Last month, the US Office of Foreign Assets Control (OFAC) blacklisted decentralized crypto mixer Tornado Cash. The move marked the first time the US government has sanctioned a smart contract.
The ripple effects of this move have been critical for Ethereum with many stakeholders taking actions to comply with the sanctions. Circle, dYdX, GitHub, Infura, Oasis and Alchemy all took steps by blocking sanctioned addresses — and related ones — from accessing their products and services.
The situation has also made Ethereum supporters and developers worry that these steps portend a more problematic future, one which might see the network become vulnerable to censorship.
When Ethereum transitions to proof of stake — and validators become the ones processing transactions on the network — it’s possible that those who run these validators could participate in censoring certain transactions to comply with current or future sanctions. Doing so, the validators could potentially damage Ethereum’s status as a neutral technology. It’s an issue so concerning that even one of Ethereum’s biggest supporters would abandon the whole project if it were to happen.
“If the Ethereum base-layer ends up engaging in permanent censorship then I will consider the Ethereum experiment a failure and I will move on,” EthHub co-founder Anthony Sassano, one of Ethereum’s biggest advocates, said on Twitter.
Moving to proof of stake
After The Merge, Ethereum will be running on a proof-of-stake consensus mechanism. Gone will be the miners and the new kings in town will be validators — those that cough up large amounts of ETH and process new transactions, knowing that if they act maliciously, they could see their staked tokens get slashed.
The largest validators include crypto firms like Coinbase, Kraken, Binance, Staked.us, Bitcoin Suisse, stakefish, and Figment, all of which offer staking services that let their users earn staking rewards. These firms have become so popular that they look after nearly 40% of ether deposited by validator nodes on the Beacon Chain.
There’s also Lido Finance, a liquid staking protocol that is responsible for more than 30% of ether deposits on the Beacon Chain and remains a potential point of centralization. That said, it doesn’t serve as a single validator but makes use of a range of validators like those mentioned above.
If these validators agreed to comply with the US sanctions, they possess enough power for protocol-level censorship, with the Ethereum community being forced to support validators that they might disagree with. Worse, due to the design of Beacon Chain, users can’t un-stake their ether until the Shanghai upgrade, which is another 6-12 months after The Merge.
How censorship could happen
Ethereum co-founder Vitalik Buterin said in a developer call on August 18 that base layer censorship can come in two forms with different degrees of likelihood.
The first type is when certain validators choose to exclude or filter sanctioned transactions within the blocks they propose themselves. This scenario, according to Buterin, can lead to temporary censorship and transactions may get delayed as they wait to be finalized.
As long as some validators don’t partake in censorship, those transactions will eventually get picked up in the subsequent blocks. The only issue will be that it will take a longer time for transactions to be processed into blocks.
After The Merge, validators will also have to sign and broadcast an attestation during every epoch on the network. This brings us to the second type of potential censorship, where validators (with more than 51% stake) decide not to attest to blocks that contain sanctioned transactions. Attestation-based censorship coming from a majority of validators would create a soft fork of Ethereum, or an alternative version of the Ethereum blockchain, that does not include any sanctioned transactions.
The second scenario is classified as “permanent censorship” that may result in sanctioned transactions never getting finalized on the Ethereum network, according to Buterin. While Buterin said that the likelihood of the second scenario is small, Ethereum core developers are still discussing ways to resist both temporary and permanent censorship.
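The difference between the two forms can be put in numbers. The sketch below is an added example, not from the article or from any Ethereum client: it assumes stake-weighted, independent proposer selection in each 12-second slot, takes the 51% majority figure from the text, and its function names are hypothetical.

```python
import math

SLOT_SECONDS = 12   # one block proposer is selected per 12-second slot
MAJORITY = 0.51     # majority stake figure quoted in the article


def delay_profile(censoring_share, quantile=0.99):
    """First form: censors only filter the blocks they propose themselves.

    Assumption: each slot's proposer is drawn independently and weighted by
    stake, so a censor proposes a given slot with probability censoring_share.
    """
    if not 0 <= censoring_share < 1:
        raise ValueError("censoring_share must be in [0, 1)")
    expected_slots = 1 / (1 - censoring_share)  # mean of a geometric wait
    if censoring_share == 0:
        tail_slots = 1
    else:
        # Smallest k such that P(excluded for k slots in a row) <= 1 - quantile.
        tail_slots = math.ceil(math.log(1 - quantile) / math.log(censoring_share))
    return {
        "expected_seconds": expected_slots * SLOT_SECONDS,
        "tail_slots": tail_slots,
        "tail_seconds": tail_slots * SLOT_SECONDS,
    }


def assess(censoring_share, refuse_to_attest=False):
    """Second form: a majority that also refuses to attest never lets the
    transaction finalize, so no delay figure exists for it."""
    if refuse_to_attest and censoring_share > MAJORITY:
        return {"outcome": "permanent", "delay": None}
    return {"outcome": "temporary", "delay": delay_profile(censoring_share)}


if __name__ == "__main__":
    # Stake shares quoted in the article, used as what-if inputs only.
    scenarios = {"Coinbase (14%)": 0.14, "Lido (>30%)": 0.30,
                 "named staking firms (~40%)": 0.40}
    for name, share in scenarios.items():
        d = assess(share)["delay"]
        print(f"{name}: mean {d['expected_seconds']:.0f}s, "
              f"99% included within {d['tail_seconds']}s")
    print(assess(0.70, refuse_to_attest=True))
```

Under these assumptions, proposer-level filtering by even a large minority costs seconds to a couple of minutes, while the attestation case has no finite delay at all.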
Key validators are largely undecided
At this stage, the fear of censorship coming from centralized validators is hypothetical, given how Ethereum validators haven’t clarified whether they will comply with sanctions.
Whatever the eventual result, Ethereum validators are going to face a tough time keeping Ethereum a permissionless network while complying with regulations from OFAC. This would particularly be the case if US regulators instructed them not to process transactions that have come from Ethereum mixers like Tornado Cash.
Coinbase CEO Brian Armstrong has clearly stated that his staking service, which has 14% control over all Beacon Chain validators, will not censor transactions. Armstrong said he would prefer to stop the company’s staking service rather than engage in on-chain censorship on Ethereum.
Any existing validator on the Beacon Chain can stop its duties by invoking a function called the voluntary exit process. This means they would be able to stop staking their tokens without getting punished for doing so.
Meanwhile, other staking providers such as Kraken and Bitcoin Suisse want to preserve censorship resistance. But these don’t have clear answers yet to how they would deal with sanctions.
“Kraken believes in the importance of crypto being censorship-resistant and permissionless. As a leading ETH validator we are carefully monitoring the discussion on the potential implications of Tornado Cash sanctions for validators,” Marco Santori, chief legal officer at Kraken, told The Block in a statement.
A similar reply came from Bitcoin Suisse, whose spokesperson said: “Regarding the question of the handling of transactions involving sanctioned addresses, Bitcoin Suisse is currently reviewing the situation, as it involves complex legal, regulatory, and technical questions to which there are no clear answers yet.”
What can be done to fight censorship?
Since the issue has come to light, Ethereum’s core developers have discussed mitigation strategies to fight it. In response to a Twitter discussion on the issue, Buterin commented that he supported the idea of punishing validators who participate in censorship.
Here Ethereum developers can manually slash validators that engage in censorship. This may result in censoring validators losing a portion of their collateral and is being explored as the primary defense against censorship by major staking providers. Ethereum’s core developers are preparing to organize social enforcement and democratic slashing if these firms try to censor transactions.
Then there are more stringent steps as well. For example, to counter a potential 51% censorship that leads to an alternative version of the Ethereum blockchain, developers can consider implementing what’s called a “user activated soft-fork (UASF).”
According to Lefteris Karapetsas, an Ethereum developer and founder of Rotki, the stake of validators participating in censorship can be taken away with a UASF. “If a dishonest majority tries to attack the protocol with something like censoring, the approach is a UASF from the community to throw them out of the network and burn their stake,” Karapetsas told The Block.
Another technique previously suggested by Vitalik Buterin as an anti-censorship tool is called proposer/builder separation (PBS). This is a proposed proof-of-stake organizational structure where Ethereum block production is divided between two types of entities: proposers and builders, creating an on-chain check against transactional censorship.