While OFAC makes its difficult decision, Coinbase continues to process Tornado Cash transactions without interruption.
Written by JP Koning
Compiled by: Luffy, Foresight News
Coinbase, the largest cryptocurrency exchange in the United States, is publicly processing Ethereum transactions involving Tornado Cash, a blockchain infrastructure that was sanctioned by the U.S. government last year for providing currency mixing services to North Korea. According to Tornado's reminder, Coinbase has verified 686 transactions related to Tornado in the past two weeks.
Included is a table showing the number of blocks proposed by each validator, with all transactions interacting with the Tornado Cash contract or TORN tokens (deposits or withdrawals). Source: Toni Wahrstätter
This is embarrassing for everyone involved.
First, this is embarrassing for the regulator, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC). OFAC explicitly states that individuals within the United States may not transact with sanctioned entities unless they have a license. Yet, the largest cryptocurrency exchange in the United States was interacting with a sanctioned entity, Tornado Cash, without a license.
OFAC can look away and pretend nothing out of the ordinary happened, which is pretty much what it has done so far. But because these interactions are clearly recorded on the blockchain, everyone can see that violations occurred. Eventually, OFAC will have to confront this issue and make some hard decisions, some of which could end up hurting companies like Coinbase and the Ethereum network.
The whole incident is also embarrassing for the crypto industry. In 2022, after much of the ecosystem was destroyed by fraud and bankruptcy scams, crypto finds itself in the crosshairs of culture wars and widespread bans. It desperately needs social license, but the leading companies in the crypto space have chosen to go against one of the key pillars of the United States' national defense.
Meanwhile, Coinbase’s main U.S. competitor, Kraken, has taken a very different approach to Tornado Cash. As shown in the table above, Kraken processed 0 Tornado Cash-related transactions in the past two weeks, compared to Coinbase’s 686 transactions. These different approaches to handling sanctioned transactions only highlight the awkward nature of cryptocurrency “compliance” with sanctions laws.
Before we dive in, we need to cover some basics. For those of you confused about cryptocurrencies, here’s a quick explanation of why Coinbase interacts with Tornado Cash and Kraken does not.
What is Validation?
First, Coinbase and Kraken operate many different businesses. They are best known for providing a trading venue where people can deposit funds to buy and sell crypto tokens.
I suspect both companies were very careful to ensure their trading venues avoided any interaction with Tornado Cash. For example, if someone tried to deposit Tornado-related funds into the Coinbase exchange, I’m sure Coinbase would quickly freeze those transactions, which is exactly what OFAC requires it to do. Crypto trading venues have gotten in trouble before for dealing with sanctioned entities: last year, Kraken was fined by OFAC for processing 826 transactions for an individual Iranian user.
But the problem here isn’t with these companies’ trading platforms. Coinbase’s interaction with Tornado Cash occurs in adjacent business areas. Let’s look at how Coinbase and Kraken’s verification services businesses work.
Let’s say Sunil lives in India and wants to make a transaction on the Ethereum network, such as depositing some ETH into Tornado Cash. He starts by entering the instruction into his MetaMask wallet. The order is broadcast to the Ethereum network for verification, and a small fee, or tip, is paid. Validators are responsible for taking large batches of outstanding transactions, one of which is Sunil’s Tornado Cash deposit, and proposing them for confirmation to the Ethereum network in the form of a “block.” As a reward, validators receive tips left by traders.
The largest validators are those who hold large amounts of ETH, the Ethereum network’s native token. Because Kraken and Coinbase hold millions of customer ETH, they have become the two most important providers of Ethereum validation services. According to the Ethereum Staking Dashboard, Coinbase accounts for 14% of validated transactions worldwide, while Kraken accounts for 3%. So while Sunil hasn’t actually deposited any cryptocurrency into Coinbase’s trading venue, he may end up interacting with Coinbase through his block proposal and validation operations.
Validators can choose which transactions to include in their blocks. This explains the difference between the two exchanges, with Kraken choosing to exclude transactions such as Sunil’s Tornado Cash deposit, while Coinbase included all transactions related to Tornado Cash in its proposed blocks, earning the associated transaction fees in the process.
In summary, Coinbase operates its exchange in a manner that complies with OFAC regulations, but its verification service operates differently than Kraken. Now, we need to fill in another important part of the story. What is OFAC going to do?
OFAC searches for answers
For those who don’t know how the US sanctions regime works, a big part of OFAC’s job is to blacklist foreign individuals and organizations that are believed to be undermining US national security or foreign policy objectives. These blacklisted entities are called SDNs (specially designated nationals). US citizens and companies cannot deal with SDNs without a license.
OFAC also imposes sweeping sanctions. These prevent U.S. persons or businesses from interacting with countries like Iran.
OFAC discloses a range of useful information for each individual or entity it designates, including the SDN’s name, alias, address, nationality, passport, tax ID number, place of birth, and date of birth. U.S. individuals and companies should take steps to check this information for each counterparty with whom they transact to ensure they are not dealing with an SDN. They must also be aware of comprehensive U.S. sanctions to avoid accidentally interacting with an entire sanctioned group, such as all Iranians, and failure to comply could result in fines or imprisonment.
