Tornado Cash: A Force For Good Or Evil?

Table Of Content



When cryptocurrency first emerged with the creation of Bitcoin in 2009, it was regarded as a highly innovative form of technology due to the unique values associated with it. Never before had there been a decentralized form of currency with the potential to wipe out intermediaries like banks entirely when processing transactions. Bitcoin offered its users a unique promise-  the privilege of privacy and anonymity in a world heavily regulated by governments and federal agencies (the intentions of whom are still up for debate).

As time went on, various use cases for both blockchain technology and cryptocurrency in general emerged. Among these was the emergence of Tornado Cash, a popular privacy solution built on Ethereum. Working slightly differently from a standard coin mixer, Tornado Cash is used to achieve the same goal of hiding a transaction trace. In this way, a user can prevent someone else from piecing together clues from their transaction history in an attempt to uncover their identity. Although this service is highly beneficial to those who value their privacy, it can also be very useful for malicious actors wanting to cover their tracks after an exploit. 

This dual nature brings forth layers of doubt surrounding the morality of Tornado Cash. Who benefits more from using Tornado Cash? The average man concerned about his privacy, or a criminal with millions of dollars worth of stolen funds? At the end of the day, can it be argued that Tornado Cash is doing more harm than good?

Before we discuss this, let us try to understand the technology used by the protocol in carrying out its service.

How Does Tornado Cash Work?

The blockchain is often regarded as being pseudonymous. Though the true names of users are technically hidden, it is also transparent. This can make it very easy for someone to track a certain user’s actions in an attempt to uncover their identity.

To combat this paradox of privacy and transparency, users can take the help of the Ethereum-based privacy solution Tornado Cash. Tornado Cash uses a type of zero-knowledge proof known as zk-SNARKs to achieve this.

Initially, a user is provided with a randomly generated key known as a note. The hash of this note is then supplied to the Tornado Cash smart contract along with the amount of Ether a user wishes to send. Now, imagine hundreds of users are doing the same thing, each person submitting the hash of their unique key along with a fixed amount of money. You can think of this as the smart contract containing a pool of a large sum along with many hashes of notes. 

When a user decides to withdraw their amount, they can simply submit the hash they had initially shown to the Tornado Cash smart contract. The existence of this hash will prove that their money was deposited. Once the provided hash matches with that of a note present in the pool, money can be withdrawn to a recipient address. 

The amount deposited and withdrawn is the same, but the ERC20 tokens that make up that value are different each time. In this way, the on-chain link between source and destination addresses is broken- meaning there is no way to link the withdrawal to the deposit.

Tornado Cash In The News

Tornado Cash has been fully decentralized since May 2020, when the team behind the protocol ceded control over its multi-signature wallet in a trusted setup ceremony. Since then, the platform has become popular among hackers and criminals wanting to cash in their loot.

In recent times, it seems that almost every analysis report for a major or minor hack in the blockchain space has some mention of Tornado Cash. Big names like Liquid Global, Poly Network, and Kucoin have all faced exploits in the past, with losses equating to millions of dollars worth of funds. In each scenario, the attacker was seen utilizing the privacy solution Tornado Cash in an attempt to get away with their loot. In most cases, this is where the trail goes cold, preventing the attacker from being caught.

Ensuring The Common Man’s Privacy or Facilitating Criminal Activity?

Money laundering using cryptocurrency is no longer a novel concept. According to a report published by blockchain analytics firm Ciphertrace, money lost from major crypto thefts, hacks, and frauds during the first four months of 2021 totaled close to $432 million in value. As exploits increase, so does the use of Tornado Cash. According to Dune Analytics, as of October 2021, Tornado Cash has processed over 88,000 deposits and nearly USD 4 billion.

A question that arises amidst its growing popularity is regarding who to consider as the true users of Tornado Cash. It can be argued that privacy is an important concept to any person operating in the blockchain space. The majority of people who consider themselves members of the blockchain community are believers in the values of anonymity and decentralization. In a world of regulations, a platform like Tornado Cash helps keep the common man assured that his activity isn't being tracked for someone else’s benefit.

However, we cannot refute the claim that Tornado Cash is often the first line of action in an attacker’s getaway scheme. This has become common to the point where users are concerned that using Tornado Cash for their personal use may tie them to criminal activity. While no one will be able to connect a user’s withdrawal to their deposit, it will be clear that the withdrawal came from Tornado Cash and hence create grounds for suspicion.

The Bottom Line

There is no concrete way to know whether Tornado Cash is doing more harm than good by offering its services to the public. The only method to achieve something like this would be to somehow document the deposits made by criminals and compare them to overall activity on the platform. A task like this would be not only tedious but also defeat the purpose of creating the privacy solution in the first place. At the end of the day, we cannot blame Tornado Cash for applying anonymity- one of the core principles of blockchain technology- in such a successful way. The real solution to this problem is to strengthen the security of our platforms, preventing criminal activity in the first place. Until then, Tornado Cash is an easy scapegoat.


More Audits

SushiSwap - April 9, 2023

On April 9, 2023, SushiSwap suffered a security breach which led to a loss of over $3.3 million. The attack exploited a flaw in the RouteProcessor2 contract of SushiSwap's router processor. The fallout was felt across several major chains that had previously authorized the RouteProcessor2 contract.

Euler Finance (March 14, 2023)

The Euler Finance hack had a devastating impact on the platform and its users, with approximately $197 million worth of assets stolen, including ETH, WBTC, USDC, and DAI. This placed Euler Finance at number 6 on the leaderboard of the largest DeFi hacks. The platform's total value locked (TVL) dropped from $264 million to just $10 million.

Revisiting Ethereum Classic in Light of the London Hard Fork

The successful upgrade of the London Hard Fork is a big difference from the fork leading to Ethereum Classic that took place back in 2016. However, despite their divergence, both are milestones in the Ethereum world- guaranteed to have lasting impacts on the blockchain as we know it. Read more to find out the circumstances surrounding each hard fork and the role they may play in shaping Ethereum's future.

Infiltrating the EVM-II: Inside the War Room's Arsenal

War Room is an immersive, high-energy environment incorporating a dedicated team of experts that comes together to form the backbone of the War Room. Read more in this part

Flower Fam NFT Audit Report

Flower Fam is an NFT-based project, after you mint your NFT you can “harvest” them on weekly bases to get 60% royalties. It's quite simple: every flower has a 10% chance to win. The rarer the species of a flower.

Your Data, Your Rules: The Blockchain Way

Data has become the vigor of the digital age, powering industries, economies, and societies worldwide. Whether personal information, financial records, intellectual property, or trade secrets, data is the driving force behind decision-making, innovation, and business operations. However, data security has emerged as a paramount concern with the increasing digitization of our lives and businesses.

Cast Storage

Lets understand the smart contract storage model in Ethereum and EVM-based chains and how you can access the public and private variables of any smart contract deployed on the blockchain. We can do this by using cast storage.

Beyond Buzzwords: Exploring the Real Potential of AI and Blockchain Integration

The AI and blockchain integration can help overcome some of the limitations of each technology and create a more secure, transparent, and efficient Web3 ecosystem. This article explores the differences between AI and blockchain, ways to integrate them, use cases, and challenges that need to be addressed.

PhoenixDAO LP Staking Final Audit

BlockApex (Auditor) was contracted by PhoenixDAO (Client) for the purpose of conducting a Smart Contract Audit/Code Review.  This document presents the findings of our analysis which took place on   28th October 2021.

1 2 3 10
Designed & Developed by: 
All rights reserved. Copyright 2023