tag:blogger.com,1999:blog-6704573462403312459.post1307631877798229283..comments2024-03-29T02:53:03.321-04:00Comments on Moneyness: Tornado.cash and money launderingJP Koninghttp://www.blogger.com/profile/02559687323828006535noreply@blogger.comBlogger17125tag:blogger.com,1999:blog-6704573462403312459.post-48387226199059657422021-12-15T09:15:13.663-05:002021-12-15T09:15:13.663-05:00Relayers are another layer of mixing to lower the ...Relayers are another layer of mixing to lower the chance of linking the withdrawal tx with the output payment (which are in the same block by definition). Imagine you have a block where ETH address 123 requests a withdrawal, and the contract pays out something to address 456. You now know 123 is linked to 456, and the amount (which is revealed on the way out). At best you get mixed with other payment requests in the very same block.<br /><br />https://ethereum.stackexchange.com/questions/94740/how-tornado-cash-relayer-trustless-protocol-worksAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-60338888993364195712021-12-13T09:36:01.548-05:002021-12-13T09:36:01.548-05:00"When I withdraw my funds, it's the same ..."When I withdraw my funds, it's the same funds I deposited in my note account."<br /><br />I still don't see it. When Bob withdraws ETH from Tornado, he's withdrawing them from the same pool that everyone else withdraws from. If Bob were withdrawing ETH from a stand-alone Tornado smart contract -- one to which only he had originally deposited, and to which only be had access -- then I'd certainly buy your argument that his ETH hasn't been commingled with other ETH deposits. But using isolated smart contracts would prevent the very obfuscation that is Tornado's motivating purpose, right?<br /><br />But I think we're getting distracted by analogies. Remember, money laundering occurs when someone knowingly conducts a transaction that allows criminals to disguise the source of the proceeds of unlawful activity. Any legitimate user who transacts on Tornado.cash is expanding the tool's anonymity set, making it easier for criminals to clean their cash. If these legitimate users are large and savvy (and know full well that Tornado is used by criminals), their contribution to that set puts them at risk of a money laundering conviction. JP Koninghttps://www.blogger.com/profile/02559687323828006535noreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-6876436101941479532021-12-12T08:34:59.019-05:002021-12-12T08:34:59.019-05:00I think you're stuck on the fact that there...I think you're stuck on the fact that there's a single on-chain Ethereum address, when addresses are just an arbitrary label. You're ignoring that the funds are actually controlled by thousands of lines of smart contract code and math. <br /><br />>Every person's funds stay compartmentalized.<br /><br />I would say that the funds *do* stay compartmentalized, at least from a user interface and math perspective. <br /><br />Many Tornado.Cash users use <a href="https://tornado-cash.medium.com/tornado-cash-adds-on-chain-deposit-backups-dbef9ac9e61d" rel="nofollow">"Note Accounts"</a> which are encrypted backups of their deposit and withdrawal data. This data *is* stored on the blockchain and effectively acts as a user's anonymous "safe deposit box" in the aforementioned anonymous vault. <br /><br />We can even see <a href="https://etherscan.io/address/0x756c4628e57f7e7f8a459ec2752968360cf4d1aa" rel="nofollow">thousands of transactions where users are initializing these Note accounts.</a><br /><br />When I use the Tornado.Cash front-end, it even shows me a nice table with all of my deposits and withdrawals in my note account, as well as some other information about them. (This is separate from Tornado's compliance tool.) <br /><br />The fact that a casual observer sees that the funds are stored in the same pool address is irrelevant. They are compartmentalized on a layer that is not viewable on etherscan.com. When I withdraw my funds, it's the same funds I deposited in my note account. They just are hard to trace by users who aren't me. <br /><br />If we apply that idea that funds in the same Ethereum address are commingled while ignoring the fact that they're in a programmatically-enforced smart contract, then we would say that all ETH stored on Solana, Arbitrum, Polygon, BSC, Avalanche, and other blockchains/layer-2 scaling solutions are commingled in their <a href="https://etherscan.io/accounts/label/bridge?subcatid=undefined&size=25&start=0&col=2&order=desc" rel="nofollow">respective bridges,</a> as these bridges have Ethereum addresses which hold large amounts of funds despite the fact that in *most* cases, this ETH is actually self-custodied on their respective blockchains (if you assume the bridge is secure and won't get hacked). Choosing to interpret it as "all funds on Arbitrum are commingled" wouldn't be a reasonable interpretation.