Understanding Tornado Cash

‍

INTRODUCTION

Tornado Cash is the largest crypto mixer running on the Ethereum blockchain. Mixers allow users to anonymously transfer cryptocurrency, without creating a direct link between the accounts that send and receive funds.

On August 8th 2022, Tornado Cash was blacklisted by the US Treasury’s Office of Foreign Asset Control (OFAC), with Tornado Cash’s smart contracts now subject to sanctions under US Law.

This article will investigate how Tornado Cash works, its features and limitations, as well as enforcement actions taken against it.

Disclaimer: This article is intended for informational and research purposes only. You obviously should not use Tornado Cash. This article is meant to shed light on one of the most infamous projects in crypto for observers, researchers, and professionals.

WHAT IS TORNADO CASH

Tornado Cash allows anybody to anonymize their Ethereum transactions. It does this by maintaining a system of “pools” that users can deposit to. A “pool” is an Ethereum account owned by a smart contract. Think of it like a bank that doesn’t maintain specific accounts for each user, but makes sure that users cannot withdraw more than they deposited.

Each pool only accepts deposits of certain tokens, in certain amounts - for instance, there is a Tornado Cash pool that only accepts deposits of 1 ETH at a time - and a different pool that accepts deposits of 100 ETH. This means that all the users sending 1 ETH to Tornado Cash, send their ETH to the same pool - which makes it difficult to identify which account exactly is withdrawing its ETH, when ETH is removed from the pool.

Tornado Cash supports a number of different cryptocurrencies, and runs on a number of different networks - although the vast majority of transactions are made in ETH, deposited to the version of Tornado Cash running on the Ethereum Blockchain. As of September 2023, there is about $230 million of crypto in Tornado Cash’s contracts, with around $195 million of that being ETH on Ethereum. The second and third largest assets being used in Tornado Cash are BNB on BNB Chain for ~$20M, and DAI on Ethereum for ~$15M.

Tornado Cash can be used to transfer:

ETH, DAI, cDAI, USDC, USDT & WBTC on Ethereum Mainnet
ETH on Arbitrum
ETH on Optimism
BNB on BNB Chain
AVAX on Avalanche
MATIC on Polygon
xDAI on Gnosis Chain

However, the USDC in Tornado Cash’s contracts is currently Blacklisted by Circle, and unable to be transferred.

The Blacklist Function on the Tornado Cash Contract (Etherscan)

‍

Tornado Cash uses a system of immutable smart contracts. The code that powers Tornado Cash Pools cannot be upgraded, changed, or taken over by anyone - even the original creators. However, some functions can be modified through governance - such as those of the routing contract (such as withdrawal or deposit destinations), and those relating to the TORN token (for instance, the token can be frozen through voting with TORN).

IS TORNADO CASH LEGAL?

US Department of Treasury Notice Regarding Tornado Cash Sanction

‍

On August 8th 2022, the US Treasury Office of Foreign Assets Control (OFAC) placed sanctions on 45 Ethereum addresses associated with Tornado Cash, including the asset pools that users deposit to and withdraw from when making transactions with Tornado Cash.

Tornado Cash provides anonymity to all users, whether regular retail users or hackers/malicious actors attempting to launder stolen funds. In the past, it has been used by the Lazarus Group, associated with the DPRK - to launder currency stolen from Sky Mavis’s Ronin Bridge.

Tornado Cash Transactions on Arkham (With Filters Applied)

‍

In the aftermath of Tornado Cash being sanctioned, a number of prominent crypto personalities in the US received ETH from Tornado Cash to their public wallets, in a public protest from Tornado Cash users on 9th August 2022 referred to as ‘dusting’. This is because you can direct a withdrawal from Tornado Cash to any wallet address, even one you do not own directly.

All of these individuals inadvertently interacted with a US-sanctioned entity, despite not necessarily owning the funds themselves - or even initiating the transactions. In the aftermath of this, several of these personalities saw their accounts automatically frozen on certain centralized crypto platforms.

WHY DO HACKERS USE TORNADO CASH?

Hackers use Tornado Cash to legitimize their source of funds by removing connections to a hacked wallet or malicious crypto activity.