While Coinbase appears to have chosen to ignore OFAC’s requirements with respect to its verification service, Kraken has not, and has incorporated SDN listings into the internal logic of the verification service it offers. But Kraken has only done this in a limited way, as I will show below.
Five years ago, OFAC began including known cryptocurrency addresses of SDNs in its SDN data array. To date, OFAC has published about 600 crypto wallet addresses, including about 150 Ethereum addresses, a large portion of which are related to Tornado Cash. Kraken used this list of 150 addresses as the basis for excluding certain transactions from blocks.
Among members of the cryptocurrency community, this behavior is sometimes described as creating an "OFAC-compliant block." Crypto theorists argue that it undermines Ethereum's core values of openness and censorship resistance. While Kraken's approach may appear to be a compliant way to propose a block, it is not.
OFAC-Compliant Blockchain
Currently, Kraken’s block validation process only clears transactions involving the 150 or so Ethereum wallets specifically mentioned by OFAC, which include Tornado Cash addresses. But many of the SDNs associated with those 150 wallets may have already been adjusted by acquiring new wallets. Kraken did nothing to determine what those new wallets were, and so would almost certainly process those SDN transactions in its blocks. This would be a violation of OFAC policy.
OFAC’s SDN list has about 12,000 SDNs, most of which are not explicitly linked to specific Ethereum wallets by OFAC. But that doesn’t mean these entities don’t have such wallets. To be compliant, Kraken would need to scan the entire list of 12,000 SDNs and verify that none of them are included in the Kraken block. Again, it doesn’t seem to have done that.
Complying with OFAC is more than just cross-checking the SDN list. Remember, OFAC also has sweeping sanctions against countries like Iran that prohibit any US entity from dealing with Iranians in general. Since Kraken’s proposed block only excludes the 150 or so Ethereum addresses mentioned by OFAC, it will almost certainly allow Iranians’ transactions into its proposed block. This is ironic, because the violation that Kraken was penalized for last year was for allowing Iranians to use its trading platform. Apparently, the Kraken exchange has one policy regarding Iran and another for its block proposal service.
Coinbase’s complete disregard for OFAC’s policy now makes more sense. Perhaps it would be better to not comply at all and retain the ability to claim that sanctions law does not apply to verification than to not comply fully but in the process acquiesce to OFAC’s jurisdiction over verification. As part of this strategy, Coinbase may attempt to lean on the argument that verification is not a financial service but rather a “transmission of informational material” that is not subject to sanctions law.
Having started down the road to compliance, the only way for Kraken’s verification business to come close to full compliance with sanctions law is to adopt the exact same exhaustive process that its own cryptocurrency exchange adheres to. This means painstakingly collecting and verifying the IDs of all potential traders, cross-checking against OFAC’s requirements, and going forward only proposing blocks consisting of transactions from an internal list of approved addresses. By adopting this complete approach to verifying transactions, Kraken will now be much closer to compliance. For OFAC, its embarrassing situation will be alleviated.
OFAC policy decisions are not simple
However, this approach has its drawbacks. It would be costly for Kraken to verify IDs for block inclusion purposes. I suspect the company might be forced to stop offering verification services. Even if Kraken and Coinbase roll out OFAC-compliant KYC processes for assembling blocks, most Ethereum transactions would likely go to offshore validators who don’t check IDs because they are unregulated and don’t have to comply with OFAC’s policies.
Therefore, the transactions that OFAC seeks to prevent ultimately occur.
Further complicating matters, by moving validation away from US soil, the US national security establishment would destroy the nascent “US Ethereum nexus” that they could have used as a tool to spread US power beyond their borders. If you’re curious what this means, consider how New York State currently uses New York correspondent banking relationships to implement US policy abroad. The San Francisco-based Ethereum network would be its encrypted version, but only if it doesn’t get expelled.
To prevent validation from outside the U.S., the government could combine a requirement for domestic block validators to implement KYC with a second requirement for all U.S. persons and companies to submit all Ethereum transactions to sanctions-compliant validators. This would bring U.S. Ethereum trading back onto U.S. soil and into the arms of Coinbase and Kraken.
But this is a complicated chess game, and you can understand why OFAC has been hesitant.
On the other hand, OFAC can’t prevaricate forever. Cryptocurrencies are still niche, sure. But OFAC is an agency with a democratic mandate to enforce the law, and the law is clearly being broken. It can’t afford to “neglect its duties.” Sanctions are a matter of national security, which adds urgency to the issue.
One option is for OFAC to provide explicit exceptions to sanctions law to U.S. blockchain validators in the form of special licenses. But this raises questions of technological neutrality and equal treatment under the law. Why should Coinbase and Kraken be allowed to host financial networks with sanctioned participants, while other network operators like Visa or American Express are not afforded the same exemptions?
This is not just a matter of fairness. By stripping blockchain away, OFAC could inadvertently spur the financial industry to move toward blockchain-based verification, as this has become the least regulated and therefore cheapest technological solution for deploying a variety of financial services. At that point, OFAC would find itself with far less to manage, since a large portion of the money now resides within OFAC’s boundaries.
I don’t envy the OFAC officials. They have a tough decision to make. Meanwhile, Coinbase continues to process Tornado Cash transactions every hour.