<br />The fact is, no reasonable prosecutor would start singling out Tornado.Cash users and trying to argue against them, as this logic would quickly lead to an interpretation where almost every Web3 user has funds which were commingled with stolen funds and would be unenforceable. <br /><br />I have no idea why some institutions are okay using Aave Arc instead of regular Aave (I'm told it's because of "risk appetites") but there are definitely some institutions whose lawyers will allow them to use regular Aave. DrNickhttps://www.blogger.com/profile/06451667478492162501noreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-17688392139364070902021-12-12T07:30:18.398-05:002021-12-12T07:30:18.398-05:00"...can prove the correspondence between thei..."...can prove the correspondence between their own deposit and the specific note they withdraw."<br /><br />Sure, a Tornado user can show that they deposited funds to the Tornado 10 ETH pool. And they can also show that they withdrew funds from the pool. But they cannot prove that they are withdrawing the exact same funds that they deposited. They can't show that they haven't engaged in commingling.<br /><br />By contrast, a user of a bank vault can prove that they haven't commingled their money with anyone else's, because the safety deposit boxes are isolated from each other. <br /><br />What am I missing?JP Koninghttps://www.blogger.com/profile/02559687323828006535noreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-84582534743409151332021-12-11T19:59:33.430-05:002021-12-11T19:59:33.430-05:00Since one can prove the correspondence between the...Since one can prove the correspondence between their own deposit and the specific note they withdraw, I would argue its an apt analogy. Just as there can be many deposit boxes in one physical location, so too can there be many distinct deposits in one virtual location. Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-79156788893661670112021-12-11T14:53:31.604-05:002021-12-11T14:53:31.604-05:00I don't think you can edit the comments. Typos...I don't think you can edit the comments. Typos won't be held against you.JP Koninghttps://www.blogger.com/profile/02559687323828006535noreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-44732192244478557992021-12-11T14:52:42.521-05:002021-12-11T14:52:42.521-05:00Good points. I'm aware of the relayers, but I ...Good points. I'm aware of the relayers, but I don't entirely understand their role. There's not much information out there on them. They certainly add an extra layer of complexity.JP Koninghttps://www.blogger.com/profile/02559687323828006535noreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-35957487761736099952021-12-11T14:50:51.497-05:002021-12-11T14:50:51.497-05:00DrNick,
It's an interesting analogy. I agree,...DrNick,<br /><br />It's an interesting analogy. I agree, commingling doesn't occur in a bank vault with anonymous safe deposit boxes. Every person's funds stay compartmentalized. <br /><br />But is this the right analogy for Tornado? <br /><br />It seems to be that a bank vault with many safe deposit boxes would be more analogous to a Ethereum-based tool that has many separate smart contracts, such that if Bob's ETH gets deposited it stays separate from Aelliseu's ETH.<br /><br />Tornado relies on a collective smart contract. Anyone can deposit into the <a href="https://etherscan.io/address/0x910cbd523d972eb0a6f4cae4618ad62622b39dbf#internaltx" rel="nofollow">10 ETH pool</a>, for instance. The 10 ETH pool seems more analogous to a bank vault without individual safe deposit boxes, just one big shared box. Without any separation, it's risky to use since one might accidentally commingle one's funds with criminally-derived funds.<br /><br />The same problem arises with Uniswap, as you point out. My guess is that explains why tools like Aave are setting up completely isolated pools for traditional finance to experiment with. Lawyers at these institutions probably realize that they can't risk having their funds come into contact with money deposited by anonymous entities.JP Koninghttps://www.blogger.com/profile/02559687323828006535noreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-35651691030339068932021-12-11T12:03:01.272-05:002021-12-11T12:03:01.272-05:00I agree that this is certainly plausible but I hop...I agree that this is certainly plausible but I hope this isn't how it plays out.