In August 2022, the United States Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned a cryptocurrency “mixer” – a program used to increase the anonymity of crypto transactions – for alleged money laundering. It also blacklisted several Ethereum addresses linked to the protocol. The sanctioning and subsequent reaction by affected actors sparked heated debates in cryptocurrency circles and beyond about how permissionless cryptocurrency protocols should be regulated.

What Exactly Are the OFAC Sanctions?

OFAC imposes trade and economic sanctions on countries and individuals (both natural and legal) who engage in activities that endanger US security or financial stability, such as terrorism, drug trafficking, and money laundering.

The Specially Designated Nationals and Blocked Persons List (SDN), a list of sanctioned individuals and legal entities, is one of its primary tools. Sanctioned individuals have their assets frozen under US jurisdiction, and US citizens are generally prohibited from dealing with sanctioned individuals. By excluding sanctioned individuals from the US financial system, it becomes extremely difficult for such individuals to conduct international business, particularly when transacting in USD.

The OFAC has previously sanctioned crypto companies or protocols controlled by centralized entities, so this is not its first brush with the crypto space. However, this is the first time that a non-individual or non-entity has been sanctioned, creating an unclear precedent for open-source protocols, which are essentially pieces of code/software or technological tools used to achieve a goal.

The OFAC sanctions have the effect that anyone/any wallet (read US persons and businesses, and indirectly, citizens and institutions of other countries that have a relationship with US persons or businesses) that interacts with the sanctioned entity/protocol and the mentioned Ethereum addresses is strictly liable under US law. Since the OFAC announcement, stakeholders in the ecosystem have been divided about the sanctions’ appropriateness and feasibility.

What Impact Will the Decision Have on Web3?

Web3 – the vision of a new, better internet – is frequently defined by the guiding principles of decentralization, permissionlessness, and trustlessness. Rather than a few central players monopolizing the web, the goal is for the community of users to build, operate, and own the web, potentially resulting in a more equitable distribution of value generated across participants.

In light of several large-scale hacks and exploits, particularly where crypto mixers were used to whitewash funds, the aforementioned OFAC sanctions announcement emphasizes the need for the Web3 ecosystem to focus collectively on developing preventive and curative solutions, i.e. preventing bad actors from misusing the technology and enforcing penalties where such bad actors/actions are identified. However, the sanctions are the first time a non-person/open-source software (not a natural or legal person) has been added to the SDN, raising concerns about the measure’s proportionality.

How Are Permissionless Protocols Meeting Compliance Standards?

Following the OFAC sanctions, “permissionless” protocols have scrambled to meet compliance requirements in various ways. Permissionless blockchains and protocols are distinguished by their open access for use by anyone without authorization and their resistance to censorship, in the sense that it is impossible or exceedingly difficult to prohibit transactions to or from a user. This is because the smart contracts that underpin such protocols are “immutable,” or the data they store cannot be changed.

When faced with sanctions compliance requirements, decentralized finance (DeFi) protocols frequently use blockchain forensics and analytics tools to prevent sanctioned entities/addresses from using the protocols’ front-end web applications. While this action prevents a blacklisted address from interacting with the protocol’s smart contract via the front-end user interface or application, tech-savvy individuals (such as hackers) can use a “call function” to directly access the smart contract and bypass the front-end application, including its blacklisting measures. As a result, blacklisted addresses can continue to use such protocols even after being blacklisted at the application level. However, when non-technical users are dusted with sanctioned funds, blacklisting prevents them from interacting with the protocol.

Though less common, some permissionless protocols may choose to include a blacklist function directly in their smart contracts rather than at the application level. This allows for the blocking of specific sanctioned addresses at the smart contract level, introducing elements of centralization into an otherwise permissionless ecosystem.

As a result, sanctioning a decentralized permissionless protocol while failing to ensure its demise makes it inaccessible to the average user and reduces its network effects as various actors seek to comply with the regulations.

Is It Possible That the Decision Will Have Unintended Consequences?

While the sanctions are intended to target bad actors in the space, they may have unintended consequences for those looking to innovate and build a better and more decentralized ecosystem. Sanctions, as well as a lack of clarity about their enforcement mechanisms, may make it even more difficult for Web3 companies and other entities associated with cryptocurrency to access on/off-ramp services via the fiat banking system.

Because sanctions rely on proactive enforcement by banks and other financial institutions, such entities may be overly cautious in their compliance measures.

Non-compliant institutions may be barred from participating in the global financial system, depending on the circumstances. As a result, new Web3 users may be excluded, while existing ones may be de-platformed. Web3 companies’ know-your-business requirements may become more stringent, making it more difficult for them to access fiat banking.

The recent sanctions have also brought developer liability issues to the forefront, with individual contributors to open-source projects potentially being held liable for facilitating criminal actions using permissionless protocols they created. In this context, it is becoming increasingly important for unincorporated Web3 companies to consider legal risk-mitigation strategies, one of which may be the use of a legal wrapper – or, in other words, incorporation as a legal entity.

Among other advantages, this would protect members/employees from individual liability in most cases by transferring liability to the legal entity.

Governments/regulators, permissionless protocols, Web3 companies, centralized service providers, traditional financial institutions, and users are all critical stakeholders in ensuring that the next generation of the internet complies with regulations and protects financial privacy. The OFAC sanctions provide an important opportunity for the public and private sectors to collaborate and deliberate on the need to identify risks and develop innovative solutions (blockchain analytics, embedded regulations, legal wrappers, and so on) that are legally compliant while maintaining the core tenets of a fair, inclusive, and sustainable Web3 ecosystem.