REGULATION

Elliptic Analysis: What Should Exchanges and DeFi Developers Do When Users Utilize Tornado Cash?

share
Elliptic Analysis: What Should Exchanges and DeFi Developers Do When Users Utilize Tornado Cash?

After the U.S. Department of the Treasury imposed sanctions on the privacy protocol Tornado Cash, many have been wondering about the consequences and implications: Does interacting with Tornado Cash constitute a crime? How should exchanges and crypto financial service providers respond? Based on the perspective of the on-chain data analysis company Elliptic, they explain key questions and offer advice on how compliance institutions should handle the situation.

What should exchanges do if users utilize Tornado Cash?

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) measures prohibit Americans, financial institutions in the U.S., and cryptocurrency companies from directly or indirectly engaging in transactions through Tornado Cash or providing services or benefits to Tornado Cash. Therefore, exchanges and crypto financial service providers must ensure that users do not transfer funds to Tornado Cash or related addresses, and also should not receive any funds from Tornado Cash or related addresses.

Elliptic recommends using on-chain analysis tools to screen wallet addresses, and OFAC also provides a reporting mechanism when anomalies are detected.

Can users use Tornado Cash-related addresses that are not listed in sanctions?

Elliptic states that it is not allowed.

OFAC has clarified that the list of cryptocurrency addresses is not comprehensive, and sanctioned entities may benefit from addresses not listed. Americans are obligated not to engage with those addresses.

How can compliant companies determine whether users receiving funds from Tornado Cash do so intentionally or unintentionally?

Elliptic believes that the blockchain offers high transparency and transaction intent. By tracing the trajectory of encrypted funds, it is easier to discern intent compared to analyzing cash and bank transfer transactions. This means that exchanges and crypto financial service providers can identify user transactions; although Tornado Cash poses a particular challenge as there may be cross-contamination of transactions and wallets within the entire ecosystem.

Exchanges may face the question of whether users' funds are intentionally or unintentionally linked to Tornado Cash. Therefore, it is crucial to establish prudent regulatory policies and robust on-chain analysis capabilities. Elliptic recommends its analysis tools and suggests that when analyzing, there should be no limit set on the number of intermediary wallets in fund transfers, but rather attention should be paid to transaction volume, proximity, and speed for judgment.

Are stablecoin issuers obligated to block Tornado Cash?

Yes.

What is the impact of sanctioning Tornado Cash?

Elliptic states that in the short term, there will be an effect as North Korean hacker groups often use Tornado Cash, so OFAC's actions will reduce the feasibility of criminals cashing in on their proceeds. However, in the long term, it is uncertain as criminals will quickly find new money laundering methods.

The case of Tornado Cash is unique as it is a decentralized protocol operated by smart contracts, and anyone can fork its open-source code. However, this does not mean that anyone can trust the same code, and replicating its success requires significant effort. Deploying this protocol again now would require a lot of effort to achieve a scale sufficient for illicit actors to use.

What does sanctioning decentralized projects represent?

It is not just targeting individuals and organizations; this time, the protocol itself has been sanctioned for the first time. Decentralized applications (Dapps) like Tornado Cash, being open-source and decentralized, similar to other Dapps, generally do not have clear ownership or control information, or know where their users are located.

This case poses challenges for compliance units:

  • How many of the addresses associated with the decentralized protocol Tornado Cash are owned or controlled by Tornado Cash?
  • If the code of Tornado Cash is redeployed, will it be subject to sanctions?
  • Would it be illegal if the same group of people deploy this code? What if it is executed by a different group?
  • Should transactions be prohibited if someone claims to be associated with Tornado Cash's operation, regardless of whether they are related to the team or domain name owner of Tornado Cash?
  • Do sanctions apply to transactions involving intermediaries, TORN governance token holders, or other transactions belonging to the Tornado Cash network infrastructure? How should compliance teams handle interactions with these entities?

Elliptic indicates that OFAC has not provided answers to these questions, but over time, they may be confirmed through individual lawsuits.

Do all DeFi protocols need to ensure compliance with sanctions?

Elliptic believes that the regulatory environment involving DeFi is complex, and most countries cannot clearly explain how to practice in this area. However, it is evident that the U.S. Department of the Treasury has zero tolerance for any type of activities that threaten bad actors. DeFi developers should understand these developments and possible consequences, as besides legal liability, they may also face potential damage to their reputation.