Turning Point in Crypto Finance History: USDC is Backfiring on DeFi

BlockBeats
2022-08-11 14:00:05
A financial institution incubated by Wall Street giants has now become the backbone of the entire DeFi. Who is truly the master of the decentralized world?

Author: 0x137, BlockBeats

Just as the Ethereum testnet announced the successful merge, the crypto world also faced another historical turning point: due to the freezing of access to funds in certain addresses by USDC issuer Circle, the mainstream DEX protocol dYdX experienced user account restrictions, passively following the sanctions against Tornado Cash.

Three days ago, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) added Tornado Cash and 45 associated Ethereum wallet addresses to its SDN sanctions list. This made Tornado Cash the second mixer to be sanctioned by OFAC after Blender.io. However, unlike the former, Tornado Cash is the first case where regulators targeted a protocol for sanctions.

"The entire crypto industry has entered a significant turning point, and government regulation of the industry has entered uncharted territory." In a blog post published earlier yesterday, Circle CEO Jeremy Allaire repeatedly emphasized the importance of the "Tornado Cash incident." While expressing an absolute commitment to regulatory order, the text also revealed Jeremy's concerns and worries about this industry regulation and the future of crypto.

Many people have yet to fully understand what Jeremy means by a "significant turning point." But perhaps as more and more "decentralized protocols" passively follow sanctions, we will find that those foundational pillars that once supported the entire decentralized world are now being used as regulatory tools, becoming a killer weapon against the industry. We can't help but wonder, is there still decentralization in the industry? How strong is Crypto's ability to resist censorship and regulation? What will the future path of privacy in the crypto world look like?

Tornado Cash: The B-side of a Tool

Origin Story

Tornado Cash's founder, Roman Semenov, studied physics as an undergraduate, particularly enjoying research on black holes, cosmic particles, and quantum statistics. However, with the rise of the internet trend, Roman began to learn programming and soon founded several internet startups. In 2017, out of curiosity and love for new things, he entered the blockchain field, working on Ethereum scalability. At that time, the mainstream solution for Ethereum scalability was still Plasma, but shortly after joining, Roman discovered the efficiency issues with Plasma and quickly shifted to the zk-SNARK path.

Initially, Roman did not consider the potential of zk-SNARKs in terms of privacy; he only used them to solve Ethereum's scalability issues and for some oracle development. However, as Roman delved deeper into the crypto OG community, he realized the enormous market for privacy and the natural advantages his team possessed.

Due to the underlying design, transactions on both Bitcoin and Ethereum are public. As long as others know your wallet address, your financial history is completely exposed. Roman found that many hardcore crypto players were unwilling to be in such a passive state, but transferring assets between Ethereum and privacy tokens like Monero was very inconvenient. Thus, he experimented with some privacy projects at an Ethereum hackathon, unexpectedly achieving great success.

Not long after, the team decided to put their small experiment into production, and Tornado Cash was born.

Tornado Cash founder Roman Semenov.

The most important aspect of Tornado Cash is that it is no longer just a simple mixer, but a mixer built on smart contracts. For crypto newcomers, this may not seem like much of a difference. But for crypto OGs, this is crucial because it involves the issue of custody.

In fact, the concept of mixers is not new; many teams had attempted it before Tornado Cash, but most were centralized companies. Users only needed to submit a specified address and pay a fee, while the asset transfer process was completed off-chain. This also meant that their assets would be held by the company, putting user data and ownership at risk, which was a huge red flag for many crypto OGs who had experienced the "Mt. Gox incident."

In contrast, a mixer like Tornado Cash, based on smart contracts, is non-custodial. After users send funds to the mixer, they receive a deposit receipt, allowing them to withdraw funds from a new address at any time. Additionally, Tornado Cash collaborates with relayer service providers to ensure that new addresses can withdraw funds even when they hold no balance to pay for gas. With no need for custody and no need to fund gas in advance, Tornado Cash naturally became the preferred choice for privacy users.

After years of development and immersion, Roman had long become a solid Ethereum OG. Upholding the community-led philosophy, after Tornado Cash went live, the team intervened little in the protocol's operation, mainly focusing on development research and releasing new code on GitHub. All deployments, protocol changes, and important decisions for Tornado were made by the community through a DAO governance model.

Of course, at this time, Roman Semenov did not anticipate that his flagship protocol would become a "relative" of terrorists and drug lords three years later.

