Sanctioning a Smart Contract

Aug 9, 2022

The SEC released a list of sanctioned Ethereum addresses and the smart contract Tornado Cash, a program that allows users to mix (i.e., launder) crypto. Blockchains make all transactions public (see tradeoffs), so mixers obfuscate the sender, recipient, and values of transactions.

There are legitimate users of these services that value privacy, but there are also bad actors – state-sponsored hackers like the Lazarus Group (North Korea) and other hackers. But can you really prevent people from running code?

A few questions:

What does it mean to sanction a smart contract? GitHub removed the developer's repository and account, but others already have copies of the code and can deploy it. You can identify direct copies of the program, but any small modification would result in a different checksum and therefore be harder to identify.
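As an added example (not code from the original post), here is a toy screener in Python that shows the checksum point in practice: an exact code-hash denylist misses a copy whose constants were edited, while a normalized opcode skeleton still matches it. The sample bytecode and denylist are constructed, and hashlib.sha3_256 stands in for the EVM's keccak256 (the brittleness argument is the same for both).

```python
import hashlib

def code_hash(bytecode: bytes) -> str:
    # Stand-in for keccak256(code) as returned by EXTCODEHASH; the padding
    # differs, but the "one byte changes everything" property is identical.
    return hashlib.sha3_256(bytecode).hexdigest()

def normalize(bytecode: bytes) -> bytes:
    """Return an opcode skeleton: PUSH1..PUSH32 immediates are zeroed so that
    edits to constants (addresses, fee values, metadata) do not change it."""
    out = bytearray()
    i = 0
    while i < len(bytecode):
        op = bytecode[i]
        out.append(op)
        i += 1
        if 0x60 <= op <= 0x7F:          # PUSHn carries n = op - 0x5f immediate bytes
            n = op - 0x5F
            out.extend(b"\x00" * n)     # mask the immediate, keep its width
            i += n                      # a truncated trailing PUSH simply runs off the end
    return bytes(out)

# Constructed sample runtime: PUSH20 <address>, PUSH1 0x64, ADD, STOP.
# This is a made-up program, not the sanctioned contract's bytecode.
ORIGINAL = bytes.fromhex("73" + "11" * 20 + "6064" "01" "00")
# Same program with only the address constant changed (a "small modification").
MODIFIED = bytes.fromhex("73" + "22" * 20 + "6064" "01" "00")
# A genuinely different program: ADD replaced by MUL.
DIFFERENT = bytes.fromhex("73" + "11" * 20 + "6064" "02" "00")

# Constructed denylists built from the "known bad" deployment.
DENYLIST_EXACT = {code_hash(ORIGINAL)}
DENYLIST_SKELETON = {code_hash(normalize(ORIGINAL))}

def screen(bytecode: bytes) -> dict:
    """Report whether deployed bytecode matches the denylist exactly,
    or only after immediates are masked out."""
    return {
        "exact": code_hash(bytecode) in DENYLIST_EXACT,
        "skeleton": code_hash(normalize(bytecode)) in DENYLIST_SKELETON,
    }
```

Skeleton matching is still only a heuristic: reordering or rewriting logic defeats it, so it narrows the gap the post describes rather than closing it.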

Will there be a premium for freshly minted tokens? Receiving tokens that can be traced back to some crime or illegal activity can create the risk of government forfeiture. There might soon be a distinction between "clean" tokens – tokens that can be traced back to their origin without being in the hands of bad actors – and "dirty" tokens.

Blockchains are permissionless. That means that, similar to email, anyone can send you tokens, NFTs, or anything else on the blockchain. What happens if a bad actor sends you dirty tokens or data with illegal contents, and it's found in your wallet?

What happens to zero-knowledge rollups, which provide another privacy mechanism in public blockchains? They can be used for the same purpose.

Will this limit the blast radius of large hacks if hackers can't launder their stolen tokens? New mixers will emerge, but mixers work best when there's significant liquidity.

I tend to be an optimist. These problems are solvable but require different tradeoffs. Not all laws will get things right the first time around, especially as the substrate underneath them changes rapidly.