<br /><br />Unfortunately, firms such as Chainalysis and CipherTrace actually profit from crime and have an incentive to make things as complicated as possible. More crime/criminalization --> more cases for them -->more revenue. <br /><br />I think that this would lead to more profits for those who are willing to skirt laws and launder funds through black/gray markets -- which would not be dissimilar from alcohol prohibition.<br /><br />IMO, crime prevention would be significantly more cost-effective. That is, hold parties who are negligent with user funds accountable, educate consumers about audits and general security, and design front-ends so that it is more difficult to fall victim to a crime (MetaMask is already attempting to warn users about phishing but unfortunately their current approach turns into a game of whack-a-mole). DrNickhttps://www.blogger.com/profile/06451667478492162501noreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-89216727202149570992021-12-11T11:49:24.068-05:002021-12-11T11:49:24.068-05:00"Aelliseu could exchange stolen ETH for anoth..."Aelliseu could exchange stolen ETH for another ERC-20 via uniswap, which would result in the ETH in the uniswap pool being commingled with stolen ETH."<br /><br />Sooner or later this will very likely happen and networks will split into clean and dirty coins (or clean and dirty chains), that are not fungible (so you'll get two uniswaps, one for ETH-dark and one for ETH-clear, and there will be a black market price to swap, off-chain, between ETH-dark and ETH-clear), or equivalently two forks (on the clear one all the non-KYC coin will be burnt or otherwise disabled, to keep the clean ones clean).Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-5538986742504992062021-12-11T11:41:28.852-05:002021-12-11T11:41:28.852-05:00Relayers get paid a fee to act as money mules. :-)...Relayers get paid a fee to act as money mules. :-)<br /><br />The smart contract is immutable with no admin so there's nothing to govern. The governance token looks like a side-joke, just some memorabilia token that you used the protocol, that can be speculated on.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-16446421482068248712021-12-11T11:33:54.731-05:002021-12-11T11:33:54.731-05:00I'm not smart enough to figure out how to edit...I'm not smart enough to figure out how to edit my comment. Probably introduced a few typos, first one: <br /><br />*so that funds are stored across many addresses<br /><br />instead of "aren't"DrNickhttps://www.blogger.com/profile/06451667478492162501noreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-22566176221224599422021-12-11T11:30:26.828-05:002021-12-11T11:30:26.828-05:00I believe your argument hinges on a rather arbitra...I believe your argument hinges on a rather arbitrary definition of "commingled" with regards to smart contract addresses. <br />You're stating that because the fund are in the same ETH address, they are commingled. I strongly disagree with this interpretation.<br /><br />While I appreciate the mixing box analogy, I think a better physical analogy is a bank vault with anonymous safe deposit boxes. Imagine Aelliseau has stolen 2 kilograms of gold and the police are hot on her trail so she enters a bank with anonymous safe deposit boxes inside a vault that has no cameras. Nobody can see which box she is accessing. She stashes her gold, then disappears. Many other legitimate people use the same vault to store and retrieve their gold from their own anonymous boxes. Some are using the vault to protect their privacy. Others, like Carol, are using the vault for purposes other than privacy (e.g. to <a href="https://etherscan.io/address/0x023a5ea899df16831d6f3101f4568fddb577c887" rel="nofollow">farm $TORN).</a> <br />The police have limited resources and can’t harass every person who enters and exits the vault so in practice they would have to choose which vault customers appear the most suspicious. After 1 month, Aelliseu disguises herself as Bob who is seen leaving the bank with 1 kilogram of gold. Then she gives her key to her fence, Dave, who also retrieves 1 kilogram of gold. In this case, Aelliseu gets away with the theft unless the police can find other evidence tying Aelliseu to Bob and Dave.