Tornado Cash says it’s using Chainalysis oracles to block access from OFAC sanctioned addresses

A privacy-focused Ethereum mixer, Tornado Cash, has a new way of blocking users from sanctioned countries.

The update comes after a recent report by blockchain analytics firm Chainalysis revealed that an entity associated with the Iranian government transacted over $3 million in bitcoins through Tornado Cash’s privacy tools.

Announced in a press release, the partnership will “help protect against malicious actors that may attempt to use Tornado Cash to launder money.” The oracles will check incoming ETH address on both Ethereum mainnet and Tornado Cash’s Rinkeby and Kovan test networks against the addresses published by OFAC.

Tornado Cash founder Samy K says their platform has always had “a firm stance against the funding of terrorism, human trafficking and other criminal activity.”

Tornado Cash is an open source Ethereum mixer that lets users make transactions completely anonymously. The platform’s interface is built on the Uniswap decentralized cryptocurrency exchange.

Tornado Cash describes itself as a “fully non-custodial, decentralized and trustless privacy protocol.” It uses a smart contract to enable withdrawals from the mixer without any information about the sender or receiver. The protocol then burns the funds to prevent them from being accessed again.

The Ethereum mixer, which launched the first version of its smart contracts in August 2019, is using oracle data provided by Chainalysis to block access from addresses associated with countries under sanctions. Specifically, addresses originating from OFAC-sanctioned countries are blocked from accessing the tool.

Tornado Cash, one of the most successful DeFi protocols, has updated its smart contracts to block access from addresses on the United States’ Office of Foreign Asset Control (OFAC) sanctions list.

Tornado Cash is not the first company to integrate with Chainalysis oracles, but it shows a growing trend in Ethereum and DeFi apps utilizing Chainalysis’ data for compliance purposes.

Tornado Cash is reportedly the first non-custodial decentralized finance (DeFi) project to integrate with Chainalysis’ Know Your Transaction (KYT) solutions.

While Tornado Cash is open-source, the smart contract does not explicitly hold any currency. Instead, Tornado Cash allows users to deposit ETH into a smart contract and then withdraw an equal amount of ETH from another address (that they control). This “mixing” process obscures the source of funds as they move through Tornado Cash’s system and become mixed with other deposits.

Tornado Cash allows users to send tokens between anonymous wallets. Its Mixer feature lets users send ETH and ERC-20 tokens in a way that obscures their origin and final destination, while its Faucet feature lets users claim tokens sent anonymously to its smart contracts. 

Chainalysis Oracles provide real-time information on high-risk addresses to help exchanges and other companies detect bad actors on their platforms. As part of the partnership with Chainalysis, Tornado Cash developers were able to configure the oracle service to block OFAC sanctioned addresses from depositing funds into

into the platform as a preventative measure against money laundering and terrorism financing risks associated with these accounts, while still allowing individuals to transact with their own funds on the network in accordance with relevant KYC/AML guidelines and regulatory requirements under the UIGEA and FATF standards as well as other applicable laws and regulations around the world that govern money services businesses (MSB). The integration allows users to deposit cash directly into the Tornado Wallet via bank transfers, ACH transfers, or even by receiving wire transfers.

In a statement to Cointelegraph, Adam Koltun, business lead at Chainlink said the new integration aims to prevent bad actors from using its platform:

“Through their integration with Chainlink Price Feeds and Chainlink Verifiable Randomness Function (VRF), Tornado Cash ensures that users of their protocol have trustless access to reliable data without having to trust centralized sources. By integrating with our OFAC sanctions list data feed, they can better ensure that no one who shouldn’t be participating in their system ever does.”

Tornado Cash, a popular Ethereum privacy tool, says it’s using Chainalysis oracles to block access from OFAC sanctioned addresses.

In addition to blocking sanctioned addresses from sending funds into Tornado Cash, the project is also purportedly using Chainalysis oracles to prevent those same addresses from withdrawing funds from Tornado Cash’s smart contract.

