Fancy seeing you here! The SEC nailed an NFT project. Uniswap notched a win for DeFi. And buckle up for one hell of a fight over Tornado Cash. This is Glitch the Sixth.
In this issue:
Stuff that has us like 👀
A US judge sides with Uniswap in “scam tokens” case
Is the SEC on the verge of an NFT crackdown?
If you care about financial privacy and the future of the internet, it’s worth wrapping your mind around Tornado Cash
1. Two things that have us like 👀
Uniswap smart contracts are not like self-driving cars
In a big win for crypto, a US District Court judge in New York has dismissed a lawsuit that argued decentralized exchange developer Uniswap Labs had violated securities laws by not registering as an exchange or broker-dealer. The plaintiffs had said Uniswap, its creator Hayden Adams, and several of Uniswap’s venture capital backers were to blame for investors’ losses due to “scam tokens” they traded using Unsiwap’s smart contracts and website.
The larger discussion here, which has been going on for years, is maddeningly complicated (welcome to crypto). But it boils down to a question: Are the people who create smart contracts—or the websites that facilitate the use of those smart contracts—responsible if they’re used to do crimes? (This is such a fun question that we wrote a whole feature on it, below.)
In this case, Judge Katherine Polk Failla also had to decide whether the answer to that question lies in existing securities laws. It does not, she wrote in a filing last week. “The Court declines to stretch the federal securities laws to cover the conduct alleged, and concludes that Plaintiff’s concerns are better addressed to Congress than to this Court.”
Failla wrote that it “defies logic that a drafter of computer code underlying a particular software program could be held liable” under today’s securities law for “a third-party’s misuse of that platform.”
The plaintiffs’ argument that Uniswap Labs’s conduct is analogous to a “technology company that creates a self-driving car with flaws leading to harm or death” falls short, she wrote. “Indeed, this is less like a manufacturing defect, and more like a suit attempting to hold an application like Venmo or Zelle liable for a drug deal that used the platform to facilitate a fund transfer.” —Mike Orcutt
“The next Disney” will not be tokenized
The US Securities and Exchange Commission (SEC) brought its first-ever enforcement action against an NFT project last week, ending the dreams of a company that fancied itself “the next Disney,” except tokenized.
LA entertainment company Impact Theory became the latest crypto slinger to attract ire from the SEC as it settled an investigation to the tune of $6.1 million plus other damages for selling unregistered securities in the form of NFTs. Impact Theory offered digital assets called founders keys, which promised access to items on a roadmap including everything from new games to feature-length movies. “(I)magine that you could’ve gotten in on Disney when they were doing Steamboat Willie,” the company said in promotional materials, according to the SEC’s charging order.
The agency zeroed in on such statements to make the case that the value of the NFTs would be derived from the efforts of the company, and thus constituted a securities violation.
The enforcement action is sure to have struck fear into the hearts of the many other projects that have made similar-sounding claims about letting outsiders in on the ground floor of the next Disney, a ticket to the moon, or any other absurd hyperbole.
On the other hand, SEC Commissioner Hester Peirce, known as “Crypto Mom” for her friendliness toward the industry, cautioned against inferring precedent from the move. “Non-fungible tokens are not an easy-to-characterize asset class, particularly because they can give the owner a wide array of rights to digital or physical assets,” she said in a statement along with fellow Commissioner Mark Uyeda. “People are experimenting with a lot of different uses of NFTs. Consequently, any attempt to use this enforcement action as precedent is fraught with difficulty,” they wrote.
Watch this not-easy-to-characterize space. —Lucy Harley-McKeown
2. Why normies should care about Tornado Cash
You may have heard that the US government has indicted two of the developers behind a cryptocurrency project called Tornado Cash. Unless you are a crypto enthusiast, however, you probably don’t care. Fair enough.
But this isn’t just another crypto thing.
Granted, the Tornado Cash saga is extremely crypto. Talking about it requires using terms like “smart contract” and “DAO.” But more broadly it’s about financial privacy in the digital age. It’s about the nature of software as a form of human creativity. And depending on how things play out, it could be a defining moment in how the next generation of the internet gets built.
Mixing it up
Think about it this way: physical cash is going away, and right now there is no reason to think the government will come up with a digital alternative that is just as private. If it doesn’t, and you still want to transact privately, you’ll need to look elsewhere. Tornado Cash was an attempt at a digital alternative to physical cash.
Whatever you think of cash, it provides freedom—to buy or sell stuff without anybody else knowing about it. The convenience of debit cards and electronic payments is helping to undermine that freedom. The vast majority of payments—especially big ones—leave a digital trail of some sort.
