Tornado Cash Saga

oracle.e (Christabel U)
5 min readAug 9, 2022

TORNADO CASH SAGA AND VIEWS

Looking at the entrance of Satoshi’s white paper in 2008 to integrate anonymity and privacy through a trust less service, we all knew over the years, there would be a controversy with conventional finance because of the need to ensure and albeit illegal transactions.

For a while it looked like it was a dream come through, with the open ledger viewable to anyone on the blockchain, even though the sender’s & receiver’s identities are hidden, instead replaced by addresses that look like a toddler typed them while scrawling around your keyboard. This is because, if everyone deposited and withdrew in regular exchanges, the government could subpoena for everyone’s real world identities.

But over the years, more technology and cryptography methods have been used in building protocols on the blockchain, leading us to explore new territories across the ecosystem. Some of which include bridges used to swap tokens between different blockchains.

The number of bridge hacks over the past months have been constant, and questions have been asked about the safety and security of cryptocurrency. Cross-chain bridges have enabled the proliferation of new blockchains, but failure of bridges could be devastating for smaller chains that rely on them for a large portion of their overall liquidity.

We had the Wormhole bridge hack of $300million, Harmony bridge hack of $100 million, and the biggest hack of all time, the Ronin bridge Hack of over $600 million in March 2022, that has been discovered by the US to be linked to the Lazarus Group, a set of North Korean hackers.

Proceeds from the bridge hacks mentioned above, even the recent Nomad bridge failure, were all deposited into a decentralized “crypto currency mixer”, Tornado Cash.

Tornado Cash is a decentralized crypto mixing service that takes in 3 specified amounts of Ethereum (1 ETH, 10 ETH, 100ETH), then gives out the same equivalent number of ETH but not the same Ethereum tokens. So in other words, even if the tokens have been blacklisted, you can send them to Tornado Cash to be mixed, and after a few days, can be withdrawn.

What’s the problem? You don’t know who’s collecting what because everyone withdraws the same categorized amount.

Tornado Cash uses Merkle tree and zero knowledge proof (Zk Proof). It uses Merkle tree for data verification & synchronization because of the large amounts of data taken in and Zk proof for security.

How merkle tree mechanism looks like
Merkle tree

The zero knowledge proof is compared to a password used to access an online network. The user submits the password, and the network itself checks the contents of the password to verify that it is correct. In order to do this, the network must also have access to the contents of the password.

Now Tornado Cash offers a proof that looks like a hash that has been encrypted, to the user, when they deposit funds. It is later entered into Tornado Cash, then used to verify if the transaction really exists, using the Merkle tree. Once the system verifies the proof, the amount is paid out to whatever address entered by the user. This inability to trace who collects what at what time is the bottle neck that led to the sanctioning of Tornado Cash by the United States treasury and banning of all American citizens from using the said service. The Office of Foreign Assets Control (OFAC) effectively added Tornado Cash to the Specially Designated Nationals list, meaning that you could face jail time for interacting with Tornado Cash.

They also blacklisted all the Ethereum addresses associated with Tornado Cash or its protocol. This was done as they said Tornado Cash failed to increase the amount of control they had on the service and checkmate laundering.

“ Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks,”

Undersecretary of the Treasury Department’s Terrorism and Financial Intelligence agency, Brian E. Nelson said in a statement Monday.

Crypto data aggregator Dune Analytics said that, on Monday, Circle, the issuer of the USD Coin (USDC) stablecoin, froze over 75,000 USDC worth of funds linked to the 44 Tornado Cash addresses sanctioned by the U.S. Office of Foreign Assets Control’s Specially Designated Nationals and Blocked Persons (SDN) list.

Tornado Cash’s Co-founder Roman Semenov earlier spoke about control over the protocol saying,

“ Sanctions may not impede the functioning of Tornado Cash itself. He iterated that the privacy service was designed to operate without central control ”.

As he and his team create and publish code, a decentralized autonomous organization (DAO) must approve all changes before they are made.

“ The protocol is specifically designed to be unstoppable because it makes no sense if a third party (such as a developer) controls it. It’s the same as one person having control over Bitcoin or Ethereum ”

he told Coin Desk at the time.

The developers have open sourced the entire user interface to allow anyone to influence the code and design of the mixer. When you deposit funds into Tornado Cash, they are put into a “pool” of other users’ tokens. From here, users can withdraw funds to another address while hiding their original origin.

According to Tornado Cash, it is non-custodial and users always have full control over their funds. Even though those funds are technically in his one of Tornado’s pools.

The sanctioning and blacklisting follow after the spike in the amount of Ethereum deposited into Tornado Cash between May and June 2022 . The analysis compiled by Nansen, showed that the amount of ETH deposited into the protocol soared to 220,000 ETH, that is, $220 million to $660 million.

Data analysis from Nansen

Overall, 18% of Ethereum floating through Tornado Cash is said to come from the Ronin attack.

Understandably, rules and regulations are lacking within the blockchain space as it is a relatively really new ecosystem, therefore, prone to attacks. The problem blockchain enthusiasts have with this move is that this affects the regular people who use the services to remain anonymous in their transactions. It also questions the freedom of open source as Semenov has his GitHub account suspended after the sanction.

In conventional finance, cash stolen cannot be traced especially when handed over from hand to hand. This particular reason has led to people asking why they don’t follow the usual processes of hunting down the culprits personally instead of the entire protocol and its users.

This doesn’t silence the call of enthusiasts and users who want to maintain their privacy. The crypto think tank Coin Center, has condemned the actions taken against Tornado Coin.

“It is not any specific bad actor who is being sanctioned, but instead it is all Americans who may wish to use this automated tool in order to protect their own privacy while transacting online who are having their liberty curtailed without the benefit of any due process,”

it wrote in the aftermath of the announcement.

--

--