Tornado Cash Should Not Die in Vain: An Alternative Approach to Regulating DeFi

The recent news around Tornado Cash (TC) caught some in the crypto world by surprise. The Office of Foreign Assets Control (OFAC) added forty-five Ethereum addresses associated with Tornado Cash to its Specially Designated Nationals and Blocked Persons (SDN) list.

This move bars all US persons from transacting with any of those addresses, and, as a result, numerous companies and projects with technological exposure to or integrations with TC have moved to cut those connections. Further, private companies like GitHub have removed TC repositories from their platform and suspended the accounts of TC contributors.
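As an added illustration of what "cutting those connections" looks like in practice, and not code from the original post or from any project it mentions, here is a minimal sanctioned-address screen of the kind a dapp front-end can run before it submits a transaction on a user's behalf. The addresses in the list are constructed placeholders, not OFAC's published designations, and the function names are my own. The point it makes is the one practitioners most often get wrong: EIP-55 checksummed addresses carry the same address in different letter cases, so the list and the query must be normalized before comparison.

```javascript
// Added example (not from the original post): a sanctioned-address screen that a
// dapp front-end can run before it submits a transaction on a user's behalf.
// Every address below is a CONSTRUCTED placeholder, not an entry from OFAC's list.

// Assumed: the operator maintains this list from the published SDN entries.
// Entries are kept in whatever case they were received, so normalization matters.
const SANCTIONED_RAW = [
  "0x1111111111111111111111111111111111111111",
  "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01", // EIP-55 mixed case
];

// Canonical form for comparison: trimmed, validated, lower-cased.
// EIP-55 checksums encode the same address in different letter cases, so a
// case-sensitive comparison would silently miss list entries.
function normalizeAddress(addr) {
  if (typeof addr !== "string") {
    throw new TypeError("address must be a string");
  }
  const a = addr.trim();
  if (!/^0x[0-9a-fA-F]{40}$/.test(a)) {
    throw new Error(`malformed Ethereum address: ${addr}`);
  }
  return a.toLowerCase();
}

const SANCTIONED = new Set(SANCTIONED_RAW.map(normalizeAddress));

function isSanctioned(addr) {
  return SANCTIONED.has(normalizeAddress(addr));
}

// Screen every address the front-end knows about: the connected wallet (from),
// the contract it will call (to), and any recipients the UI itself put into the
// calldata (e.g. a withdrawal target). Returns the hits so the UI can explain
// the refusal rather than fail silently.
function screenTransaction({ from, to, recipients = [] }) {
  const roles = [["from", from], ["to", to], ...recipients.map((r) => ["recipient", r])];
  const hits = [];
  for (const [role, addr] of roles) {
    if (isSanctioned(addr)) {
      hits.push({ role, address: normalizeAddress(addr) });
    }
  }
  return { allowed: hits.length === 0, hits };
}

// Stand-alone demonstration with constructed inputs: the recipient is the
// mixed-case list entry written in lower case, and is still caught.
const demo = screenTransaction({
  from: "0x2222222222222222222222222222222222222222",
  to: "0x3333333333333333333333333333333333333333",
  recipients: ["0xabcdef0123456789abcdef0123456789abcdef01"],
});
console.log(JSON.stringify(demo, null, 2));
```

A check like this only governs what the operator's own interface will do: anyone can call the contract directly, and a screen that lives solely in client-side JavaScript can be edited out by the user, so an operator that relies on it should enforce the same check on the server that relays or signs requests. That limitation is exactly why the post treats the UI operator, not the protocol, as the practical point of compliance.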

Whether OFAC's approach here will "succeed" is unclear, though we hope that Treasury wielding a heavy hand does not signal a trend against less controversial DeFi protocols. But if not outright sanctions, what should OFAC have done? On a grander scale, what is the right course of regulatory action in a permissionless, open-source, and fully decentralized environment? In previous blogs, we have defined decentralization and explained how DeFi protocols can be regulated using the ocean analogy: while you cannot regulate the ocean or the tides (decentralized protocols), you can regulate ports and harbors (the points where users access protocols) and the activity on the water.

From our perspective, the correct way forward is not a one-off solution; it’s a multi-pronged approach focused primarily on two things:

  1. A user’s activity and the positioning of those enabling that activity through centralized user interfaces, and
  2. The pursuit of nefarious actors through aggressive civil and criminal enforcement.

We cover our thoughts on how regulators may address user activity below.

Addressing Regulatory Gaps

We have noticed glaring regulatory gaps that affect user safety and security across DeFi. Although many projects operate transparently, making voluntary disclosures of their risks, others promote what Federal Reserve Vice Chair Lael Brainard has called the “false allure of seemingly easy returns that obfuscate and obscure significant risk.” The collapse of Terra, the ensuing contagion across many lightly regulated CeFi providers, and the resulting damage wrought on retail users are glaring examples of what occurs when unscrupulous individuals, and those who promote them, are free to operate unabated and unregulated.

Most end-user interactions with DeFi protocols occur through graphical user interfaces and other “off-chain” components. These tools are often hosted on centralized servers and rely on traditional internet infrastructure to give users easy access to DeFi through websites or mobile apps. Some interfaces even extract fees from users, for instance by charging a “swap fee” when a user makes a trade. Because of the role these businesses play in channeling users to protocols, we believe centrally controlled UIs – the “application (or dapp) layer” – are the logical focus for regulation. Which regulation applies depends on the service or activity permitted through the interface.

Actionable Examples

Business A: Whitelist built on top of DEX that permits the trading of securities

If a user interface permits access to traditionally regulated activity and extracts fees for that access, the entity operating that centralized UI should hold the appropriate licenses. For example, Business A operates a whitelist built on top of a DEX where security tokens trade at spot and are used for margin. Accordingly, that business should register as a broker-dealer and, at a minimum, operate a registered alternative trading system, placing it under FINRA and SEC oversight.

Business B: Lending and borrowing non-security digital assets with fees

If Business B operates a UI that lets users lend and borrow non-security digital assets and charges a fee for doing so, Business B may need to obtain lending licenses, or an equivalent banking license, depending on the jurisdictions in which it offers the service.

Takeaway: Businesses should be subject to the applicable regulatory scheme based on the activities in which they permit users to engage. Since these operators provide the convenience of a UI to users in exchange for fees, they can afford the financial burden associated with regulation.

Frontline Issues with Focusing on the UI

What if a project simply provides a UI without fees to allow access to a DeFi protocol?

For operators that control interfaces that neither (a) permit users to engage in regulated activity nor (b) extract fees from users, a simpler consumer protection disclosure regime fits well. For instance, if a development team releases a user interface simply to encourage use of a DeFi protocol, there should still be requirements that the risks surrounding the protocol be made clear. A notice-and-disclosure regime, with the Consumer Financial Protection Bureau as the lead regulator, may suffice to ensure that users are fully informed about the tooling they use.

What if UIs are hosted on IPFS?

Some protocols now provide decentralized, “on-chain”-style components for services that have traditionally been operated “off-chain” (e.g., decentralized file storage with the InterPlanetary File System (IPFS)). Developers could publish static UIs on IPFS and give users truly decentralized access to protocols permitting regulated activity. Nonetheless, we have not yet seen a large move toward IPFS-hosted sites, and we believe that as more retail users onboard to DeFi, the majority will prefer to rely on “trusted interfaces” operated by recognizable teams or companies. Perhaps OFAC sanctioning TC will drive projects to launch static UIs on IPFS; it is too early to tell.

What about custody (or lack thereof)?

There is also an important issue regarding custody: whether the centralized entity operating a UI that permits access to non-securities-related activity on a permissionless, non-custodial protocol may be required to conduct AML/KYC reviews of its users. Here is a potentially controversial take: a UI that operates as a business and permits access to underlying regulated activity may be best placed to carry the AML/KYC burden as part of its larger regulatory obligations. We may write more about this topic in the future, but in a world where TradFi integrates with permissionless protocols, the financial institutions and businesses doing the integrating can and should shoulder the burden of regulatory compliance.

Shutting off Tornado Cash from US persons is a watershed moment for crypto. Yet it seems an isolated action tailored to North Korea-related activity rather than a move against DeFi. Since integrating digital assets into the traditional financial system appears inevitable, we think it most logical to focus regulatory attention on the centralized businesses operating user interfaces while law enforcement pursues nefarious actors. Such an approach places the onus of compliance where it should realistically sit (on the UI operator) and punishes those who violate the law.