Sanctioning a cryptocurrency protocol: What does that mean for Web3?

What are the OFAC sanctions?

The OFAC administers trade and economic sanctions on countries and persons (both natural and legal) involved in activities that threaten the security or financial stability of the US – such as terrorism, drug trafficking and money-laundering.

One of its primary tools is the Specially Designated Nationals and Blocked Persons List (SDN): a list of its sanctioned individuals and legal entities. Sanctioned persons have their assets under US jurisdiction frozen, and US persons are, in general, prohibited from dealing with sanctioned persons. By walling off sanctioned persons from the US financial system, it becomes very hard for such persons to do international business, especially so while transacting in USD. This is not the OFAC’s first brush with the crypto space, it having previously sanctioned crypto companies or protocols controlled by centralized entities. However, the recent move represents the first time a non-individual or non-entity has been sanctioned, creating an unclear precedent for open-source protocols that are in essence pieces of code/software or technological tools used to some end.

The impact of the OFAC sanctions is that anyone/any wallet (read US persons and businesses, and indirectly, citizens and institutions of other countries that have a relationship with US persons or businesses) that interacts with the sanctioned entity/protocol and the mentioned Ethereum addresses would be strictly liable under US law. Since the OFAC announcement, stakeholders in the ecosystem have been divided over the appropriateness and feasibility of the sanctions.

How will the decision shape Web3?

OFAC sanctions announcement highlights the need for the Web3 ecosystem to collectively focus on developing solutions that are preventive and curative. Image: Chainanalysis

In light of several large-scale hacks and exploits, especially where crypto mixers have been used to whitewash funds, the aforementioned OFAC sanctions announcement highlights the need for the Web3 ecosystem to collectively focus on developing solutions that are preventive and curative, i.e. prevent bad actors from misusing the technology and enforcing penalties where such bad actors/actions are identified. On the other hand, the sanctions mark the first time a non-person/open-source software (not a natural or legal person) has been added to the SDN, raising questions about the proportionality of the measure.

How are permissionless protocols meeting the compliance requirements?

When faced with sanctions compliance requirements, decentralized finance (DeFi) protocols often use blockchain forensics and analytics tools to block addresses that interacted with the sanctioned entity/addresses from using the protocols’ front-end web applications. While such an action prevents a blacklisted address from associating with the front-end user interface or application used to interact with the protocol’s smart contract, tech-savvy individuals (such as hackers) can instead use a “call function” to directly access the smart contract and bypass the front-end application, including its blacklisting measures. Thus, blacklisted addresses are able to continue using such protocols even once blacklisted at the application level. Yet, blacklisting does prevent average, non-technical users from interacting with the protocol when such users are dusted with sanctioned funds.

Though not as common, some permissionless protocols may choose to incorporate a blacklist function – not at the application level, but directly into their smart contracts. This allows specified sanctioned addresses to be blocked at the smart contract level, thus introducing elements of centralization in an otherwise permissionless ecosystem.

As such, sanctioning a decentralized permissionless protocol, while failing to ensure its demise, tends to make the protocol inaccessible for the average user and reduces its network effects as various actors seek to comply with the regulations.

Could the decision have unintended consequences?

The sanctions, while intended to target bad actors in the space, could have a collateral impact on those looking to innovate and build a better and/or more decentralized ecosystem. Sanctions and the lack of clarity over their enforcement mechanisms may increase the existing difficulty faced by Web3 companies and other entities associated with cryptocurrency in accessing on/off ramp services through the fiat banking system.

Since sanctions rely on proactive enforcement by banks and other financial institutions, such entities may err on the side of caution and be overly restrictive with their compliance measures.

Depending upon specific circumstances, non-compliant institutions could find themselves blocked from participation in the global financial system. As such, it may result in shutting out new Web3 users, while potentially de-platforming existing ones. Know-your-business requirements for Web3 companies could become more stringent, again making it harder for such companies to access fiat banking.

Developer liability issues have also been brought to the fore by the recent sanctions, with individual contributors to open-source projects potentially being held liable for facilitating criminal actions on permissionless protocols they created. In this context, it becomes increasingly important for unincorporated Web3 companies to consider legal solutions to minimize risk, one of which may be adopting a legal wrapper – or in other words, incorporating as a legal entity. This, among other benefits, would shield members/employees from individual liability in most cases by transferring liability to the legal entity.