A Hacker's Favorite

In March 2022, Ronin Bridge, the cross-chain bridge created by the team behind the well-known blockchain game Axie Infinity, was hacked. Over $620 million in crypto assets were lost in less than a month, making it the largest crypto hacking incident in history. When the problem was discovered and the team was notified, everyone could only watch helplessly as nearly $450 million of the stolen funds flowed into Tornado Cash, washed away without a trace.

Although such large-scale thefts like Ronin are still quite rare, various hacking exploits and theft cases have shown a growing trend over the past year, especially in DeFi protocols and cross-chain bridges. These incidents often share a common point: hackers send most of the stolen funds to Tornado Cash.

It must be acknowledged that the core positioning and functionality of mixers, along with their minimal KYC requirements, naturally make them the preferred choice for cybercriminals. According to Chainalysis data, nearly 10% of funds sent from illegal addresses were transferred to mixers like Tornado Cash, while funds sent to centralized exchanges and DeFi "mainstream infrastructure" did not even exceed 0.5%.

From 2021 to 2022, the proportion of funds from illegal addresses in the Tornado Cash protocol rose by 10%, exceeding 25%. In a report on Monday, OFAC made efforts to depict the important role Tornado plays in illegal money laundering, pointing out that in just three years since its inception, it has laundered over $7 billion.

Before imposing sanctions on Tornado Cash, regulators had contacted Roman multiple times, hoping the team could provide corresponding improvements and solutions regarding illegal money laundering issues, but the team's response was not positive. Roman stated that his team could hardly control how Tornado users operated the protocol, "We are powerless in assisting with investigations because the team has little control over the protocol."

In an interview, Roman even made a bold claim. He believed that imposing sanctions on decentralized protocols "is technically impossible." In response to such remarks, regulators had no choice but to take strong action.

Centralized Regulation vs Open Source Protocol: How Decentralized is Crypto?

Shortly after the regulatory news broke, a user named @Depression2019 tweeted that he had accumulated a large number of wallet addresses of celebrities and KOLs and would send 0.1 ETH to these addresses via Tornado Cash. Many users interacted below, thinking that this public act of defiance against regulation was just a joke.

Unexpectedly, on Tuesday, an anonymous address really sent transactions from Tornado Cash to these Ethereum addresses. Coinbase CEO, Beeple, talk show host Jimmy Fallon, clothing brand Puma, and a wallet address created to donate to Ukraine were all affected, sparking considerable discussion.

To some extent, this indeed reflects the absurdity of sanctioning users who receive funds from SDN blacklisted addresses, as they cannot refuse others' transfers. At the same time, it also highlights the essential differences between native and centralized crypto applications.

Since Tornado Cash is a mixer smart contract, it cannot be shut down and is difficult to fit into a legal regulatory framework because there must be a sanctioned entity. Therefore, OFAC's approach is to "shift" the sanctioned entity, requiring or sanctioning U.S. individuals or entities associated with Tornado Cash, demanding they freeze transactions or funds coming from Tornado Cash.

Clearly, this approach is very clumsy. The regulatory framework still relies on traditional finance, using banks, funds, and other institutions as "gatekeepers." Once they capture the entity, they seize the money faucet. However, the open-source and decentralized nature of crypto aims to eliminate intermediaries, making regulation nearly impossible without a physical entity. According to Dune Analytics data, since the OFAC ban was announced on the 8th, over $55 million in ETH has still been transferred out of Tornado Cash into new wallet addresses.

So, if that's the case, why are developers in the crypto space still concerned about this sanction? The answer remains the same.

"Source Code Is Speech"

Tornado Cash is not an entity; although many crypto institutions had "enjoyed" legal sanctions before Tornado, this is the first time regulators have pursued legal responsibility against a protocol. This means that the sanctions not only impact user privacy but also pose a new threat to protocol freedom.

Having been in the crypto circle for a long time, we are well aware of the concept of "Code is law." However, for many OG developers, protocols are not just laws; they are also expressions of their thoughts and speech. In other words, protocol freedom is as important as freedom of speech. After the ban was announced, some developers even cited the 1996 federal court case "Bernstein v. U.S." to defend the legal compliance of "source code as speech" protected by the First Amendment of the U.S. Constitution.

Circle CEO Jeremy also wrote in a blog post released yesterday: "Sanctioning protocols has now become a major policy issue, as we want to obtain permissionless innovation rights on public blockchains while still adhering to financial integrity principles and preventing bad actors. This should raise significant attention and discussion, as well as the continuous development of new policies."

Indeed, taking a blunt approach to sanctioning Tornado Cash sets a bad precedent for crypto regulation. Today it's Tornado Cash; tomorrow could it be Uniswap or SushiSwap? When will it end? Where is the bottom line? Regardless, this sanction has placed decentralized protocols in a dangerous position.

