Table of Contents
A trio of simultaneous US CFTC actions against decentralized finance (DeFi) protocols raises questions about just how legal DeFi is in the US. Opyn, 0x and Deridex all settled charges that they were violating a range of derivatives trading laws. But the exact charges, and the finer points of the allegations, vary a bit from case to case.
Some of this looks straightforward. But some of this is far more concerning and looks to reveal a limited understanding of how these protocol works within the CFTC. So before digging in to the details we will look at what the CFTC's director of enforcement recently had to say about these issues. And then, after working through the charges, tie a few things back together.
Both the government and industry look to have work to do.
The CFTC's Narrative
In this talk we get a great summary of the CFTC's first enforcement action in crypto:
In 2015—ancient history in the world of digital assets—the Commission’s enforcement stance in the digital asset space became public in two actions: Coinflip and TeraExchange.
"Coinflip was operating as an unregistered exchange" and TeraExchange had a registration but specialized in facilitating wash trades, which led to a somewhat comical situation where:
the exchange touted the transaction as “the first [B]itcoin derivative transaction to be executed on a regulated exchange”—thus granting the first Bitcoin derivative transaction on a regulated exchange the dubious honor of also leading directly to the first CFTC enforcement action relating to a digital asset transaction executed on a regulated exchange.
That's 2015 and those platforms are long gone. In 2016, again quoting this recent talk:
the Commission acted against BitFinex, a foreign-based company that was offering digital asset derivative products without registering with the Commission. Bitfinex had been operating an online platform for trading various digital assets and offered leveraged and margined trading.
BitFinex is definitely still around though their US-linked activity is greatly reduced.
So from the CFTC's perspective none of this is new. People may joke that 2015 is ancient history in crypto – but eight years in financial regulation is also long past the time you can claim ignorance. And the language with respect to DAOs in general and the OokiDAO settlement in particular is quite aggressive for a regulator at a public forum:
The CFTC then prevailed in its precedent-setting litigation against the DAO, which established that the Commission can sue and serve DAOs; that DAOs are persons under the Commodity Exchange Act; and that this DAO violated the law. So to those advising clients, this case made clear: the DAO structure doesn’t put anyone above the law.
Now think for a moment what it means if DAOs are legally people and the long-past actions of 2015 and 2016 are good precedent. From the CFTC's perspective the actions we are about to look at are natural because:
Each of these three platforms was offering and confirming off-exchange leveraged or margined retail commodity transactions, and engaging in other activities that required CFTC registration, yet had not done so. Through these orders, the platforms agreed to cease the unlawful aspects of their operations and pay civil monetary penalties.
All that is to say the regulator does not think they are stretching the rules – they think these protocols are simply getting more creative in their attempts to skirt the rules. Or, again in the CFTC enforcement chief's own words:
the CFTC will keep up with developments in the relatively new market for derivatives on digital assets and will continue to prosecute those who try to avoid the US regulatory regime no matter how esoteric their means of avoiding that regime.
Opyn's charges revolve around providing access to improperly registered products for US users. Specifically:
The Opyn Protocol was accessible to users in the United States and abroad in three ways: through Opyn’s website; by accessing the Opyn Protocol through Decentralized Exchange 1; and by accessing the Opyn Protocol directly through a blockchain explorer.
The centralized website feels like a fair target. And there is some question as to whether producing a token you intend to trade on a decentralized exchange makes you responsible for whether or not people actually do that. But you cannot interact with a protocol through a blockchain explorer. You can read data that tells you what the protocol did through an explorer. But it is a one-way, read-only, interaction.
We can give the government a little benefit of the doubt here and assume they meant some sort of explorer where you can attach a wallet and smart contract calls. That would at least make sense on a technical level. But there is nothing a protocol can do to block such access. You can block US IP addresses from a website – you cannot block blockchain addresses from interacting with your smart contract.
No blockchain offers that. Individual protocols can employ whitelists that restrict access to approved-in-advance lists of addresses. But that is an exceptionally blunt instrument. If those whitelists are required by US law then DeFi is approximately illegal. That is a stronger requirement than blocking IP addresses. This should be clarified.
But not all of the charges are novel or surprising. The Opyn team also retained a fair amount of control over the protocol:
Opyn developed and deployed the fully automated smart contracts that held custody of users’ assets in the Opyn Protocol. Opyn retained a degree of control over the Opyn Protocol by retaining the ability to impose transaction fees on the minting of oSQTH, as well as the ability to effect a shutdown of the protocol, which would unwind all transactions.