Tornado Cash doesn’t just break the link between deposits and withdrawals, but also associates all deposited funds together in a shared pool. This means that any user withdrawing from Tornado Cash could inadvertently be helping a hacker or bad actor to stay undetected.

‍

Tornado Cash is still the largest crypto-mixer on Ethereum, with a massive ‘anonymity set’, meaning total deposited funds. This means that there are lots of other users and fund flows interacting with Tornado Cash’s pools and Routing contracts which collectively help obfuscate the activity of all users. Despite the OFAC sanctions in August 2022, there is still currently over 120,000 ETH in Tornado Cash’s pools on Ethereum - an amount worth slightly under $200M. This is far off from its peak balance of over $3B, but still more than any other Ethereum mixer.

HOW DOES TORNADO CASH WORK?

‍

If a user wishes to deposit crypto to Tornado Cash, they must send ETH in certain amounts (0.1, 1, 10 or 100) to the Tornado Cash Router contract. The Router deposits all funds to a shared pool, also known as an ‘anonymity set’. This is a shared pool of all deposited funds. In return, the user is given a code - a cryptographic proof that verifies their claim to the deposited funds.

The larger the shared pool, or “anonymity set” becomes, the more difficult that inflows and outflows are to track or link together. This is why Tornado Cash users often wait for a period of time before redeeming their funds, as this increases the number of wallets potentially associated with their Tornado Cash deposits.

A Mirrored Version of Tornado Cash's Frontend

‍

This code can be submitted again to Tornado Cash in order to retrieve the funds to a completely different wallet. Because it can be redeemed by any wallet, codes do not necessarily have to be redeemed by the same entity that deposited the funds initially. A hacker could deposit 100 ETH to Tornado Cash, and sell the code to another individual who could then redeem it at their leisure.

Technical Note: The code that the user receives is a cryptographic hash, or “proof”. It verifies that a valid deposit has been sent to the pool. Tornado computes this hash using a type of Zero-Knowledge proof, ZK-SNARKS. This means that when a user wants to withdraw their funds, the hashed code can be verified by the smart contract as representing a valid deposit, without publicly revealing the “secret” data to other Ethereum users.

Tornado Cash ensures a limited range of anonymity with on-chain transactions. The reason this anonymity is “limited” is because deposits and withdrawals from Tornado Cash happen on Ethereum in public, and can be publicly examined and reviewed through a blockchain explorer.

For example: if you deposit 456 ETH to Tornado Cash, and 5 minutes later withdraw 456 ETH from Tornado Cash, it becomes very obvious to an observer that the accounts making the deposits and withdrawals are likely owned by the same entity.

WHY DO PEOPLE USE TORNADO CASH?

Tornado Cash provides a level of anonymity on Ethereum to any users who wish to obscure their transactions on-chain. For example, many developers look for means of deploying a new token contract from a fresh address. On the other hand, as we discussed earlier - Tornado Cash is also useful to hackers and protocol exploiters, with many exploit addresses interacting with Tornado Cash either before or after their malicious activity.

In fact, 4 out of the top 5 hacks in Crypto have either been funded by Tornado Cash, or used it to launder the proceeds from their attacks.

Ronin Network Exploit ($624M) - moved proceeds to Tornado Cash
Polynetwork Exploit ($611M) - moved proceeds to Tornado Cash
Wormhole Exploit ($326M) - initially funded from Tornado Cash
Euler Exploit ($197M) - moved proceeds to Tornado Cash

Tornado Cash can also be used for other means. While hackers may wish to obscure themselves sending money - project insiders funding fresh wallets may wish to obscure themselves receiving money.

Throughout 2021 there were a number of different protocols that planned airdrops or released positive announcements. Individuals who did not want their actions to be identifiable were known to transfer considerable amounts of ETH through Tornado Cash in order to purchase the project tokens, or sybil-attack airdrops on fresh and unconnected wallets.

Sharp-eyed traders who scanned the blockchain for wallets freshly-funded with ETH from Tornado Cash would sometimes notice a correlation. For instance, Ampleforth’s FORTH token airdrop was heavily sybil attacked by a single entity, receiving upwards of $28M of the newly minted FORTH tokens across more than 8000 addresses.