Of course, this sanction has also made the industry realize that the key to regulating crypto lies not in whether it is a protocol, but in how many entities exist within the space. In fact, this industry is not as decentralized as we imagine.

Web3 Built on Web2

Less than 24 hours after the OFAC sanctions were announced, Tornado Cash's source code disappeared from GitHub, Roman's personal GitHub account was suspended, and his personal repositories were closed, even though he was not on the sanctions list. The most important donation application in the crypto space, Gitcoin, also immediately stopped all sponsorships for Tornado Cash.

Although Tornado Cash's code is still running, its interactive front-end webpage can no longer be opened, making it increasingly difficult for crypto users unfamiliar with smart contracts to retrieve their funds.

Tornado Cash GitHub page.

Over the past year, various Web3 protocols and applications have emerged one after another, leaving people dazzled. We live every day in a decentralized narrative, seemingly forgetting our dependence on Web2. Community information management relies on Discord, industry news dissemination relies on Twitter, and code dissemination and development depend on GitHub.

This seemingly reasonable dependence provides favorable leverage for centralized regulation, as it increases the number of entities within the space. Although regulators cannot shut down contracts, they can prohibit the dissemination of code; although they cannot eliminate DAO communities, they can monitor or even sever connections between members; although they cannot find anonymous teams, they can shut down project Twitter accounts. As long as there are enough entities, regulatory hands can be everywhere.

These real risks have been thoroughly forgotten in the industry's narrative of "harmonization" and "mainstreaming," and decentralization and de-entityization seem to have become two separate concepts. This sanction serves as a wake-up call for the industry: in Web3, non-protocol means entity, and once there is an entity, there is regulation.

Centralized DeFi

Despite fully expressing concerns about OFAC sanctions, Circle still had to comply and immediately froze the USDC access rights of addresses on the SDN list. This opened many crypto users' eyes to the fact that their "digital dollars" could also be confiscated. We can't help but wonder, how is this different from traditional finance?

In the crypto space, stablecoins are undoubtedly the largest sector, with a market cap exceeding $100 billion, accounting for 10% of the entire crypto market. Without a doubt, without stablecoins, there would be no DeFi Summer, and there would be no thriving Web3 ecosystem today. It can be said that stablecoins are the cornerstone of today's decentralized world. However, among the four major stablecoins currently dominating the market (USDT, USDC, BUSD, DAI), three come from centralized institutions.

After USDT faced a brief crisis in 2018, the risks of centralized stablecoins have been a hot topic of debate in the community. Although centralized stablecoins are based on full collateral, the U.S. dollars stored in their bank accounts are subject to freezing risks. Additionally, some deposits may be used to purchase corporate bonds, government bonds, etc., which also increases centralized risks. For a long time, people preferred USDC over USDT, believing Circle to be more compliant and transparent. This freezing of access rights has made many realize that the difference between the two is not that significant.

To escape centralized risks, decentralized stablecoins like DAI have emerged. They also use full collateral but rely on decentralized crypto assets, with the peg to the dollar achieved through algorithmically adjusting interest rates. Although the narrative sounds beautiful, the reality is not so. Whether it's DAI or FRAX, USDC holds an absolute proportion in their collateral assets. In other words, current decentralized stablecoins are still built on centralized foundations.

DAI collateral asset ratio, with USDC accounting for more than half. (Image from The Block).

Indeed, shortly after Circle announced the freezing of access rights for blacklisted addresses, one of the mainstream DEXs, dYdX, experienced user accounts being frozen without cause.

dYdX issued a statement saying that OFAC's "surprise ban" affected many users who had never directly used Tornado Cash; these users were even unaware that their funds had any association with Tornado Cash before interacting with our platform.

Although the dYdX team is making efforts to adjust within compliance, lifting some account bans, they are powerless against the "invisible hand" of OFAC and Circle. On Twitter, dYdX founder Antonio expressed regret over OFAC sanctions and Circle's freezing of access rights, while also pointing out the reality that DeFi cannot do without USDC. It is easy to imagine that more DeFi protocols or Web3 applications will face similar issues in the future.

In fact, after the collapse of UST, the topic of algorithmic stablecoins gradually lost its luster, and both new and old stablecoin projects returned to the path of full or over-collateralization, with USDC coincidentally becoming their main backing asset. This is indeed a very ironic fact: a financial institution incubated by Wall Street giants has now become the backbone of the entire DeFi. We can't help but wonder, who is the master of the decentralized world?

