Despite being an automated, decentralized version of a typical cryptocurrency mixer, Tornado Cash was sanctioned by the U.S. government last week as the Treasury Department’s Office of Foreign Assets Control (OFAC) added Ethereum addresses associated with the tool to its specially designated nationals and blocked persons (SDN) list.
Much has been written about the legal aspects of the Treasury Department’s move. Instead of embarking on –– arguably much needed –– advocacy to dispute the legal grounds of such a move, this article seeks to objectively explore the technical intricacies of Tornado Cash and its sanction, as well as evaluate potential risks that could bleed into Bitcoin in the future.
How Tornado Cash Works
At its core, a mixer receives users’ cryptocurrency deposits, which it pools or tumbles together before enabling each user to withdraw the same amount of coins it deposited. By doing so, users receive “fresh” coins that aren’t related to the ones they deposited, which can offer them a great deal of forward-looking privacy.
Most mixers are centralized, run by an entity or business that collects fees for the aforementioned services.
Tornado Cash, on the other hand, is deployed as a smart contract on the Ethereum blockchain. Hence, it is more akin to a robot than an entity –– it can be thought of as an automated version of a typical cryptocurrency mixer. It still works similarly to a regular mixer, though. Users deposit cryptocurrency into the Tornado Cash contract, which pools the funds and enables withdrawals unlinked to the deposits.
Tornado Cash ensures privacy and enables trustless user withdrawals by leveraging robust cryptographic techniques, with proofs known as zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs) at its core.
In essence, zk-SNARK –– and zero-knowledge proofs in general –– allow an entity to prove a statement about a secret without revealing the secret. In the context of Tornado Cash, it allows the user to prove they are entitled to withdraw a certain amount of coins from the smart contract without handing out information about their deposits.
“SNARKs in the context of Tornado Cash allow depositors to move money into the pool and have an off-chain deposit note they can use to withdraw it to any other account,” Michael Lewellen, security solutions architect at smart contract security firm OpenZeppelin, told Bitcoin Magazine. “The fact that the deposit note has zero ties to the deposit account is where the SNARKs are used to ensure privacy.”
Beyond the privacy benefits, the deposit note also allows a greater level of security and control for the user as it enables them to trustlessly withdraw their funds from the smart contract at any time. This feature makes Tornado Cash akin to a non-custodial service, as these “redeemable notes” function as cryptographic keys that unlock the user’s funds.
“I think it’s still fair to call it non-custodial,” Lewellen said. “You’re essentially given a new cryptographic key ‘proof’ related to that specific deposit that can then be used by the withdrawing account to pull the money out.”
Cryptocurrency mixers have for years been targeted by the U.S. government and its enforcement agencies. One would think that Tornado Cash, being a piece of code autonomously living on a blockchain instead of a centrally-run business, would be immune to such targeting. Still, OFAC came after it.
Why And How OFAC Sanctioned Tornado Cash
The idea that the U.S. Treasury Department can sanction a smart contract like Tornado Cash seems far-fetched and odd. However, it sits at the intersection of the department’s previous sanctions of cryptocurrency mixers (in reasoning) and blockchain addresses (in approach).
The sanctioning of Tornado Cash represents OFAC’s second-ever sanction on a cryptocurrency mixer. The first, on Blender, happened in May 2022.
OFAC said in a statement that Tornado Cash “has been used to launder more than $7 billion worth of virtual currency since its creation in 2019,” highlighting the alleged funneling of over $455 million stolen by the Democratic People’s Republic of Korea (DPRK)-sponsored Lazarus hacking group, which was sanctioned by the U.S. in 2019.
More specifically, the statement details:
“Tornado is being designated pursuant to E.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity originating from, or directed by persons located, in whole or in substantial part, outside the United States that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.”
According to the U.S. Treasury Department’s website, Executive Order (E.O.) 13694 focuses on harms caused by “malicious cyber-enabled activities,” which it judges as “any act that is primarily accomplished through or facilitated by computers or other electronic devices.” It directs the Secretary of the Treasury to impose sanctions on the persons he or she determines to be responsible for, or complicit in, the activities leading to those harms.
Blender’s sanction was also pursuant to E.O. 13694. Tornado Cash’s situation, however, raised some eyebrows because of the many nuances involved in its sanction.
OFAC clearly sees Tornado Cash as a mixer, and the Financial Crimes Enforcement Network (FinCEN) considers mixers to be money transmitters –– hence being susceptible to regulations and enforcement. At the same time, however, Tornado Cash is open-source code, and the U.S. ruled in “Bernstein v. Department of Justice” in the 1990s that code is speech. Hence the paradox. Furthermore, new research published by cryptocurrency think tank Coin Center challenges the premise that Tornado Cash is a mixer altogether.
Putting the paradox and legal nuances aside, things which might take years to dispute, in practice OFAC might have simply looked at a piece of software akin to a cryptocurrency mixer being used to launder illegal funds and decided to crack down on it –– regardless of the decentralized nature of the tool.
Even though OFAC’s SDN list is more often than not leveraged for persons or entities, the Treasury Department has, since 2018, spelled out that it can and will add cryptocurrency addresses to the list as it deems necessary to protect U.S. national security interests.
“To strengthen our efforts to combat the illicit use of digital currency transactions under our existing authorities, OFAC may include as identifiers on the SDN List specific digital currency addresses associated with blocked persons,” per the Treasury Department website. “OFAC may add digital currency addresses to the SDN List to alert the public of specific digital currency identifiers associated with a blocked person.”
Counterintuitively, and here’s the hard truth, the transparent nature of blockchains more broadly, along with specific characteristics of the Ethereum blockchain, made it easier for the Treasury Department to overextend its authority and mingle reasoning and approach to add Tornado Cash to the SDN list.
Ethereum leverages a model based on accounts. According to the Ethereum foundation, an account “is an entity with an ether (ETH) balance that can send transactions on Ethereum” and it can be either user-controlled or a smart contract. Accounts can receive, hold and send ETH and tokens on the Ethereum blockchain as well as interact with smart contracts.
As a default, deployed smart contracts on Ethereum have a fixed address which other accounts, owned by users or other contracts, can interact with. Therefore, since OFAC can sanction blockchain addresses through its SDN list, it was trivial for the enforcement body to sanction Tornado Cash.
So, is it then just a matter of time until OFAC or similar organizations begin coming after tools in Bitcoin land?
There is arguably little limit to what enforcement agencies such as OFAC can do to reach their objectives, as evidenced by the Tornado Cash case. But many decentralized tools were built in response to the state’s overarching control in the first place and are designed to prevent such actions.
Does that mean Bitcoin is immune to the threats that the Ethereum ecosystem is currently facing? Not necessarily.
As explained above, and judging by the Treasury Department’s statements and guidelines, OFAC’s sanction on Tornado Cash appears to have been a coupling of two of the agency’s practices: the goal of cracking down on virtual currency mixers facilitating money laundering and its ability to add blockchain addresses to its SDN list. Bitcoin is well positioned to mitigate against the former, and while the latter poses a real threat, this is where Nakamoto’s design proves more resilient. Here’s why.
CoinJoins Aren’t Mixers
Bitcoin privacy tools, namely CoinJoins, are also leveraged by criminals to launder money –– which also puts them on the radar of regulators.
Earlier this year, the U.K.’s National Crime Agency (NCA) called for the regulation of Bitcoin CoinJoins, erroneously calling them “decentralized mixers” and citing Samourai and Wasabi wallets as two well-known mixers, per a report by the Financial Times. The agency claimed that such tools allow users to disguise transactions that are otherwise traceable on blockchains.
“The NCA said regulation would force mixers to comply with money laundering laws, with an obligation to carry out customer checks and audit trails of currencies passing through the platforms,” per the report.
As highlighted in Samourai Wallet’s follow-up blog post, there should be a clear distinction between a mixer and a CoinJoin, as they are different tools.
While a mixer functions in the typical deposit–pool–withdraw format, a CoinJoin is nothing more than a Bitcoin transaction. It differs from typical Bitcoin transactions because CoinJoins are really large ones with a specific format, but software like Samourai and Wasabi enable only the coordination of users to form that same transaction. In other words, there is no deposit, pooling or withdrawal of funds.
In fact, the EU’s most prominent law enforcement agency, Europol, makes a clear distinction between mixers and CoinJoins. In its latest two Internet Organized Crime Threat Assessment (IOCTA) reports, Europol’s flagship strategic product that provides a law enforcement-focused assessment of evolving threats and developments in the area of cybercrime, the agency did not bundle mixers and CoinJoins into the same basket.
“Criminals are increasingly converting their illicit earnings made in Bitcoin using cryptocurrency obfuscation methods like swapping services, mixers and coinjoins,” it said in its 2021 IOCTA report. “…In the last few years, many different obfuscation methods have gained popularity, such as mixers, CoinJoin, swapping, crypto debit cards, Bitcoin ATMs, local trade and more.”
Furthermore, in a 2020 report on Wasabi, Europol stated that “users who download the wallet store all bitcoins locally,” which “means that the AML legislation including Europe’s latest AMLD5 (the 5th anti-money laundering directive) does not apply to this service.”
Therefore, at the present time, it seems rather unlikely that the Treasury Department or other enforcement agencies would crack down on Bitcoin CoinJoins as cryptocurrency mixers and add them to the OFAC SDN list. But let’s entertain the possibility that said agencies choose to do so.
The Theoretical Sanctioning Of Bitcoin CoinJoins And Its Possible Ramifications
Assuming that enforcement agencies can extend their authority to fit their needs, CoinJoins can come under sanctioning threats. But how could that be done? While there are no clear answers to that question, some possible scenarios do emerge.
The first natural scenario is an enforcement agency banning CoinJoins altogether. However unlikely, and while it would actually mean banning multiple-party Bitcoin transactions, such an action can in theory still be done. This threat, however, is sentient and the same threat that existed –– and arguably still exists –– for Bitcoin at large.
Perhaps a more down-to-earth scenario would be the sanctioning of CoinJoins’ coordinators instead. While this isn’t applicable to JoinMarket in a straightforward way, given its maker and taker structure, in the cases of Samourai and Wasabi there are central coordinators that facilitate the CoinJoin transaction that is performed between the transacting parties. (This type of sanction is still unlikely given the structure of CoinJoins and as evidenced by Europol’s statement saying that AML rules don’t apply to these tools. But, again, let’s suppose the contrary.)
The action of sanctioning coordinators could be similar to the sanctioning of Tornado Cash in theory, but it’s very different in practice.
While OFAC, for instance, could simply add a CoinJoin’s coordinator to its SDN list, there is no single blockchain address it could use to represent that coordinator. As a gift from Bitcoin’s unspent transaction output (UTXO) model, coordinators change their address each round. This means that with Bitcoin CoinJoins there is no single point of contact to the Bitcoin blockchain and therefore this poses a key difference to Tornado Cash’s smart contract structure based on Ethereum’s account based system.
In practice, OFAC would need to continuously analyze the blockchain to spot Bitcoin CoinJoins and retroactively add addresses to the SDN list. (There is one aspect that washes OFAC’s hands in this case –– it makes it clear that the SDN list is not exhaustive, meaning that if an address that’s not listed is found to belong to an entity that is on the list, the sanction would still apply.)
Beyond the retroactive enforcement of such rules, the enforcement body would also need to know the identities of the Bitcoin users leveraging the services. While it is true that Bitcoin transactions and addresses aren’t anonymous, Bitcoin’s UTXO model increases robustness and resilience against this as well and most of the chain analysis work relies on (sometimes educated) guesses. This would be truly effective only if the addresses going in are either publicly known (for example from known hacks or hackers) or KYC’d (known to exchanges and therefore law enforcement).
However, the fact that there is no direct or reliable way to tell which coordinator was used in a given CoinJoin round poses further challenges. While it can often be plausible to assume that the default coordinator was used in a round, such a statement cannot be reliably used against users because nothing prevents users from creating and using different coordinators, with the only obstacle being liquidity –– which can be solved with time.
If legislation turns around and decides CoinJoins should fall under the same rules as mixers despite their striking differences, and the above actions by enforcement agencies turn out to be successful –– or at least effective enough –– there are still a couple of possible nonexclusive avenues that hold the potential to bring about an outcome different than what Tornado Cash is facing.
First, business entities running the coordinators could attempt to prevent illegal funds from being CoinJoined. Wasabi Wallet is seeking such a reality with its zkSNACKs coordinator, according to an announcement from earlier this year. It isn’t clear whether Wasabi has implemented this feature yet. (This is a complicated and hardly positive path for the ecosystem as a whole, however, because it enables regulatory overreach on tools that are not money transmitters and which regulators and enforcement agencies themselves realize at present should not be subject to AML rules.)
A second –– and arguably better –– option would be leveraging even more decentralized CoinJoin tools such as JoinMarket. Even though it isn’t a perfect implementation, as highlighted by Shinobi in this article, JoinMarket presents a great option for Bitcoin users to embark on CoinJoins in a catastrophic scenario such as the above. It is even more resilient than centrally-coordinated CoinJoins, meaning it would amplify all the enforcement challenges posed by the likes of Samourai and Wasabi, and spotting JoinMarket CoinJoin transactions on-chain is in and of itself already more challenging and can lead to false positives.
On a different note, OFAC’s sanction of Tornado Cash has also created additional problems in a cascading effect that are worth considering when it comes to potential sanctions on Bitcoin. One of the contributors to the Tornado Cash open-source code was arrested following the sanction; Tornado Cash’s GitHub account and those of some of its developers were shut down; and the website for Tornado Cash was taken down.
It isn’t yet clear why the developer was arrested, but Bitcoin Magazine contacted GitHub to learn more about the accounts shutdown.
“Trade laws require GitHub to restrict users and customers identified as Specially Designated Nationals (SDNs) or other denied or blocked parties, or that may be using GitHub on behalf of blocked parties,” a GitHub spokesperson told Bitcoin Magazine. “At the same time, GitHub’s vision is to be the global platform for developer collaboration. We examine government sanctions thoroughly to be certain that users and customers are not impacted beyond what is required by law.”
Bitcoin Magazine inquired further but received the same response as above.
Therefore it is clear that Bitcoin, and any open-source project for that matter, may suffer from the same GitHub accounts shutdown in the event of an OFAC sanction. However, as highlighted by the community in forums and Twitter, some options also exist to mitigate this threat such as self-hosted GitLab instances.
Still, another difference between Bitcoin and Ethereum also plays a role here. While in the ecosystem of the latter centralized tools play a bigger role in its decentralized offerings –– for example Infura, which powers most of the Ethereum apps, wallets and services and is susceptible to sanctions and censorship –– the former is better positioned to sustain similar threats.
In sum, Bitcoin is arguably the most well-prepared network to withstand nation-state attacks given the intricacies of its design, some of which were explored in-depth in this article. Moreover, challenges to the enforcement of possible sanctions on Bitcoin privacy tools make such an action not only unlikely but seemingly futile to be undertaken as its efficacy might simply not be amplified compared to what is done today regarding money laundering with Bitcoin and CoinJoins. Finally, the unlikelihood of such an event is further exacerbated by the unique characteristics of CoinJoins and the structural differences their implementation poses to mixing.
This article mainly focuses on the probable reasoning behind OFAC’s sanction on Tornado Cash to imagine how such a sanction could be ported onto Bitcoin and its tools. But it wouldn’t be fair to leave out a commentary on what has likely been an overextension of regulatory oversight.
As highlighted by several industry players and businesses, the sanction of open-source code might be an infringement on the Constitutional First Amendment, which protects freedom of speech, and, as mentioned previously, code has been established as speech under U.S. law. Moreover, any attack on open-source code is an attack on Bitcoin.
Additionally, the sanctioning of Tornado Cash altogether has negative implications to law-abiding citizens that leveraged the tool to protect their legitimate privacy interests, as explained by Seth Hertlein, global head of policy at hardware wallet maker Ledger.
All in all, as already mentioned, while regulators shouldn’t overextend their statutory authority, litigation can take years. Furthermore, given that legislation is dependent on jurisdiction, what is legal or illegal is geographically subjective. Consequently, decentralized systems should be designed from the ground up to withstand capture or overreach with unstoppable, uncensorable networks.
UPDATE (Aug. 26, 2022 – 9:40 a.m. ET): Adds information about new Coin Center research on the mechanics of Tornado Cash.
El Salvador Takes First Step To Issue Bitcoin Volcano Bonds
El Salvador’s Minister of the Economy Maria Luisa Hayem Brevé submitted a digital assets issuance bill to the country’s legislative assembly, paving the way for the launch of its bitcoin-backed “volcano” bonds.
First announced one year ago today, the pioneering initiative seeks to attract capital and investors to El Salvador. Plans were revealed at the time to issue $1 billion in bonds on the Liquid Network, a federated Bitcoin sidechain, with the proceeds of the bonds being split between a $500 million direct allocation to bitcoin and an investment of the same amount in building out energy and bitcoin mining infrastructure in the region.
A sidechain is an independent blockchain that runs parallel to another blockchain, allowing for tokens from that blockchain to be used securely in the sidechain while abiding by a different set of rules, performance requirements, and security mechanisms. Liquid is a sidechain of Bitcoin that allows bitcoin to flow between the Liquid and Bitcoin networks with a two-way peg. A representation of bitcoin used in the Liquid network is referred to as L-BTC. Its verifiably equivalent amount of BTC is managed and secured by the network’s members, called functionaries.
“Digital securities law will enable El Salvador to be the financial center of central and south America,” wrote Paolo Ardoino, CTO of cryptocurrency exchange Bitfinex, on Twitter.
Bitfinex is set to be granted a license in order to be able to process and list the bond issuance in El Salvador.
The bonds will pay a 6.5% yield and enable fast-tracked citizenship for investors. The government will share half the additional gains with investors as a Bitcoin Dividend once the original $500 million has been monetized. These dividends will be dispersed annually using Blockstream’s asset management platform.
The act of submitting the bill, which was hinted at earlier this year, kickstarts the first major milestone before the bonds can see the light of day. The next is getting it approved, which is expected to happen before Christmas, a source close to President Nayib Bukele told Bitcoin Magazine. The bill was submitted on November 17 and presented to the country’s Congress today. It is embedded in full below.
How I’ll Talk To Family Members About Bitcoin This Thanksgiving
This is an opinion editorial by Joakim Book, a Research Fellow at the American Institute for Economic Research, contributor and copy editor for Bitcoin Magazine and a writer on all things money and financial history.
That’s it. That’s the article.
In all sincerity, that is the full message: Just don’t do it. It’s not worth it.
You’re not an excited teenager anymore, in desperate need of bragging credits or trying out your newfound wisdom. You’re not a preaching priestess with lost souls to save right before some imminent arrival of the day of reckoning. We have time.
Instead: just leave people alone. Seriously. They came to Thanksgiving dinner to relax and rejoice with family, laugh, tell stories and zone out for a day — not to be ambushed with what to them will sound like a deranged rant in some obscure topic they couldn’t care less about. Even if it’s the monetary system, which nobody understands anyway.
If you’re not convinced of this Dale Carnegie-esque social approach, and you still naively think that your meager words in between bites can change anybody’s view on anything, here are some more serious reasons for why you don’t talk to friends and family about Bitcoin the protocol — but most certainly not bitcoin, the asset:
- Your family and friends don’t want to hear it. Move on.
- For op-sec reasons, you don’t want to draw unnecessary attention to the fact that you probably have a decent bitcoin stack. Hopefully, family and close friends should be safe enough to confide in, but people talk and that gossip can only hurt you.
- People find bitcoin interesting only when they’re ready to; everyone gets the price they deserve. Like Gigi says in “21 Lessons:”
“Bitcoin will be understood by you as soon as you are ready, and I also believe that the first fractions of a bitcoin will find you as soon as you are ready to receive them. In essence, everyone will get ₿itcoin at exactly the right time.”
It’s highly unlikely that your uncle or mother-in-law just happens to be at that stage, just when you’re about to sit down for dinner.
- Unless you can claim youth, old age or extreme poverty, there are very few people who genuinely haven’t heard of bitcoin. That means your evangelizing wouldn’t be preaching to lost, ignorant souls ready to be saved but the tired, huddled and jaded masses who could care less about the discovery that will change their societies more than the internal combustion engine, internet and Big Government combined. Big deal.
- What is the case, however, is that everyone in your prospective audience has already had a couple of touchpoints and rejected bitcoin for this or that standard FUD. It’s a scam; seems weird; it’s dead; let’s trust the central bankers, who have our best interest at heart.
No amount of FUD busting changes that impression, because nobody holds uninformed and fringe convictions for rational reasons, reasons that can be flipped by your enthusiastic arguments in-between wiping off cranberry sauce and grabbing another turkey slice.
- It really is bad form to talk about money — and bitcoin is the best money there is. Be classy.
Now, I’m not saying to never ever talk about Bitcoin. We love to talk Bitcoin — that’s why we go to meetups, join Twitter Spaces, write, code, run nodes, listen to podcasts, attend conferences. People there get something about this monetary rebellion and have opted in to be part of it. Your unsuspecting family members have not; ambushing them with the wonders of multisig, the magically fast Lightning transactions or how they too really need to get on this hype train, like, yesterday, is unlikely to go down well.
However, if in the post-dinner lull on the porch someone comes to you one-on-one, whisky in hand and of an inquisitive mind, that’s a very different story. That’s personal rather than public, and it’s without the time constraints that so usually trouble us. It involves clarifying questions or doubts for somebody who is both expressively curious about the topic and available for the talk. That’s rare — cherish it, and nurture it.
Last year I wrote something about the proper role of political conversations in social settings. Since November was also election month, it’s appropriate to cite here:
“Politics, I’m starting to believe, best belongs in the closet — rebranded and brought out for the specific occasion. Or perhaps the bedroom, with those you most trust, love, and respect. Not in public, not with strangers, not with friends, and most certainly not with other people in your community. Purge it from your being as much as you possibly could, and refuse to let political issues invade the areas of our lives that we cherish; politics and political disagreements don’t belong there, and our lives are too important to let them be ruled by (mostly contrived) political disagreements.”
If anything, those words seem more true today than they even did then. And I posit to you that the same applies for bitcoin.
Everyone has some sort of impression or opinion of bitcoin — and most of them are plain wrong. But there’s nothing people love more than a savior in white armor, riding in to dispel their errors about some thing they are freshly out of fucks for. Just like politics, nobody really cares.
Leave them alone. They will find bitcoin in their own time, just like all of us did.
This is a guest post by Joakim Book. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.
RGB Magic: Client-Side Contracts On Bitcoin
This is an opinion editorial by Federico Tenga, a long time contributor to Bitcoin projects with experience as start-up founder, consultant and educator.
The term “smart contracts” predates the invention of the blockchain and Bitcoin itself. Its first mention is in a 1994 article by Nick Szabo, who defined smart contracts as a “computerized transaction protocol that executes the terms of a contract.” While by this definition Bitcoin, thanks to its scripting language, supported smart contracts from the very first block, the term was popularized only later by Ethereum promoters, who twisted the original definition as “code that is redundantly executed by all nodes in a global consensus network.”
While delegating code execution to a global consensus network has advantages (e.g. it is easy to deploy unowned contracts, such as the popular automated market makers), this design has one major flaw: lack of scalability (and privacy). If every node in a network must redundantly run the same code, the amount of code that can actually be executed without excessively increasing the cost of running a node (and thus preserving decentralization) remains scarce, meaning that only a small number of contracts can be executed.
But what if we could design a system where the terms of the contract are executed and validated only by the parties involved, rather than by all members of the network? Let us imagine the example of a company that wants to issue shares. Instead of publishing the issuance contract publicly on a global ledger and using that ledger to track all future transfers of ownership, it could simply issue the shares privately and pass to the buyers the right to further transfer them. Then, the right to transfer ownership can be passed on to each new owner as if it were an amendment to the original issuance contract. In this way, each owner can independently verify that the shares he or she received are genuine by reading the original contract and validating that all the history of amendments that moved the shares conform to the rules set forth in the original contract.
This is actually nothing new, it is indeed the same mechanism that was used to transfer property before public registers became popular. In the U.K., for example, it was not compulsory to register a property when its ownership was transferred until the ‘90s. This means that still today over 15% of land in England and Wales is unregistered. If you are buying an unregistered property, instead of checking on a registry if the seller is the true owner, you would have to verify an unbroken chain of ownership going back at least 15 years (a period considered long enough to assume that the seller has sufficient title to the property). In doing so, you must ensure that any transfer of ownership has been carried out correctly and that any mortgages used for previous transactions have been paid off in full. This model has the advantage of improved privacy over ownership, and you do not have to rely on the maintainer of the public land register. On the other hand, it makes the verification of the seller’s ownership much more complicated for the buyer.
How can the transfer of unregistered properties be improved? First of all, by making it a digitized process. If there is code that can be run by a computer to verify that all the history of ownership transfers is in compliance with the original contract rules, buying and selling becomes much faster and cheaper.
Secondly, to avoid the risk of the seller double-spending their asset, a system of proof of publication must be implemented. For example, we could implement a rule that every transfer of ownership must be committed on a predefined spot of a well-known newspaper (e.g. put the hash of the transfer of ownership in the upper-right corner of the first page of the New York Times). Since you cannot place the hash of a transfer in the same place twice, this prevents double-spending attempts. However, using a famous newspaper for this purpose has some disadvantages:
- You have to buy a lot of newspapers for the verification process. Not very practical.
- Each contract needs its own space in the newspaper. Not very scalable.
- The newspaper editor can easily censor or, even worse, simulate double-spending by putting a random hash in your slot, making any potential buyer of your asset think it has been sold before, and discouraging them from buying it. Not very trustless.
For these reasons, a better place to post proof of ownership transfers needs to be found. And what better option than the Bitcoin blockchain, an already established trusted public ledger with strong incentives to keep it censorship-resistant and decentralized?
If we use Bitcoin, we should not specify a fixed place in the block where the commitment to transfer ownership must occur (e.g. in the first transaction) because, just like with the editor of the New York Times, the miner could mess with it. A better approach is to place the commitment in a predefined Bitcoin transaction, more specifically in a transaction that originates from an unspent transaction output (UTXO) to which the ownership of the asset to be issued is linked. The link between an asset and a bitcoin UTXO can occur either in the contract that issues the asset or in a subsequent transfer of ownership, each time making the target UTXO the controller of the transferred asset. In this way, we have clearly defined where the obligation to transfer ownership should be (i.e., in the Bitcoin transaction originating from a particular UTXO). Anyone running a Bitcoin node can independently verify the commitments, and neither the miners nor any other entity is able to censor or interfere with the asset transfer in any way.
Since on the Bitcoin blockchain we only publish a commitment of an ownership transfer, not the content of the transfer itself, the seller needs a dedicated communication channel to provide the buyer with all the proofs that the ownership transfer is valid. This could be done in a number of ways, potentially even by printing out the proofs and shipping them with a carrier pigeon, which, while a bit impractical, would still do the job. But the best option to avoid censorship and privacy violations is to establish direct peer-to-peer encrypted communication, which, compared to the pigeons, also has the advantage of being easy to integrate with software that verifies the proofs received from the counterparty.
The model just described for client-side validated contracts and ownership transfers is exactly what has been implemented with the RGB protocol. With RGB, it is possible to create a contract that defines rights, assigns them to one or more existing bitcoin UTXOs and specifies how their ownership can be transferred. The contract can be created starting from a template, called a “schema,” in which the creator of the contract only adjusts the parameters and ownership rights, as is done with traditional legal contracts. Currently, there are two types of schemas in RGB: one for issuing fungible tokens (RGB20) and a second for issuing collectibles (RGB21), but in the future, more schemas can be developed by anyone in a permissionless fashion without requiring changes at the protocol level.
To use a more practical example, an issuer of fungible assets (e.g. company shares, stablecoins, etc.) can use the RGB20 schema template and create a contract defining how many tokens it will issue, the name of the asset and some additional metadata associated with it. It can then define which bitcoin UTXO has the right to transfer ownership of the created tokens and assign other rights to other UTXOs, such as the right to make a secondary issuance or to renominate the asset. Each client receiving tokens created by this contract will be able to verify the content of the Genesis contract and validate that any transfer of ownership in the history of the token received has complied with the rules set out therein.
So what can we do with RGB in practice today? First and foremost, it enables the issuance and the transfer of tokenized assets with better scalability and privacy compared to any existing alternative. On the privacy side, RGB benefits from the fact that all transfer-related data is kept client-side, so a blockchain observer cannot extract any information about the user’s financial activities (it is not even possible to distinguish a bitcoin transaction containing an RGB commitment from a regular one). Moreover, the receiver shares with the sender only a blinded UTXO (i.e., the hash of the concatenation of the UTXO in which she wishes to receive the assets and a random number) instead of the UTXO itself, so it is not possible for the payer to monitor future activities of the receiver. To further increase the privacy of users, RGB also adopts the bulletproof cryptographic mechanism to hide the amounts in the history of asset transfers, so that even future owners of assets have an obfuscated view of the financial behavior of previous holders.
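The buyer-side check described above (each transfer must be committed in the one transaction that spends the UTXO holding the asset, and the receiver hands out only a blinded UTXO) can be sketched as follows. This is an added example, not RGB code: the hash encoding, the field names and the `spent_by` map standing in for a Bitcoin node are assumptions of this toy model, and amounts are left in the clear.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (toy encoding, not RGB's format)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def blind(outpoint: str, nonce: bytes) -> bytes:
    """Blinded UTXO: hash of the outpoint concatenated with a random number."""
    return h(outpoint.encode(), nonce)

def transfer_id(prev_id: bytes, to_seal: bytes, amount: int) -> bytes:
    """Commitment expected in the transaction that spends the old UTXO."""
    return h(prev_id, to_seal, amount.to_bytes(8, "big"))

def validate(genesis, history, spent_by):
    """Return the blinded seal that now owns the asset, or raise ValueError.
    genesis:  (contract_id, blinded seal of the first owner, issued amount)
    history:  transfers from the seller: {"closes", "nonce", "to", "amount"}
    spent_by: outpoint -> commitment in the one transaction spending it,
              as read from the buyer's own Bitcoin node
    """
    prev_id, owner, amount = genesis
    for t in history:
        if blind(t["closes"], t["nonce"]) != owner:
            raise ValueError("revealed UTXO is not the assigned one")
        if t["amount"] != amount:
            raise ValueError("amount changed in transit")
        tid = transfer_id(prev_id, t["to"], t["amount"])
        if spent_by.get(t["closes"]) != tid:
            raise ValueError("spending tx does not commit to this transfer")
        prev_id, owner = tid, t["to"]
    return owner

def demo():
    """Constructed data, fixed nonces: Alice pays Bob, then offers Carol too."""
    a, b, c = blind("aa:0", b"n1"), blind("bb:1", b"n2"), blind("cc:0", b"n3")
    genesis = (h(b"constructed contract"), a, 100)
    to_bob = {"closes": "aa:0", "nonce": b"n1", "to": b, "amount": 100}
    to_carol = dict(to_bob, to=c)
    chain = {"aa:0": transfer_id(genesis[0], b, 100)}  # aa:0 is spent only once
    paid_bob = validate(genesis, [to_bob], chain) == b
    try:
        validate(genesis, [to_carol], chain)
        return paid_bob, False
    except ValueError:
        return paid_bob, True
```

Because `aa:0` can be spent by only one transaction, only one transfer can ever match the on-chain commitment, so Carol's validation fails without any global registry being consulted.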
In terms of scalability, RGB offers some advantages as well. First of all, most of the data is kept off-chain, as the blockchain is only used as a commitment layer, reducing the fees that need to be paid and meaning that each client only validates the transfers it is interested in instead of all the activity of a global network. Since an RGB transfer still requires a Bitcoin transaction, the fee saving may seem minimal, but when you start introducing transaction batching the savings can quickly become massive. Indeed, it is possible to transfer all the tokens (or, more generally, “rights”) associated with a UTXO towards an arbitrary number of recipients with a single commitment in a single bitcoin transaction. Let’s assume you are a service provider making payouts to several users at once. With RGB, you can commit in a single Bitcoin transaction thousands of transfers to thousands of users requesting different types of assets, making the marginal cost of each single payout absolutely negligible.
Another fee-saving mechanism for issuers of low value assets is that in RGB the issuance of an asset does not require paying fees. This happens because the creation of an issuance contract does not need to be committed on the blockchain. A contract simply defines to which already existing UTXO the newly issued assets will be allocated. So if you are an artist interested in creating collectible tokens, you can issue as many as you want for free and then only pay the bitcoin transaction fee when a buyer shows up and requests the token to be assigned to their UTXO.
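To see why one commitment can cover thousands of payouts, the added example below folds a batch into a single 32-byte Merkle root and gives each recipient a short inclusion proof. The article does not say how RGB builds its batch commitment; the Merkle tree, the leaf layout and the asset names here are assumptions chosen for illustration, not RGB's own construction.

```python
import hashlib

def leaf(seal: bytes, asset: str, amount: int) -> bytes:
    """Hash one payout (32-byte blinded seal, asset name, amount)."""
    data = seal + asset.encode() + amount.to_bytes(8, "big")
    return hashlib.sha256(b"\x00" + data).digest()  # 0x00 marks a leaf

def node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 marks a node

def build(leaves):
    """Return every tree level, leaves first; an unpaired node moves up as is."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """Sibling path for one leaf: list of (sibling_hash, sibling_is_left)."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append((level[sib], sib < index))
        index //= 2
    return path

def verify(root, leaf_hash, path):
    """Recompute the root from one payout and its path."""
    acc = leaf_hash
    for sibling, is_left in path:
        acc = node(sibling, acc) if is_left else node(acc, sibling)
    return acc == root

def payout_batch(n):
    """Constructed batch of n payouts in two hypothetical assets."""
    leaves = [leaf(hashlib.sha256(b"seal%d" % i).digest(),
                   "SHARE" if i % 2 else "USD", 10 + i) for i in range(n)]
    levels = build(leaves)
    return levels[-1][0], levels, leaves
```

For a batch of 1,000 payouts the on-chain footprint stays at one 32-byte root, while each recipient checks at most ten sibling hashes delivered off-chain.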
Furthermore, because RGB is built on top of bitcoin transactions, it is also compatible with the Lightning Network. While it is not yet implemented at the time of writing, it will be possible to create asset-specific Lightning channels and route payments through them, similar to how it works with normal Lightning transactions.
RGB is a groundbreaking innovation that opens up new use cases using a completely new paradigm, but which tools are available to use it? If you want to experiment with the core of the technology itself, you should directly try out the RGB node. If you want to build applications on top of RGB without having to deep dive into the complexity of the protocol, you can use the rgb-lib library, which provides a simple interface for developers. If you just want to try to issue and transfer assets, you can play with Iris Wallet for Android, whose code is also open source on GitHub. If you just want to learn more about RGB you can check out this list of resources.
This is a guest post by Federico Tenga. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.