DeFi protocols Aave, Uniswap, and Balancer ban users following OFAC sanctions on Tornado Cash
Decentralization may be under attack as Aave, Uniswap, Balancer and more reportedly ban wallets which have interacted with Tornado Cash. A centralized dataset created by TRM Labs appears to be responsible for the accounts being banned.
UPDATE: Aave has responded with a breakdown of the issue and claims to have removed “dusted” addresses from the ban; users report regaining access to the Aave front end.
Several decentralized applications on the Ethereum network have implemented code changes to revoke access from “sanctioned” addresses. The currently identified protocols are Aave, Uniswap, Ren, Oasis, and Balancer. Banteg from Yearn identified the GitHub repositories in question in a tweet early Saturday morning.
when defi apps started snitching on you, with links
2021-10-25 uniswap https://t.co/ym0wdNPJS6
2022-05-10 ren https://t.co/9588mTitKe
2022-06-29 balancer https://t.co/5V1FaxPUOn
2022-08-11 oasis https://t.co/GzkOQXXPb9
2022-08-12 aave https://t.co/vYY8MjqZ1p
(never) yearn, curve pic.twitter.com/1FkgVPnUqb
— banteg (@bantg) August 12, 2022
Sanctioning “screened” addresses.
The “address screening” that has been put into place revolves around TRM Labs, a compliance company offering services to dApps via an API. A page on the TRM Labs website refers to the tool as applicable for “new Russia-related designations.”
However, following the OFAC move to sanction all addresses related to Tornado Cash, it appears that users that have interacted with Tornado Cash are now also being labeled as “sanctioned” and thus banned from the platforms using TRM Labs’ API.
The sanctions are not being placed on addresses related to Russia but on any users, including United States citizens, who have ever received funds from a Tornado Cash address.
Following the recent dusting attack on high-profile addresses, including those of Brian Armstrong, Justin Sun, and several VC firms, it appears that these addresses have been blocked from Aave, Uniswap, and the other applications using TRM Labs.
Dusting attacks cause high-profile bans
A tweet by Tron founder, Justin Sun, has spotlighted the issue as he claims to now be unable to interact with Aave. Sun tweeted that Aave has blocked his account after he received 0.1 ETH from a random account through Tornado Cash.
The text on the screenshot shared with the tweet reads, “This address is blocked on app.aave.com because it is associated with one or more blocked activities.”
#PeckShieldAlert Over 600 addresses received 0.1 $ETH from https://t.co/LLczi0PVvh: 0.1 ETH contract which was added to the OFAC sanction list, including Big Names and Centralized exchanges.
Some users claimed that they were blocked by @AaveAave due to the "airdrop". https://t.co/WeXfpiSi7N pic.twitter.com/cB4M5T29Ya
— PeckShieldAlert (@PeckShieldAlert) August 13, 2022
According to PeckShieldAlert, over 600 ENS addresses received 0.1 ETH from Tornado Cash, and many of those who received the funds were blocked by Aave.
Aave’s decision to block these accounts is a response to the US Treasury Department’s Office of Foreign Assets Control (OFAC) decision to ban Tornado Cash. OFAC banned Tornado Cash, citing several connected addresses, claiming that North Korean hacker group Lazarus has been using it.
Following the ban, GitHub deactivated the account of the Tornado Cash creator. The crypto mixer’s website and Discord server also went offline. One of its developers was arrested in the Netherlands.
While many have criticized GitHub’s move, no one expected a decentralized platform not directly under US regulations to block any address connected to Tornado Cash.
But it seems that Aave is not the only DeFi platform complying with the ban. DeFi exchange dYdX also blocked addresses that have interacted with Tornado Cash in the past.
The move affected several accounts, including users who didn’t interact with Tornado Cash or even know the origin of the funds they received in various past transactions.
The founder of Assure, a DeFi KYC platform, told CryptoSlate, “We’ve opened Pandora’s box. Where will it end?” He continued,
“The recent OFAC sanctions on Tornado Cash and arrest of the developer are gravely concerning. The concept of banning & sanctioning open source code on the internet with a real use case is completely counter to the WEB3 ethos.
This is Silk Road all over again, and we know how that played out. Ross Ulbricht is still rotting in prison since he was sentenced in 2015.”
In response to Justin Sun’s tweet, Alex and Omega highlighted a potential workflow that could cause widespread contagion across the DeFi ecosystem, as shown below. Given the current implementation, there is a concern that a malicious actor could send Ethereum through Tornado Cash to wallets with large loans to trigger a liquidation event.
1. Identify all major loans on @AaveAave and plan possible liquidation cascade
2. Send ETH from @TornadoCash to all wallets with major loans
3. Let AAVE block all wallets
4. Short ETH
5. Initiate ETH dump
6. Watch liquidation cascade and nobody can do sth. about it
— αlex | αlex and Ωmega (@alexandomega) August 13, 2022
If wallets with active loans are banned from Aave, they would be unable to add additional capital to manage their LTV. As a result, if the price of the underlying assets declined, there could be a significant liquidation event as users would be unable to access their accounts.
This is unlikely in practice, as the protocols have a responsibility to their users to allow them access to their funds. However, as the error message in Sun’s tweet shows, it seems that only the application’s front end is being blocked.
Users may be able to interact with the protocols via a CLI or by forking the project to create their own front-end UI. This is beyond many users, but those with considerable funds should be able to access blocked assets via this method.
A search of Sun’s banned wallet address “0x3ddfa8ec3052539b6c9549f12cea2c295cff5296” indicates that he has over $100M in Aave tokens. He holds $91 million aTUSD, $58 million aUSDC, and $19 million aDAI. These funds appear to be unrecoverable via the front-end UI of Aave at present.
TRM Labs approach
The biggest concern, however, is how TRM Labs decides what constitutes a sanctioned address. If a wallet receives funds directly from Tornado Cash, there is a direct correlation. However, what if a user sends said funds to a DEX and swaps for a different token? Will the wallet that partakes in the swap now also be considered a sanctioned wallet? This is a real possibility if it is in possession of ETH that has at some point gone through Tornado Cash.
A chart created by ElBarto Crypto, an analyst at Block119, shows that 90% of Ethereum addresses have just four degrees of separation from Tornado Cash, with 41% within just two degrees.
Six degrees of tornado cash is a thing. Even crazier, while only 0.03% of addresses received ETH from tornado cash, almost half the entire ETH network is only two hops from a tornado cash receiver. pic.twitter.com/LDU9g0r7tQ
— ElBarto_Crypto (@ElBarto_Crypto) August 13, 2022
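The propagation question raised above, as an added example (not code from TRM Labs, Aave, or this article): a breadth-first search over a constructed transfer graph shows which addresses a screening rule would block at different hop limits, and how exempting dust-sized transfers changes the result. The addresses, amounts, and the `min_eth` exemption are assumptions made for illustration.

```python
from collections import deque

# Constructed sample transfers (sender, receiver, ETH); all names are made up.
TRANSFERS = [
    ("tornado_pool", "alice", 10.0),     # deliberate withdrawal
    ("tornado_pool", "celebrity", 0.1),  # unsolicited "dust"
    ("alice", "dex_router", 10.0),       # alice swaps on a DEX
    ("dex_router", "bob", 9.9),          # bob takes the other side of the swap
    ("bob", "carol", 1.0),
    ("celebrity", "exchange", 50.0),
    ("dave", "erin", 2.0),               # unrelated activity
]

def hop_distances(transfers, sources, min_eth=0.0):
    """BFS over the directed transfer graph: hops from any sanctioned source.

    Transfers of at most min_eth are ignored, modelling a dust exemption
    (an assumed policy, not one documented on this page).
    """
    graph = {}
    for sender, receiver, eth in transfers:
        if eth > min_eth:
            graph.setdefault(sender, []).append(receiver)
    dist = {s: 0 for s in sources}
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in dist:          # first visit is the shortest path
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def flagged(transfers, sources, max_hops, min_eth=0.0):
    """Addresses a screening policy with this hop limit would block."""
    dist = hop_distances(transfers, sources, min_eth)
    return {addr for addr, d in dist.items() if 0 < d <= max_hops}

if __name__ == "__main__":
    src = ["tornado_pool"]
    for hops, dust in [(1, 0.0), (1, 0.1), (2, 0.0), (4, 0.0)]:
        print(f"hops<={hops} dust>{dust}:", sorted(flagged(TRANSFERS, src, hops, dust)))
```

With no dust exemption, a one-hop rule blocks the dusted address alongside the deliberate withdrawer, and each additional hop pulls in counterparties such as the DEX router and the exchange that never touched the mixer.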
The potential for billions of ETH to become “blacklisted” is a real possibility in the fallout of the OFAC sanctions. TuongVy Le, Head of Regulatory & Policy at Baincap Crypto, told CryptoSlate,
“This is an issue. There need to be standards and transparency as to how we all need to be complying with this unprecedented and novel sanction of TC smart contracts and wallets.”
TuongVy Le, who is ex-SEC, went on to comment on TRM Labs’ approach to the compliance issue caused by OFAC,
“It seems like TRM is taking an expansive approach, which is understandable because sanctions violations are severe and there is a lot of uncertainty about how it applies here. At the same time, I think we need to ask whether there is an inherent conflict of interest when these compliance providers are doing work for both private sector and the government.”
In response to some concerns that the DeFi protocols in question may be sending user data to OFAC, Balancer confirmed that “user addresses” would be sent to “the feds” but “nothing else.”
Balancer only sends user addresses, absolutely nothing else. We do not send IPs or additional info.
— Balancer Labs (@BalancerLabs) August 12, 2022
A Balancer developer, Tim Robinson, further commented that all data is sent through “lambda so users IP’s aren’t sent to TRM.”
legal text != code implementation
All TRM requests go through a lambda so users IP's aren't sent to TRM: https://t.co/J4HkQfzdaN
Everything is open source
— Tim Robinson (@timjrobinson) August 13, 2022
At the time of writing, the incidents have had no apparent impact on the price of Ethereum or the broader crypto markets. Ethereum is sitting just below $2,000 after finally breaking through the psychological resistance overnight.
CryptoSlate reached out to the platforms in question that we have direct lines of communication with. Currently, there has been no response, but this article will be updated when more information becomes available.