"Know Your Customer": On Privacy and Secrets

In the crypto circle, the term KYC is discussed at all times. Centralized exchanges require KYC, project crowdfunding requires KYC, and even buying real estate in the metaverse requires KYC. However, although KYC is often mentioned in this industry, many users do not know what KYC actually means. In fact, KYC is not just a verification procedure.

"Know Your Customer" has long been a fundamental principle in traditional finance. By understanding a customer's work and financial background, potential risks in opening accounts for them can be assessed, and more importantly, it prevents "bad actors" from entering the market. But we also know that finance is an industry that places great emphasis on privacy, as no one wants to casually let others know their financial situation.

Because of this, the demand for anti-cheating KYC and the privacy needs of protecting personal information form a mutually exclusive yet attractive force, creating a paradox that is difficult for the industry to resolve. Thus, in the financial world, we often hear another saying: "Privacy and secrets are like twins, often confused with each other."

The Panama Papers

In April 2016, a German newspaper called Süddeutsche Zeitung published leaked documents from a law firm. A week later, over 100 media outlets and the International Consortium of Investigative Journalists collaborated on a massive investigation based on these documents, which later became synonymous with exposing international financial and political corruption: the Panama Papers.

The leaked documents came from one of the world's four major offshore law firms, Mossack Fonseca. Among the 11.5 million encrypted documents, over 210,000 tax avoidance networks were covered, involving individuals and entities from 200 different countries, including dozens of current or former world leaders, hundreds of business and entertainment celebrities, and other wealthy individuals. Before the documents were made public, the personal financial information of these individuals was completely confidential.

Investigators found that most of the document contents did not involve illegal activities, and the offshore business entities established by Mossack Fonseca were entirely legal. However, upon closer examination, it was discovered that beneath layers of shell companies and obscure terms lay a wealth of tax evasion, fraud, and other criminal activities. This mature legal framework not only safeguarded the financial privacy of the super-rich but also provided a haven for "bad actors."

Headquarters of Mossack Fonseca in Panama.

Undeniably, the privacy market can bring enormous profits. However, the pursuit of privacy and high standards often inadvertently nurtures the growth of secrets, sometimes even intentionally, as those with the greatest need for privacy are precisely the two types mentioned above. For a long time, the competition for the privacy market has played out in global financial centers, from Switzerland to London to New York, where governments and financial institutions attract massive funds with higher standards and more favorable terms under the guise of "Know Your Customer," including a fair share of illicit "blood money."

The "Secret War" of Crypto

The point of all this is to illustrate that the struggle between privacy and secrets exists not only in the crypto space but is an eternal topic throughout the financial world.

In reality, Tornado Cash is not entirely a "den of thieves." According to Chainalysis data, over half of Tornado's funds come from DeFi protocols and centralized exchanges. Due to privacy needs, many DeFi project teams and crypto whales regularly use Tornado Cash to change wallet addresses; for them, Tornado is an essential privacy tool.

The same goes for ordinary crypto users; when we encounter situations where we need to make anonymous donations to specific organizations and countries or pay for sensitive medical expenses, privacy tools demonstrate their value, even if such situations are not common. On the 9th, Vitalik publicly stated on Twitter that he had used Tornado Cash to donate to Ukraine to support this viewpoint.

In response to the regulatory sanctions, the industry has also made positive responses. Circle CEO Jeremy, while emphasizing the importance of this incident, called on industry leaders and developers to brainstorm and provide better and more suitable regulatory solutions for crypto to ensure the future of free and open-source protocols.

Personally, I have always believed that what crypto faces is not a regulatory war, but a "secret" war.

For a long time, the main excuse for regulating the crypto industry has been anti-money laundering and anti-fraud, from Bitcoin to DeFi, and now to Tornado Cash. You must acknowledge that there are indeed many illegal activities in both the real world and the crypto world. Since illegal activities in the real world are sanctioned, why shouldn't those in the crypto world be?

In fact, decentralization does not mean deregulation; even in a decentralized world, there is still "Code is law." Crypto should not become a lawless land; maintaining a healthy financial and community order is also a fundamental responsibility of "Crypto Code."

Of course, welcoming regulation does not mean abandoning privacy. Technologies like Bitcoin and DeFi were born to address the shortcomings of traditional finance, and these shortcomings largely stem from the confusion between privacy and secrets. As its alternative, crypto should do better in this regard. With the support of technologies like ZK, today's crypto is closer than ever to unraveling the ultimate paradox of privacy and secrets. The future of crypto should be to become regulation itself, even a new tool for regulating the decentralized world.
