With reference to this post on meta-protocol for listing.
I think Tornado should consider significantly opening up their listing criteria for the simple reason that if they don’t, other protocols are at liberty to fork Tornado’s codebase and deploy privacy solutions themselves. Tornado deploying them would ensure they remain canonical - even if Tornado is not the one hosting the frontend.
Potential harms to listing multiple assets:
1. Dilution of anonymity sets
(a) If multiple versions of an asset - say yearn ETH, compound ETH and plain old ETH are listed, if everyone does not use the same solution, everyone loses anonymity. We can expect the market to automatically and rapidly converge to those tokens which are most used because everyone wants this privacy.
(b) This is less of an issue when comparing different assets - say YFI versus COMP - because the people who want to hold YFI and the people who want to hold COMP are distinct. Nobody is diluting anybody else’s anonymity set here, because the alternative for say a COMP holder is to just sit without any privacy.
One could argue that a lot of pools with insufficient anonymity doesn’t help much, but it’s still better than the status quo of zero privacy, as long as it doesn’t dilute anon sets as described in (a)
2. Supporting illegitimate projects
In DeFi, being permissionless does not amount to supporting illegitimate projects. For instance, Uniswap is not called a scam or given moral authority to dictate whichh tokens are or aren’t scams. Similarly I think Tornado should adopt a permissionless or near-permissionless approach, and let the market decide which solutions are best.
Tornado can choose to not be the one hosting the frontend, or else show warnings on its frontend, for unvetted assets.
3. Market may not be able to judge quality of anon sets
This is a distinct problem, which is not solved by restricting listing because projects will eventually want to fork our codebase.
Tornado could fund researchers trying to break its anonymity, this opens another can of worms, but is the only real way to objectively judge privacy afforded by various coins. Until then, letting the market judge where they think they get sufficient privacy might be good enough. We as governors of the protocol aren’t necessarily a better judge for this than individual users - both casual and professional - who may do any amount of due diligence and research before using Tornado.
Many users are anyway not looking to escape from state-level actors, they just want to break the link between deposits and withdrawals so that casual users (friends, twitter followers, etc) can’t chainalyse them. Tax evasion is the other common use case for Tornado but Tornado has a clear policy of not wanting to support this.
In short, imperfect privacy also is useful to some users and an improvement over status quo.
4. Imperfect convergence
In the case of competing assets (yearn ETH versus compound ETH), it is possible that the market converges upon the sub-optimal asset, assuming there is an objective way to determine which assets are bad assets. In this case, perhaps Tornado could run liquidity mining on whichever projects it wishes to be opinionated on. Those protocols could also contribute to liquidity mining. Liquidity mining may not significantly increase anonymity, because users who are here only for the profits will leave soon after - but there is a possibility some subset of users stay and continue to use Tornado.
Significantly open up listing of new assets on Tornado