We're hiring → Join us!

August 2022

The Monthly Ledger Report

By Bryan Wilson, Legal Engineer at Upside
Edition #
Ledger Scan:
August 2022
Posts (month):
Posts (all-time):
Authors (month):
Authors (all-time):

Tornado Cash v. OFAC

When does it make sense to sanction a technology?

This is the question that is at the heart of the decision by the United States Office of Foreign Assets Control to sanction Tornado Cash (Official Press Release). For background, Tornado Cash describes themselves as a "fully decentralized protocol for private transactions on Ethereum." Per FTI Consulting, the dApp works by "Tornado Cash is an Ethereum-based (ETH) virtual currency tumbler that mixes a variety of Ethereum-based transactions (i.e., both ETH and ERC-20 tokens) into a lockbox that can be withdrawn by individuals who possess specific keys. Providing those keys takes place within a "zero knowledge proof" algorithm in which the withdrawer proves they have the required keys in hashed form without actually providing them to the verification service on the Tornado side and therefore compromising their identity." The benefits of using a mixer ought to be apparent: they uphold financial privacy in a way that is inviolable. Nobody is able to surveil who is sending what where. This is part of the original promise of blockchain.

The other side of the coin is that mixers can be used to bypass perfectly legitimate sanctions, enabling criminals and other nefarious actors to operate with a type of financial impunity that has been carved out of many financial systems today. This conundrum almost seems like something law students might have seen on a final exam for Administrative Law a few years ago. Both sides have good arguments about why they should get their way. At the heart of the issue is a decision that must be made about the extent to which technologies can be regulated in the first place. If we look at the popular tools of criminals from a pre-digital era, many of them are regulated. Lots of countries restrict the purchase of guns, ammunition, knives, and other weapons that are likely to cause physical harm. But when we start to examine the tools of digital criminals, the lines become more blurry.

If regulators take a heavy handed approach to restricting all tools used to perpetuate cybercrime on the internet, the internet would be less interesting and less useful. There is, however, a tendency for each side arguing here to oversimplify their position. The government is arguing: if you don't like the sanctions, you like cybercriminals. Tornado Cash is arguing: if you don't like mixers, you don't care about privacy or individual autonomy. One of the reasons this is, in fact, such a big problem is because the protocols for Tornado Cash don't permit any of the compromises that TradFi systems have built in place to reduce incidence of cybercrime. For government agencies, who are by their nature tasked with protecting people from criminals, this will not seem like a good idea.

However, it is argued by Jerry Brito and Peter VanValkenburgh of CoinCenter that the response by OFAC is not proportional to the circumstances of what the situation truly merits. In particular, they point out that adding certain Tornado Cash smart contract addresses to the Specially Designated Nationals and Blocked Persons List (SDN List), that this action potentially violates constitutional rights to due process and free speech, and that OFAC has not adequately acted to mitigate the foreseeable impact its action would have on innocent Americans. The fall out of this is very tricky to navigate because the consequences of being placed on the SDN List are so severe. This means that it is probably a wise idea for most Web3, DeFi, and other crypto companies to implement some type of sanctions compliance regime to avoid being whacked with the government's proverbial ban hammer.


There was certainly some bad news over the last month in the Web3 world. The hits kept coming for Open Sea. On the market-front, Trading volume on top NFT marketplace OpenSea down 99% in USD from May peak. On the human front, OpenSea changes its policy, requires a police report to freeze NFTs. One of these is more avoidable than the other, but that's probably a whole other article.

Bloom Protocol is being sued by the SEC for selling unregistered securities as part of an ICO in 2017.

Michael Saylor, CEO of Microstrategy, is being sued for tax fraud. In itself, this isn't notable. CEOs of companies find themselves in trouble with tax authorities a lot. No, the interesting aspect of this was that Michael Saylor's lawsuit was announced by the AG of DC via Twitter.

With the bad news out of the way, now comes the interesting, exciting, and good.

One of the most interesting topics, to me, for the month was that of the User Activated Soft Fork. Following OFAC's willingness to add smart contract addresses to the SDN list, this will become more important as UASF's enable blockchains to replace older rules in a less strict way, with opt-in's for stakeholders.

With the NFL starting back up, I was pleasantly surprised to learn that a DAO was considering the purchase of a team, the Denver Broncos, after it was announced they were for sale over the summer. As a long-suffering fan of the Kansas City Chiefs, I was a little hesitant to see that a divisional rival was doing this cool stuff, but was excited about the design pattern employed. Essentially, BUYTHEBRONCOS follows the same pattern employed by LinksDAO: users purchase NFTs to help finance the purchase of the item (a sports franchise and golf course, respectively). The NFTs provide holders with certain rights and have varying degrees of transferability. I also have to shout out BUYTHEBRONCOS for having a great FAQ. I think this is one of the most user-centric examples of a venture DAO I have seen to date. In spite of their best efforts, BUYTHEBRONCOS appears to have come up short as NFL owners unanimously approve $4.65 billion sale of Denver Broncos to Walton-Penner group.