On-Chain Analysis of Tornado Cash on the Arkham Visualizer

‍

TORN TOKEN

‍

The TORN Token is the Governance Token of the Tornado Cash Protocol. Holders of TORN can vote on new proposals to be ratified and executed through Tornado Cash’s on-chain governance smart contract. There are 10M total TORN on Ethereum, distributed on December 18th 2020 in the following percentages:

Airdrop: 5%
Anonymity Mining: 10%
Team: 30%
DAO Treasury: 55%

Governance is used to execute certain functions in Tornado’s contracts that have the ‘onlyGovernance’ modifier. This means that these functions are locked behind the approval of a majority of TORN tokens.

Users can create proposals by locking at least 1,000 TORN, and need at least 25,000 TORN to vote on a proposal before it can be passed with a majority vote.

For example, though Governance, TORN holders can:

Add new Tornado Cash Pools
Emergency Pause the entire TORN contract, preventing people from moving or interacting with TORN tokens
Change the TORN reward rate for crypto held in Tornado’s pools
Change routing addresses for the Tornado Cash Router

TORN HOSTILE TAKEOVER

On the early morning of May 20th 2023, a hacker granted themselves 1,200,000 illegitimate Tornado Governance votes through a malicious proposal on Tornado’s Governance Contract. This effectively granted them full control over all the Governance-locked functions of the Tornado Cash Protocol - at the time there were only ~700,000 TORN tokens locked in the contract as legitimate votes, so they could not be outvoted even if every single other Governance participant voted against them.

With full control of the Tornado Cash Governance, the hacker could now:

Re-route withdrawal and deposit destinations through the Tornado Cash Router
Pause all transfers of the TORN Token
Drain all TORN tokens locked in the Governance Contract

The hacker decided to drain ~$750K worth of TORN from the Governance Contract (in other words, other users’ locked governance deposits), selling it all straight away for ETH.

However, shortly afterwards, the hacker published another proposal to revert his changes, which the community approved. The entire fiasco was over in under 2 days, with the approval of the hacker’s proposal to reset his voting balance to zero.

The hacker got to keep 472 ETH as profits from the exploited TORN … which he sent straight back into Tornado Cash.

ON-CHAIN ANALYSIS OF TORNADO CASH

Full Tornado Cash Entity Profile on Arkham

‍

Tornado Cash has existed on-chain since 2019, when it was first developed by its 3 founders: Roman Semenov, Alexey Pertsev and Roman Storm. All 3 of these individuals have been charged by the US Government with conspiracy to commit money laundering, and violating sanctions laws. Pertsev and Storm are both currently under house arrest pending trial - while Semenov is at large in Russia.

‍During its lifetime, >12,000 users have made >160,000 collective deposits - representing almost 3,200,000 ETH. At its peak in September 2021, Tornado Cash held almost 230,000 ETH in its pools.

However, pool volume plummeted after Tornado Cash was sanctioned in August 2022. At the lowest point after its sanctions, Tornado Cash held just under 90,000 ETH in its pools - but has more recently recovered to a total of around 120,000.

Real-world implications of the OFAC Sanctions caused a majority of Tornado Cash’s monthly volume to disappear, as well as a large portion of its active userbase to stop transacting with the protocol. This made it a lot easier for sleuths to track Tornado Cash deposits and withdrawals. To learn how to do analysis like this yourself, read Arkham’s on-chain analysis guide.

For example, the 13,557 ETH stolen during the $60M Anubis DAO Rugpull was laundered through Tornado Cash in mid-July 2023. By that point, this amounted to around $26M in ETH - making the Anubis DAO Entity was the largest transferrer of ETH to Tornado Cash in 2023.

At the same time, a number of different accounts, all exhibiting similar patterns of movement, were withdrawing from Tornado, and sending to accounts on exchanges. The sheer size of the fund transfers, combined with the low volume and user amount on Tornado Cash post-sanctions, allowed many sleuths to link these accounts together with a high level of confidence.

CONCLUSION

Tornado Cash is the largest and most well-known crypto-mixer on Ethereum, but as we’ve discussed, it is not necessarily 100% effective. The protocol’s future remains open ended - while sanctions may have dissuaded regular users from using it, Tornado Cash is still popular among criminals & other rogue actors seeking to obscure the movements of their funds.