DeFi Web Apps Block Users Hit by Tornado Cash ‘Dust Attack’
Tron founder Justin Sun was blocked by the front-end web app of DeFi protocol Aave over the weekend after a Tornado Cash ‘dust attack.’
- Sun claimed he was sent 0.01 ETH from an anonymous source via Tornado Cash, leading to Aave blocking his blockchain address
- Privacy advocates say the Treasury’s move to ban Tornado Cash is a violation of human rights
Prominent crypto users reported being blocked by web apps of major DeFi (decentralized finance) protocols over the weekend, as the ecosystem continues reckoning with recent Tornado Cash sanctions.
Tron founder Justin Sun claimed he was “officially blocked” from lending protocol Aave after someone “randomly” sent him a small amount of ether via crypto mixer Tornado Cash.
More than 600 addresses were hit with the same 0.01 ETH ($19.25) “dust attack,” according to analytics unit PeckShield, including crypto exchanges and public figures such as Coinbase CEO Brian Armstrong and Jimmy Fallon.
Last Monday, Tornado Cash was placed on the Office of Foreign Assets Control’s blacklist over its usage by North Korean hacker crew Lazarus Group to launder stolen digital assets. The ban made it illegal for US citizens to interact with its Ethereum smart contracts.
OFAC in total sanctioned 45 Ethereum addresses associated with Tornado Cash, many of them USDC contracts, leading MakerDAO co-founder Rune Christensen to float ditching the stablecoin from its treasury altogether.
Days later, Dutch financial crimes agency FIOD arrested a 29-year-old Tornado Cash developer in Amsterdam over their suspected involvement in facilitating money laundering via the platform.
Sun tweeted his ban on Friday. “This address is blocked on app.aave.com because it is associated with one or more blocked activities,” the screenshot reads. Ethereum proponent Anthony Sassano said he experienced similar treatment.
Aave later responded to the social media outcry with its own Twitter thread. The firm explained it had implemented a API maintained by compliance startup TRM Labs to ensure it’s in line with US sanctions.
TRM Labs’ API identifies “all wallets that have interacted with Tornado Cash contracts post-sanctions, even so-called ‘dusted’ self-custodial wallets,” Aave said.
This explains why some users were unable to access the protocol’s front-end, even though its web app is hosted by peer-to-peer protocol Inter-Planetary File System.
Web apps for other popular DeFi protocols, including decentralized exchange Uniswap and automated market maker Balancer, also reportedly blocked users flagged by TRM Labs’ database.
“The team [Aave] mitigated these issues by immediately addressing this, and we continue to evaluate responsible and reasonable risk mitigation given the circumstances,” Aave said. Sassano later tweeted to confirm his block had been lifted.
DeFi still weighing full impact of Tornado Cash sanctions
While their web apps rely on centralized services, Aave, Uniswap and Balancer are non-custodial, peer-to-peer platforms powered by immutable smart contracts.
This means anyone at all can spin up alternative front-ends that don’t utilize automated block lists like TRM Labs’, allowing blocked users to interact with their permissionless protocols.
Still, seeing high-profile individuals such as Sun indirectly impacted by the Treasury’s recent ban is somewhat troubling. The department’s move has been called into question by activists and proponents, who say “hair-raising precedent” is an “unconstitutional restriction on free speech.”
Privacy advocates argue Tornado Cash is intended to preserve sensitive information relating to a user’s wallet, including the amount stored, where funds are sent and received, and general DeFi activity.
Digital rights advocacy group Fight for the Future last week wrote that the Treasury made a “clumsy attempt” to sanction Tornado Cash, compromising human rights and the US’ first amendment.
“The Internet is feeling the chilling effects of this choice: the open source code used to run Tornado.cash has been taken down from Github,” the group said. “Unfortunately it seems that such an effect is exactly what the US government was seeking.”
Commonplace sanctioning of smart contracts could have wide-reaching repercussions for DeFi and the blockchain industry writ large, proponents say.
Fireblocks CEO Michael Shaulov believes technology built over the past decade to catch bad actors has led to increased threat intelligence sharing between industry and law enforcement. Although, the systems in place are not perfect, he said.
“In theory, Tornado Cash has a lot of interesting properties for anonymizing your transactions,” Shaulov told Blockworks in an interview. “But in practice, we all know that the people that were using it for a sizable part of the activity were not the good guys.”
Shaulov mused on the idea of a continuously updated database “at the wallet level,” with the addresses made public in a bid to aid other platforms and protocols from engaging with tainted wallets.
Shaulov, who spent four years in Israeli intelligence developing monitoring software for law enforcement, likened the Treasury’s actions against Lazarus and Tornado Cash to that of a game of “cat and mouse” across DeFi.
“Chasing after bad people on the internet is not a new thing,” he said, adding that banning protocols like Tornado Cash wasn’t a real solution.”
“It’s open source,” Shaulov said in relation to Tornado Cash’s code. “What prevents the next person from basically spinning that contract another 50,000 times?”
Shaulov then suggested increased intelligence sharing between all related parties, such as Tornado Cash, Uniswap and the Treasury, who could then programmatically blacklist all wallets belonging to terrorists, for example.
Don’t miss the next big story – join our free daily newsletter.