Ropsten, Rinkeby, & Deprecation Announcement: Ethereum Foundation announced that they will be deprecating several testnets that were once integral for proof-of-work, but will be surplus to requirements for the proof-of-stake world headed our way with the Merge. For me, Rinkeby was the first place where I was able to play around with building (read: demoing) smart contracts on my own back in the halcyon days of 2016. Like Queen Elizabeth II, these applications served the world well during their time and will be missed.

A proposal to create a Uniswap Foundation passed on Uniswap. Uniswap remains the most robust DAO, in my mind, for its ability to actually transform the financial industry. Some might point to Bitcoin as a DAO as an example of a more revolutionary institution in the financial industry, but the Bitcoin governance proposals are not as distributed as Uniswaps are, hence my reasoning here.

Security Token Standards

Security Tokens are becoming increasingly popular in Web3, as interest pours in from venture capital, investment analysts, and fund managers. Critically, the features of blockchain enable the programmatic enforcement of many features within the securities industry that are vulnerable to fraud or untoward manipulation, including transfer restrictions, lock-up periods, and dividend distributions. With enough creativity and stakeholder buy-in, these features present a number of cases where banks, venture capital firms, and investment funds might actually be improved by operating as a DAO.

Additionally, the regulatory clarity created by registering under one of the SEC's exemptions for securities reduces the legal uncertainty many tokens face when starting out. This post, in particular, has some insight into how the mechanics of the SEC's exemptions play out for more lightweight securities offerings, including Reg D, Reg S, and Reg CF.

Yet, as the popularity of these rule machines continues to grow, the need for standardization will be critical for their growth. Because they align so much with already regulated industries, there is a definite target for finding out what security tokens need to be able to do from a legal standpoint, but how well do existing token standards for security tokens function?

Because this is part of the monthly report and not a more thorough examination of Security Token standards, I'm only going to look at ERC1404 and ERC3643.

  • ERC1404: based on the ERC1400 standard developed by Polymath to bring clarity to investors specifically for Security Tokens and developed by Tokensoft in 2018, ERC1404 helps launch compliant security tokens and includes basic transfer restrictions (i.e., transfer groups + rules for transferring between groups). This means, I can set up a group for transfers between accredited investors, unaccredited investors, international investors, etc. Think of 1404 as an extendable version of ERC20 with the preceding rules, as well as the ability to manage stakeholder identities for things like AML/KYC. (Disclaimer: this is the standard we use at Upside for Security Tokens).
  • ERC3643: aka the T-REX protocol (Token for Regulated EXchanges) was developed by Tokeny and memorialized as ERC3643 in 2021. Where ERC1404 relies onthe simplicity of the ERC20 token to generate trust, ERC3643 relies on robustness. With over 100 additional access, control, and issuance management functions, ERC3643 offers lots of customization for complying with regulations wherever you are in the world.

Each of these standards is great, but provides value to users in different ways. Ultimately, you are the only person who can decide which set of features is best for your project. The scalability of an already-audited 1404 contract means it can be adapted to many use cases that are aligned to the structure. This makes it ideal for building a business. It would be possible to get an already-audited 3643 contract, as well. However, the strengths of 3643 are that you can do things with it that other standards are unable to effectuate.

Sufficient Decentralization

One of my personal favorite reads from the last month was Marc Boiron's Sufficient Decentralization. This playbook for web3 builders and lawyers provides a rich context about what it means to operate a crypto company, from a legal perspective, in this day and age. I would absolutely recommend checking this out if you are working on anything web3-related.

Something that struck me as I read this was that there are a number of projects out there that the nature of launching any utility token can be much simpler if you coordinate the development of the utility token via a DAO and according to a set of on-chain rules that aid this decentralization. As the native language of web3, it feels like this point should be more obvious than it is, but projects seeking to leverage the actual utility of blockchain should, in and of themselves, use blockchain.

By way of example, consider centralized exchanges and decentralized exchanges. Centralized exchanges function much more like banks than anything in the Bitcoin or Ethereum whitepapers. Yet, many centralized exchanges boast about financial inclusion. In contrast, many decentralized exchanges function in a way that leverages the potential of blockchain to facilitate more blockchain. Each has strengths and weaknesses, but projects that are more like legacy financial systems are more likely to be fit into the TradFi regulatory categories.

from https://daocollective.xyz/

To that end, this section includes a few links to efforts that are working to the end of sufficient decentralization.

  • DAO Research Collective is a great resource to learn about the fundamental building blocks of DAOs and Decentralization.
  • C0C0 is a really cool project that is focused on acquiring and managing CC0 NFTs.
  • no1s1 is a cool, quasi-academic example of a self-owned autonomous space from folks at ETH Zurich, EY, Dezentrum, and Digitec.
  • OnchailnID is an example of a company creating an identity solution for DeFi that leverages the composable nature of DeFi.
  • Collab.Land is a cool project to help with community decision-making for DAOs.
  • Self-Custody Wallets (as opposed to custodial wallets) are an important topic to read about.

Visit our Are.na Group

To see the full collection of curated content we gather from the web on all things Blockchain.
Visit Are.na