cash is still very usable by anyone who wants to. It may not be as easy as before, but it’s still there, with a site maintained by its own community. Its smart contract is available on Ethereum, and users can access the platform via the InterPlanetary File System (IPFS) decentralized network. The link is available from the official Twitter (X) account of Tornado Cash (@TornadoCash).

As for wallets to handle Tornado Cash transactions, the real issue is the RPC (Remote Procedure Call) endpoints. They’re often centralized service providers of node infrastructure for wallets, so it's usually enough to change the provider to one more amenable with this and other mixers. The team behind the IPFS website recommended a list of them and provided instructions for MetaMask users.

One part of  censorship is done at the front-end level. That’s only the part users see first (buttons, forms, text, images, etc.), and not the whole system. In a study by researchers from the Imperial College London, it was proven that, actually, this kind of  censorship is quite ineffective.

“DeFi users can interact with the platform smart contracts through a CLI [Command-Line Interface] or by forking the platform project to create their own front-end interface (...) Another method is to adopt a nontainted address to interact with censoring DeFi platforms. To do so, users need to transfer their assets from their tainted addresses to non-tainted ones. For instance, we observe that a TC user transfers the withdrawn ETH to a non-tainted address via an intermediary address, to swap ETH to renBTC on Uniswap, i.e., TC 49.8 ETH → addr0 25.3 ETH → addr1 16.5 ETH → addr2 11.97 ETH → Uniswap 0.94 renBTC → addr2. In this way, the non-tainted address addr2 is not blocked by Uniswap.”

Does this way of circumventing censorship look a bit complicated? Well, yes. It could be easier if the whole Ethereum network wasn’t that full of middlemen.

Deeper Censorship

Front-end censorship isn’t the only challenge, though. In the consensus layer of a blockchain, “validators” and miners play crucial roles in approving or disapproving operations, and they do have the technical ability to exclude certain transactions, effectively censoring them. Therefore, if a transaction originates from or is destined for a sanctioned address (like a Tornado Cash address), “validators” and miners might choose to exclude it to comply with sanctions and avoid legal repercussions.

For instance, Ethereum’s system for creating blocks and enabling transactions uses three layers: builders, relayers, and proposers. Builders are responsible for assembling transactions into blocks, relayers help pass those blocks to proposers, and the proposers are the “validators” who add them to the chain.

Censorship can happen at any one of these layers. For example, builders can refuse to include certain "bad" transactions (like those involving Tornado Cash) in their blocks. Even if a builder includes a sanctioned transaction, relayers might obstruct the block from being sent to the proposers. Finally, if the block somehow reaches the proposers, they could refuse to propose it to the blockchain.

Now, even if 90% of builders refuse to include Tornado Cash transactions in their blocks but are still willing to build on top of blocks containing those transactions (from the remaining 10%), then Tornado Cash transactions can still make it through. However, if block producers not only refuse to include those transactions but also reject building on top of any block that contains them, then Tornado Cash transactions would be fully censored.

This means that no new blocks with those transactions would be added to the blockchain, effectively blocking them entirely. Currently, there are about 50% of Post-Merge OFAC Compliant Blocks on Ethereum, which means there’s a half of the whole network that doesn’t want to deal with Tornado Cash transactions. For now, they only block such transactions from their own blocks but are still okay to build on top of blocks that include them. However, if pressed to do so by governments or out of an abundance of caution, they might adopt stricter censorship and start refusing to build on top of such blocks as well. That’s the one step needed for Tornado Cash to be fully censored.

Beyond Ethereum

Why is this level of censorship even possible in a decentralized network? One may ask. The short answer is that, on Ethereum and similar ecosystems, transaction generation isn’t the same as transaction approval. There are several steps (and parties) in the middle, which isn’t exactly ideal for a decentralized network.

All those middlemen (builders, relayers, proposers) are usually formed by companies that could be forced to or decide to comply with the OFAC sanctions for their own convenience, and thus ban Tornado Cash and other transactions. To potentially worsen centralization even more, the US SEC__approved__ eight spot Ether ETF applications in May 2024, which means more ETH in the hands of strictly regulated parties, more ETH being staked in the US jurisdiction, and larger likelihood of censorship for Tornado Cash transactions.

Truth be told, Ethereum isn’t the most censorship-resistant or decentralized network nowadays. No blockchain is, since they tend to always have middlemen between transaction generation and transaction approval. On the other hand, a Directed-Acyclic Graph (DAG) ledger like Obyte, where transactions don’t need to be approved by anyone and instead are added to the DAG by the users themselves, offers a higher level of decentralization and freedom.

There are no miners, ‘validators’, or other centralized services between users and their transactions in Obyte. Every time a user conducts a transaction referencing past ones, it becomes part of the DAG, immutable and beyond alteration. The DAG partially provides some order for transactions, and the work is completed by Order Providers (OPs). They’re prominent entities or organizations that post their own “guiding transactions” to help order the rest, yet (most importantly!) lack the ability to alter the DAG history or refuse transactions —as it does happen on Ethereum and other blockchain networks.

Privacy-centered services like Tornado Cash could work more seamlessly in such a network without middlemen. This way, Obyte presents a compelling alternative to blockchain networks like Ethereum, and it stands as a beacon for decentralized systems while providing a platform where users can transact with confidence and autonomy.