Even Bitcoin, which has often been called a currency that's only useful to criminals, is not even close to private, because every transaction that involves Bitcoin is indelibly recorded on a publicly viewable ledger. People who like cryptocurrencies have spent a large amount of energy trying to figure out how to overcome this and bring paper-cash levels of privacy to the digital world. One approach they’ve come up with is called a mixer. The idea is essentially that a large number of people can pool their crypto funds, shuffle the money up, and then redistribute it. A user gets back the same amount of money they put in, but the coins they withdraw are no longer attached to the previous record of transactions.
Tornado Cash is typically called a mixer. But it’s a great example of how not all mixers are created equal. Most mixing services are run by real people who take control of the money and mix it up with other peoples’ money before returning the same value back, typically for a fee. By contrast, Tornado Cash automates that control via smart contracts, which are software programs stored on and executed by the Ethereum network.
Users deposit tokens into a Tornado Cash “pool” contract. Then they can withdraw the same crypto-tokens to a different address—as opposed to spitting out a mixture of coins that fellow users deposited, which is what most mixers do. The smart contracts use sophisticated math called zero-knowledge cryptography to keep the link between the two addresses secret.
Tornado Cash launched in August of 2019. In May of the following year, the creators upgraded the smart contracts to remove their ability to modify them, a move they said would make Tornado Cash “forever unstoppable!”
You can imagine how the US government felt about this.
Shit hits the funnel cloud
In the same way that people trying to evade the law tend to like cold hard cash, so too did they like Tornado Cash. According to the US Treasury, one of the biggest users happened to be Lazarus Group, a notorious North Korean state-sponsored hacking group.
In August of last year, the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash. Specifically, it added the Tornado Cash website and a list of Ethereum addresses to its list of “Specially Designated Nationals” with whom Americans are not allowed to do business.
It wasn’t the first time OFAC had sanctioned a mixer. In May of 2022, it added Blender.io to the SDN list—also for allegedly aiding Lazarus Group. In that case, OFAC sanctioned several dozen Bitcoin addresses, similar to how it sanctioned several dozen Ethereum addresses associated with Tornado Cash. But the Tornado Cash sanctions were different, Jerry Brito and Peter Van Valkenburgh of the blockchain policy advocacy group Coin Center pointed out at the time.
In the case of Blender, people controlled the addresses. In the case of Tornado, some of the addresses had no human controllers. “This is sometimes difficult for persons unfamiliar with decentralized blockchain technology to understand,” Brito and Van Valkenburgh acknowledged. “(B)ut an application (also known as a smart contract) can be installed on the Ethereum network in such a way that, once installed, the person who installed it no longer has any control whatsoever over it.”
This is a problem, Brito and Van Valkenburgh argued, because the Treasury referred to an executive order issued in 2015 by the Obama administration as the source of its authority to sanction Blender and Tornado Cash. The language in that order narrowly defines the “individuals or entities” that can be included in the SDN list as “a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization.” The Tornado Cash pool contracts are none of those things, Brito and Van Valkenburgh said, so they cannot be subject to these sanctions.
Coin Center, along with other plaintiffs that include Tornado Cash users, donors, and activists, is now suing the Treasury Department. The suit argues that OFAC overstepped its authority in imposing sanctions on Tornado Cash’s privacy pools, that Americans with money trapped in the smart contracts were denied due process, and that by banning Americans from using the tool the sanctions violate the First Amendment right to associate privately—for example, by using Tornado Cash to hide politically sensitive donations.
Messy details
The past few weeks have been rough for Tornado Cash advocates. First, a judge decided against them in a separate lawsuit, this one financed by crypto exchange Coinbase, that had also argued that Treasury had exceeded its authority in sanctioning Tornado Cash. The judge determined Tornado Cash is an “association” or “entity” and thus OFAC can legally sanction it—including its smart contracts, which he deemed Tornado Cash’s “property.”
Fair warning that this is where the story starts to get really crypto. It’s also where it starts to become clear why the Tornado Cash fight is bigger than crypto.
What’s indisputable is that the Tornado Cash developers did a lot more than write some smart contracts and let them free in the wild. They built and maintained a website that made it easier for people to use those smart contracts. They set up a so-called decentralized autonomous organization, or DAO, to vote on changes, new features, and other decisions about the protocol. And they created a tradable token, called TORN, that members of the DAO could use to vote.
On top of all that, they added a system of third-party operators called “relayers” that add an extra layer of user privacy. On one level, the Tornado Cash pools work like a robotic coat check: when you drop your coat (tokens) off you get a claim check, and when you want your belongings back you return the claim check. Relayers will do that for you and pay the blockchain transaction fee that’s required to execute the withdrawal—saving users from having to send enough crypto to their withdrawal wallet to pay the transaction fee, an extra transaction that could be enough to crack their anonymity. Relayers profit because in return for their service, the smart contract kicks them a fee.
