Aave, Uniswap, and Balancer Prohibit Tornado Cash-Related Wallets After OFAC Sanction

Multiple decentralised apps on the Ethereum network have modified their source code to deny access to “sanctioned” addresses. The protocols include Aave, Uniswap, Ren, Oasis, and balancer. Banteg from Yearn found the problematic GitHub repositories in an early Saturday morning Tweet.

when defi apps started snitching on you, with links

2021-10-25 uniswap https://t.co/ym0wdNPJS6
2022-05-10 ren https://t.co/9588mTitKe
2022-06-29 balancer https://t.co/5V1FaxPUOn
2022-08-11 oasis https://t.co/GzkOQXXPb9
2022-08-12 aave https://t.co/vYY8MjqZ1p
(never) yearn, curve pic.twitter.com/1FkgVPnUqb

— banteg (@bantg) August 12, 2022

Sanctioning “screened” addresses

The “address filtering” implemented centres on TRM Labs, a compliance organisation that provides API services to dApps. A website page for TRM Labs describes the tool as relevant to “new Russia-related designations.”

Nonetheless, due to OFAC’s decision to punish all addresses associated with Tornado Cash, individuals who have interacted with Tornado Cash are now being classified as “sanctioned” and hence barred from platforms utilising TRM Labs API.

Sanctions are not applied to Russian-related addresses but to any users, including US residents, who have received funds from a Tornado Cash address in the past.

Given the recent dusting assault on prominent addresses, such as those of Brian Armstrong, Justin Sun, and other VC companies, it appears that they have been barred from Aave, Uniswap, and other TRM Labs-using programmes.

Dusting attacks cause high-profile bans

The issue has been brought to light by a tweet from the founder of Tron, Justin Sun, who claims to be unable to communicate with Aave. Sun reported that Aave had disabled his account after receiving 0.1 ETH through Tornado Cash from a random account.

The text in the accompanying screenshot states, “This address is blocked on app.aave.com because it is associated with one or more blocked activities.”

#PeckShieldAlert Over 600 addresses received 0.1 $ETH from https://t.co/LLczi0PVvh: 0.1 ETH contract which was added to the OFAC sanction list, including Big Names and Centralized exchanges.
Some users claimed that they were blocked by @AaveAave due to the “airdrop”. https://t.co/WeXfpiSi7N pic.twitter.com/cB4M5T29Ya

— PeckShieldAlert (@PeckShieldAlert) August 13, 2022

According to PeckShieldAlert, more than 600 ENS addresses received 0.1 ETH from Tornado Cash, and Aave blocked several of those addresses.

Aave’s blocking of these accounts is in response to the Office of Foreign Assets Control’s (OFAC) decision to prohibit Tornado Cash. The OFAC banned Tornado Cash because it was utilised by the North Korean hacking organisation Lazarus, citing many associated addresses.

Following the ban, GitHub terminated the Tornado Cash creator’s account. The website and Discord server of the crypto mixer also went offline—the arrest of one of its developers in the Netherlands.

While many have condemned GitHub’s decision, no one anticipated that a decentralised network not directly subject to US rules would restrict any Tornado Cash addresses.

However, Aave appears not the only one to adhere to the prohibition. Defi exchange, dYdX further blocked addresses that had previously dealt with Tornado Cash.

Several accounts were affected by the change, including those belonging to users who had never interacted with Tornado Cash or were unaware of the origin of the monies they received in different earlier transactions.

DeFi KYC platform Assure’s founder said: “We’ve unlocked Pandora’s box. Where will it conclude? He further said that:

“The recent OFAC sanctions on Tornado Cash and arrest of the developer are gravely concerning. The concept of banning & sanctioning open source code on the internet with a real use case is completely counter to the WEB3 ethos.

This is Silk Road all over again, and we know how that played out. Ross Ulbricht is still rotting in prison since he was sentenced in 2015.”

Further Contagion

As illustrated below, in response to Justin Sun’s tweet, Alex and Omega presented a potential process that might propagate rapidly within the DeFi community. Given the present functionality, a bad actor might transmit Ethereum via Tornado Cash to wallets with substantial debts to cause a liquidation event.

I’m officially blocked by @AaveAave since someone sent 0.1 eth randomly from @TornadoCash to me. @StaniKulechov pic.twitter.com/tNXNLNYZha

— H.E. Justin Sun🌞🇬🇩 (@justinsuntron) August 13, 2022

If wallets with current loans are prohibited from Aave, they would be unable to control their LTV with extra funds. Consequently, a big liquidation event occurs if the price of the underlying assets decreases, as users would be unable to access their accounts.

This is improbable in practice since protocols owe it to their users to grant them access to their funds. According to the error message displayed on Sun’s tweet, just the application’s front end appears to be disabled.

Users can interact with the protocols via the command line interface (CLI) or by forking the project to construct their front-end user interface (UI). This is out of the reach of most people, but individuals with enough resources should access banned assets using this approach.

A check of Sun’s prohibited wallet address reveals that he has more than $100 million worth of Aave tokens. He has $91 million aTUSD, $58 million aUSDC, and $19 million aDAI. These funds look currently unrecoverable using the Aave front-end user interface.

TRM Labs approach

However, the greatest worry is how TRM Labs determines what constitutes a sanctioned address. A direct relationship exists when a wallet gets funds directly from Tornado Cash. However, what happens if a user transfers money to a DEX and exchanges them for a different token? Will the wallet that participates in the exchange be authorised? It’s possible if the wallet contains ETH that has already passed via Tornado Cash.

According to a chart by ElBarto Crypto, an analyst at Block119, 90% of Ethereum addresses are within four degrees of Tornado Cash, and 41% are within two degrees.

Six degrees of tornado cash is a thing. Even crazier, while only 0.03% of addresses received ETH from tornado cash, almost half the entire ETH network is only two hops from a tornado cash receiver. pic.twitter.com/LDU9g0r7tQ

— ElBarto_Crypto (@ElBarto_Crypto) August 13, 2022

The potential for billions of ETH to be “blacklisted” due to OFAC penalties is a severe possibility. Head of Regulatory & Policy at Baincap Crypto, TuongVy Le, said that was an issue. There must be norms and clarity around how to comply with this innovative and unprecedented regulation of TC smart contracts and wallets.

Ex-SEC member TuongVy Le then commented on TRM Labs’ solution to the OFAC compliance issue.

“It seems like TRM is taking an expansive approach, which is understandable because sanctions violations are severe and there is a lot of uncertainty about how it applies here. At the same time, I think we need to ask whether there is an inherent conflict of interest when these compliance providers are doing work for both private sector and the government.”

In response to worries that the in question DeFi protocols may transmit user data to OFAC, Balancer verified that only “user addresses” would be sent to “the government” and “nothing else.”

Balancer joins Uniswap and Oasis in sending all your data to the feds. Be careful.

Also their discord is full of people who couldn’t connect because the SanctionsAPI doesn’t function properly.https://t.co/wh8D9ptNRthttps://t.co/jC1qY3PzKt pic.twitter.com/XPBVg1VKIA

— banteg (@bantg) August 12, 2022

Tim Robinson, a balancer developer, added that all data is delivered via lambda so that user IP addresses are not transmitted to TRM.

https://t.co/O7yPUFrIvD pic.twitter.com/nwHfmKvrLT

— Carlos Guimarães (@XCodeCarlos) August 12, 2022

At the time of writing, it does not appear that the occurrences have affected the price of Ethereum or the larger cryptocurrency markets. After breaking through the psychological barrier overnight, Ethereum trades slightly around $2.00.

ETH price chart. Source: TradingView