DeFi protocols Aave, Uniswap, Balancer, ban users following OFAC sanctions on Tornado Cash
Several decentralized applications on the Ethereum network have implemented code changes that disable access from “authorized” addresses. Currently identified protocols are Aave, Uniswap, Ren, Oasis, and Balancer. Yearn’s Banteg identified his GitHub repository in question in a tweet early Saturday morning.
When the defi app starts stealing you with links
2021-10-25 Uniswap https://t.co/ym0wdNPJS6
2022-05-10 Ren https://t.co/9588mTitKe
2022-06-29 Balancer https://t.co/5V1FaxPUOn
2022-08-11 Oasis https://t.co/GzkOQXXPb9
2022-08-12 aave https://t.co/vYY8MjqZ1p
(never) yearn for, bend pic.twitter.com/1FkgVPnUqb— Bangteg (@bangtg) August 12, 2022
Sanctions for “screened” addresses.
The introduced “address screening” revolves around TRM Labs, a compliance company that provides services to dApps via APIs.top page TRM lab website mentions the tool as being applicable to “new Russia-related designations.”
However, following OFAC’s move to sanction all addresses associated with Tornado Cash, users who interacted with Tornado Cash were also labeled as “sanctioned” and banned from the platform using TRM Labs’ API. There seems to be
The sanctions do not apply to addresses associated with Russia, but apply to all users, including US citizens, who have received funds from Tornado Cash addresses.
Given the recent dusting attacks against high-profile addresses such as Brian Armstrong, Justin Sun, and several VC firms, they are blocked from Aave, Uniswap, and other applications using TRM Labs. It seems that.
Dusting attack causes high-profile ban
A tweet by Tron founder Justin Sun puts the issue in the spotlight as he claims he is currently unable to interact with Aave.Sun murmured After receiving 0.1 ETH from a random account through Tornado Cash, Aave blocked the account.
The text in the tweet and the screenshot shared read, “This address has been blocked on app.aave.com because it is associated with blocked activity.”
#PeckShieldAlert 600+ addresses received 0.1 $ETH from https://t.co/LLczi0PVvh: 0.1 ETH contract added to OFAC authorization list. Also includes big names and centralized exchanges.
Some users claimed they were blocked @AaveAave This is due to an “airdrop”. https://t.co/WeXfpiSi7N pic.twitter.com/cB4M5T29Ya— PeckShieldAlert (@PeckShieldAlert) August 13, 2022
according to pec shield alertover 600 ENS addresses received 0.1 ETH from Tornado Cash, and many of those who received the funds were blocked by Aave.
Aave’s decision to block these accounts follows a decision by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) to ban Tornado Cash. OFAC has banned Tornado Cash, citing several associated addresses that it claims are used by the North Korean hacking group Lazarus.
Following the ban, GitHub disabled the Tornado Cash creator’s account. Crypto his website on his mixer and his Discord server have also gone offline. One of its developers was arrested in Holland.
Many have criticized GitHub’s move, but no one expected a decentralized platform not directly under U.S. regulation to block Tornado Cash-related addresses.
However, it appears that Aave is not the only Defi platform compliant with the ban. Defi exchange dYdX has also blocked addresses that have previously interacted with Tornado Cash.
The move affected multiple accounts, including users who had never used Tornado Cash or even didn’t know where the funds they received from various past transactions came from.
The founder of DeFi KYC platform Assure told CryptoSlate: where does it end ‘ he continued,
“The recent OFAC sanctions and developer arrests against Tornado Cash are of serious concern.
This is Silk Road again, and we know how it unfolded. “
further contagion
In response to Justin Sun’s tweet, Alex and Omega highlighted potential workflows that could cause widespread contagion across the DeFi ecosystem, as shown below. Given the current implementation, there is concern that a malicious actor could send his Ethereum via his Tornado Cash to a wallet with a large loan, triggering a liquidation event.
1. Identify all major loans @AaveAave Plan possible liquidation cascades
2. Send ETH from @tornado cache to all wallets with major loans
3. Let AAVE block all wallets
4. Short ETH
5. Start an ETH dump
…
6. Look at the liquidation cascade, no one can run sth.about it🍿
— Alphalex | Alphalex and Ωmega (@alexandomega) August 13, 2022
If wallets with active loans are banned from Aave, they will not be able to add capital to manage their LTV. As a result, if the price of the underlying asset falls, a significant liquidation event may occur as users will lose access to their accounts.
This is impractical as the protocol is responsible for granting users access to funds. However, it seems that only the front end of the application is blocked, as the error message indicates in Sun’s tweet.
Users may be able to work with the protocol via the CLI or fork the project to create a frontend UI. This is beyond many users, but anyone with significant funds should be able to access blocked assets this way.
Sans Ban Search wallet address “0x3ddfa8ec3052539b6c9549f12cea2c295cff5296” indicates that Aave tokens are over $100 million. He has his $91 million aTUSD, $58 million aUSDC and $19 million aDAI. These funds are currently not recoverable through Aave’s frontend UI.
TRM Labs approach
The biggest concern, however, is how TRM Labs decides what constitutes an authorized address. There is a direct correlation if the wallet receives funds directly from his Tornado Cash. But what if the user transferred the funds to his DEX and exchanged them for another token?Are wallets participating in swaps also considered authorized wallets?Once passed through Tornado Cash This is a real possibility if you own ETH.
According to a chart compiled by Block119 analyst ElBarto Crypto, 90% of Ethereum addresses are only 4 degrees away from Tornado Cash, and 41% are within just 2 degrees.
A 6 degree tornado cache is a thing. Even crazier, only 0.03% of addresses received ETH from Tornado Cash, while nearly half of the entire ETH network is just two hops away from Tornado Cash receivers. pic.twitter.com/LDU9g0r7tQ
— ElBarto_Crypto (@ElBarto_Crypto) August 13, 2022
The potential for billions of ETH to be “blacklisted” could actually happen in the wake of OFAC sanctions. TuongVy Le, Head of Regulation and Policy at Baincap Crypto, told CryptoSlate:
“This is a problem. We need standards and transparency on how we all need to comply with this unprecedented and novel sanctions on TC smart contracts and wallets.”
Former SEC TuongVy Le commented on TRM Labs’ approach to compliance issues posed by OFAC:
“The TRM seems to be taking a broad approach, which is understandable because the sanctions violations are serious and there is a lot of uncertainty about how it applies here. If our compliance provider is doing work for both the private sector and the government, I think we should ask if there are any inherent conflicts of interest.”
Responding to concerns that the DeFi protocol in question may be sending user data to OFAC, Balancer confirms that ‘user addresses’ are sent to the ‘federal government’ and not to ‘others’. Did.
Balancer only sends user addresses and nothing else. We do not send your IP or any additional information.
— Balancer Labs (@BalancerLabs) August 12, 2022
Balancer developer Tim Robinson further commented that all data “sends through lambdas, so the user’s IP is never sent to TRM.”
legal text != code implementation
All TRM requests go through lambdas, so the user’s IP is not sent to TRM. https://t.co/J4HkQfzdaN
lambda: https://t.co/SpXsy4pdB9
Everything is open source
— Tim Robinson (@timjrobinson) August 13, 2022
At the time of this writing, the incident has had no apparent impact on the price of Ethereum or the broader crypto market. slightly below the dollar.
CryptoSlate has contacted the platform in question with which they can communicate directly. We do not have an answer at this time, but we will update this article as soon as we have more information.