Relayer-facilitated transactions, which, according to the government, comprise 84% of all Tornado Cash transactions, generate fees for the DAO in the form of TORN tokens. This “regular stream of revenue from the smart contracts” represented a “beneficial interest” on the part of the DAO that justified sanctioning the contracts, the judge in the case concluded.
Then, on August 23 the US Department of Justice indicted Tornado Cash creators Roman Storm and Roman Semenov, charging them with conspiracy to commit money laundering, conspiracy to commit sanctions violations, and conspiracy to operate an unlicensed money-transmitting business. Storm was arrested in Washington State; Semenov remains at large. (A third creator, Alexey Pertsev, was not mentioned in this indictment but is facing trial in The Netherlands on charges of facilitating money laundering.)
The indictment claims that Storm and Semenov knew that “a substantial portion” of the funds passing through Tornado Cash were “criminal proceeds,” and refers to private messages to argue that they were also aware that Lazarus Group used it.
It also emphasizes that Storm and Semenov had control over the Tornado Cash user experience, which for most people was the website they built and maintained. The indictment called the website a “key component of the service”—though it is possible to interact directly with the smart contracts instead of using the “frontend” website, it requires specific technical skills and savvy. Besides being user-friendly, the website also provided tips for how users could maximize anonymity while using Tornado Cash.
The indictment highlights one specific episode after the Treasury Department linked Lazarus Group to the theft of more than $600 million in cryptocurrency, in which Storm and Semenov deployed a change to the user interface that ostensibly blocked deposits from OFAC-designated addresses. The government cites private messages to show that the duo knew the change would be “easy to evade.”
🤔🤔🤔🤔🤔
Still, none of the legal proceedings so far have engaged directly with the central question that Coin Center posed last August: how should smart contracts, in a vacuum, be seen by the law?
Court documents have so far emphasized all the stuff the Tornado Cash founders did in addition to deploying the contracts. But let’s imagine for a moment that Tornado Cash’s creators didn’t do all that extra stuff. They just created smart contracts, deployed them on the Ethereum blockchain, threw away the keys, and walked away. Then Lazarus Group figured out how to use Tornado’s smart contracts on its own. Would Storm and Semenov still have been indicted?
The indictment accuses Tornado Cash of being an unlicensed money-transmitting business, saying it failed to register with the department’s financial crimes enforcement unit and deploy anti-money laundering systems. But this charge raises yet another question, Coin Center’s Van Valkenburgh noted last week. In 2019, the Treasury issued policy guidance focused on “virtual currency” in which it explicitly stated that an “anonymizing software provider is not a money transmitter.”
Since it appears that Storm and Semenov did not directly handle or control the funds that flowed through Tornado Cash, Coin Center contends that the government has already stated pretty clearly that, legally speaking, Tornado is not a money transmitter.
Now, can providing anonymizing software violate sanctions? That’s another question, and the courts and Treasury seem happy to leave it unanswered. Semenov and Storm did, in fact, do all that extra stuff, and that appears to have left an opening for the prosecution to build a case without going too far out on a legal limb.
As a matter of prosecutorial tactics, that’s probably wise, because a smart contract is indeed a novel type of software. It can be designed in such a way that you can’t kill it unless you kill the whole Ethereum network. In this sense, Tornado Cash really is unstoppable. Despite being sanctioned in the US, it’s still very much alive and well as a functioning piece of code—people outside of America can still use it if they want, provided they know how to access its pools without the help of the website.
Some Tornado Cash advocates argue that the US government is violating the Constitution. As mentioned before, Coin Center has argued that banning Americans from using the privacy tools violates their First Amendment right to associate privately. Meanwhile, internet freedom-focused groups like the Electronic Frontier Foundation (EFF) have long argued that computer code is Constitutionally-protected speech. After OFAC took the “unprecedented” step of adding open-source computer code to the SDN list, the EFF argued that it could have a chilling effect on privacy software development.
The judge who recently decided the Coinbase-funded lawsuit against OFAC disagreed with the EFF’s First Amendment argument. But he did clarify that it’s okay for people to “lawfully analyze the code and use it to teach cryptocurrency concepts … They simply cannot execute it and use it to conduct cryptocurrency transactions.”
In response, executive director Cindy Cohn wrote that the EFF was “disappointed that the Court did not conduct a full First Amendment analysis and directly require the Treasury Department to take more care, both here and in any future situations where open source projects interact with federal sanctions laws.”
Under what conditions is it legal or illegal to build and deploy anonymizing software? More broadly, under what conditions is it legal or illegal to build and deploy software that no one can fully control?
How and when these questions get answered will be core to shaping the direction not just of protocols like Tornado Cash, but the whole experiment of decentralized software—at least for Americans. That in turn is likely to shape the future of the internet, much of which is being built with an eye towards incorporating aspects of decentralization. Meanwhile, expect one hell of a fight. —Mike Orcutt