The team noted that it has already taken steps in the past to make it impossible for people to deanonymize their funds on Tornado Cash “without their consent,” and now it believes that it has successfully made it even more difficult for sanctioned persons to use its platform without being detected by authorities.

The project’s Twitter account said Thursday that the oracle “monitors ERC20 token transfers and executes transfers only if the sending address is not on the list of addresses provided by the oracle.”

Chainalysis announced Tuesday that it had partnered with Oracle platform Chainlink to provide its Know Your Transaction (KYT) tool as an oracle service. The Tornado Cash integration appears to be live already.

The partnership allows Chainlink’s decentralized network of nodes to access data from Chainalysis’ blockchain analytics platform. This enables real-time updates of “any type” of data and gives users flexibility in terms of which data they pull, according to a blog post published Tuesday.

The Chainalysis oracle contract was created by Chainalysis and is used by other DeFi protocols, including Compound, in order to comply with U.S. sanctions. The contract was audited by Trail of Bits, another security firm hired by Tornado Cash to audit its smart contracts.

The U.S.-based software company’s Reactor API provides real-time alerts when cryptocurrency is sent from or received by addresses that are associated with illicit activities.

As Cointelegraph reported yesterday, Chainalysis recently introduced its new set of monitoring tools for cryptocurrency exchanges that could prevent fraudsters from using stolen funds on these platforms.

This is a big deal for Tornado Cash. While it’s easy to argue that it should be up to every person to ensure they are not breaking any laws by using privacy tools on Ethereum, the reality is that governments have a history of going after privacy projects with legal action and fines (sometimes for seemingly arbitrary reasons).

It’s not common for projects to use Chainalysis oracles in this sort of way, but given how much money has been flowing into DeFi this year, it’s understandable why Tornado Cash is taking extra precautions with its users’ funds.

Chainalysis chief legal officer Jason Bonds told The Wall Street Journal (WSJ) in an interview published yesterday that it has been pushing other countries to put North Korea on their own sanctions lists. Bonds told WSJ:

“We have been working with governments around the world to ensure they can properly screen for North Korean activity within their borders.”

Tornado Cash says it’s using Chainalysis oracles to block access from addresses on the Office of Foreign Assets Control (OFAC), a U.S. Treasury Department blacklist, to prevent them from withdrawing funds.

The firm said that in the future it plans to expand its offering so that users who have been blocked by Tornado Cash can apply to be “whitelisted” by Chainalysis and continue using the service, provided they declare their identity.

“Tornado is not an entity and can’t be sanctioned,” said Tornado spokesperson, Alex Svanevik. “But we want to make sure that our platform doesn’t get used for money laundering.”

ZK-rollup privacy protocol Tornado Cash put out a tweet as well today that it would block access to its service for users on the OFAC’s Specially Designated Nationals list. The company said it had already blocked access for a number of addresses identified by the oracles as sanctioned.

“We have enabled Chainalysis Oracles that monitor and detect transactions from OFAC blacklisted addresses,” the message reads. “Any transactions from these addresses will be blocked.”

While Tornado Cash has long been used by criminals to launder cryptocurrency, it has grown in popularity thanks to its ability to protect users’ privacy by obscuring their transactions on public blockchains. This can be especially beneficial for individuals in countries where freedom of speech is limited or criminalized.

In the past few months, Chainalysis has been busy adding more and more address lists into its Reactor product, which it says can be used by crypto projects to comply with regulatory requirements. In March last year, it added a list of addresses associated with terrorist financing; in April as well, it added addresses associated with child exploitation; in May, it added a list of addresses associated with criminal activity; and in July, it added a list of sanctioned addresses.

Tornado Cash joins other projects like Coinbase and Gemini, both of which were also confirmed to be using Chainalysis oracles as of this year.

One big thing: For now, just one Ethereum block will contain the data fed to Tornado Cash’s smart contract, but the developers are already discussing scaling solutions that would allow more data to be processed on-chain while keeping gas costs low.

The bottom line: With this new functionality, Tornado Cash is able to remove any addresses that pose a legal risk for its users and stay compliant with local AML/KYC regulations.