It does not seem to matter than Opyn never initiated an unwind or imposed those fees. The government is alleging that merely having this power is sufficient to cause trouble. Note this is consistent with what we previously wrote about Coinbase's base.
The Deridex situation is less confusing:
The Deridex Protocol was accessible to retail and institutional users in the United States and abroad through Respondent’s website, and through direct interaction with the smart contracts that constituted the Deridex Protocol. Respondent did not take any steps to exclude U.S. persons or non-ECPs. Respondent also did not maintain a CIP, and did not require that any user of the Deridex Protocol provide any identifying information as would have been a necessary precondition for Respondent to implement KYC and anti-money laundering procedures.
In addition, Deridex retained substantial control over the Deridex Protocol. For example, Respondent retained the ability to update relevant smart contract code to adjust how the smart contracts operated in order to, among other things, suspend trading or prevent users from depositing collateral.
So Deridex was decentralization theater. The control here went beyond a mere kill switch: the team could change whatever they wanted. And they did not even attempt to block US IP addresses from their website.
This case is not even borderline. And really it is uninteresting in that they ran an unregistered centralized service that was never going to end well.
The interesting part of the allegations is that the government gets the "interaction with the smart contracts" bit right. It does not allege (imprecisely or incorrectly) that such interaction happened via a blockchain explorer like in the Opyn case.
The CFTC really should clarify this and amend the documents to remove the inconsistency (or error depending on how you view it).
In this case the government seems to be charging 0x with operating the website front end and saying nothing about the underlying technology.
During the Relevant Period, the 0x Protocol was a collection of smart contracts on the Ethereum blockchain that functioned as a blockchain-based digital asset trading platform. Respondent developed and deployed the 0x Protocol. Respondent additionally created and operated Matcha, a front-end user interface that was integrated with the 0x Protocol. By accessing Matcha’s website, users could trade on a peer-to-peer basis in thousands of different digital assets trading pairs for settlement on various blockchains.
After the Division began an inquiry into 0x, Respondent promptly took remedial action and provided substantial cooperation with the Division of Enforcement’s investigation, which materially assisted the investigation. In particular, 0x took immediate steps to prevent Leveraged Tokens from being traded through Matcha.
Nothing about the on-chain bits except that they existed. If the underlying technology was trading on a foreign stock exchange, or a random futures exchange, this would look the same. Of course it is illegal in the US to set up a website that facilitates trades on exchanges without any registrations. This is the same thing and looks straightforward. Nothing about blockchains matters here.
What is surprising is that in this case, blocking US IP addresses looks like it would have been sufficient. Alternatively deploying the smart contracts and leaving front-end development up to others also would have worked.
Why might this be? The 0x contracts are immutable and there is no kill switch. Perhaps that is the reason the government does not cite on-chain interaction as a problem? It is not clear.
These actions raise a few specific questions the government should address:
- Does "blockchain explorer" in the Opyn document refer to read-only explorer-type activity or some tool that can make smart contract calls?
- Is deploying immutable smart contracts with no kill-switch (or similar functionality) which constitute a trading protocol OK?
- Is blocking US IP addresses sufficient when deploying a front-end for unaffiliated (or immutable per the previous question?) protocols?
If the answers are "we should change the document to reference interaction in a manner consistent with the other charges," "yes," and "yes," then the rules make sense. It is difficult to understand what is and is not permitted otherwise.
This is particularly important as the CFTC's position, based on recent public comments, is that nothing they are doing requires novel legal theories and relies upon well-settled facts.
There was an earlier reference to "esoteric" means of avoiding rules. Complexity does not get you a free pass. But, at the same time, the government needs to be both factually correct and consistent in the way it approaches charges.
It look as though we are now in a weird space where attempts to evade enforcement are so obscure, wild or convoluted that very specific technical boundaries must be laid out. It cannot be the case that using a "blockchain explorer" as that term is normally understood is illegal in the United States. Such a claim amounts to censorship on a level that is clearly impermissible. And this is surely not what the CFTC meant.
At the same time prosecutors and judges are not software developers. And laws are not code. If the government is going to take up the task of regulating an automated financial system seriously it is going to need to get a bit deeper in the weeds. High-level clarity was provided in 2015 – but some lower-level clarity and clarification is now needed.