<br />If the police claimed they had credible intelligence that Carol’s gold was stolen, they could harass her. Then she'd show them her ledger, logging when she deposited and withdrew gold, along with a record of serial numbers, thus showing that her gold was legitimately acquired. <br /><br />Now let’s say instead of 2 kg of gold, Aelliseu <a href="https://etherscan.io/address/0xeff67710a1ae67885f660a965b0a8697cdb161a9" rel="nofollow"> stole 1524.0 kg of gold and deposited them in the vault</a>. Then 6 minutes later, <a href="https://etherscan.io/address/0xd7d08d621c125e0131689839639c52e714038b1f" rel="nofollow"> Bob was seen leaving the vault with 1524.0 kg of gold</a>. (This is a textbook example of a <a href="https://torn.community/t/funded-bounty-anonymity-research-tools/1437" rel="nofollow"> “multi-denomination reveal”</a> that everybody in-the-know is already familiar with.) The police find this suspicious and ask Bob to show them the receipt for the gold, at which point they realize Bob is actually Aelliseu with a fake mustache. <br />The difference between our interpretations is whether everything in the vault is commingled. I would say that because each user has a separate safe deposit box within the vault, the gold was never commingled, even if you can't always tell which box users were accessing. Some users can show their gold was legitimately acquired, others cannot. This example is not unlike a case that is in <a href="https://www.latimes.com/california/story/2021-07-26/judge-rules-against-fbi-beverly-hills-raid" rel="nofollow">Los Angeles.</a> I’m no lawyer, I think it's clear that the victims in this case had their 4th amendment rights violated.<br /><br />If you take the position that all ETH in the same smart contract address is commingled, then you run into other problems. For instance, Aelliseu could exchange stolen ETH for another ERC-20 via uniswap, which would result in the ETH in the uniswap pool being commingled with stolen ETH.<br />Tornado could be redesigned so that funds aren't stored across many addresses in order to avoid this arbitrary commingling definition but ultimately it would just add inefficiency to comply with an arbitrary interpretation of an archaic law. <br /><br />Many people who use privacy services are attempting to protect themselves from crimes such as fraud, identity theft or even violent robbery. If users protect themselves and make such crimes more difficult to commit, law enforcement will be stretched less thin and have more resources to focus on the crimes which couldn’t be prevented. <br />DrNickhttps://www.blogger.com/profile/06451667478492162501noreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-46275335063727392622021-12-11T11:30:10.302-05:002021-12-11T11:30:10.302-05:00Tornado pays the yield by issuing its governance t...Tornado pays the yield by issuing its governance token, TORN. <br /><br />"Wouldn't the people who own the governance tokens be subject to KYC laws?"<br /><br />I'm operating on the assumption that Tornado is just software (with upgrades being initiated via governance), and so it can't be accused of committing a crime. (See my PPS at the end).JP Koninghttps://www.blogger.com/profile/02559687323828006535noreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-77121981838041556132021-12-11T11:27:59.525-05:002021-12-11T11:27:59.525-05:00If Bob's mental state is genuinely not one of ...If Bob's mental state is genuinely not one of "knowing," then he probably couldn't be accused of money laundering. <br /><br />Mind you, if Bob is a large and sophisticated operator in the DeFi space -- maybe he regularly has 100 Ethereum on deposit in Tornado contracts -- I'd be skeptical if he were to claim to not realize that thefts are regularly commingled on Tornado.JP Koninghttps://www.blogger.com/profile/02559687323828006535noreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-7952226026310503152021-12-11T11:13:51.565-05:002021-12-11T11:13:51.565-05:00How does tornado cash earn the yield it pays peopl...How does tornado cash earn the yield it pays people? Wouldn't the people who own the governance tokens be subject to KYC laws?Jonhttps://www.blogger.com/profile/02452892938623254025noreply@blogger.comtag:blogger.com,1999:blog-6704573462403312459.post-82031678457288483952021-12-11T09:38:07.057-05:002021-12-11T09:38:07.057-05:00Very interesting post.
You say that the introducti...Very interesting post.<br />You say that the introduction of yield for using Tornado makes Alice's claim to be a consumer of financial privacy less credible. What about Bob, who is not so much a financial privacy connoisseur but a yield junkie, who explicitly wants to earn returns on his investments. He doesn't know about money laundering or other illicit activities. But his claim that he uses the protocol for the yield is definitely credible, isn't it?Bobnoreply@blogger.com