On September 7, 2023, the U.S. Commodity Futures Trading Commission (CFTC) once again focused its enforcement efforts on the decentralized finance (DeFi) sector and filed a series of lawsuits against three U.S.-based companies: Opyn, Inc., ZeroEx, Inc., and Deridex, Inc.BlockchainThe company was punished and eventually accepted the penalty and reached a settlement.

Before the DeFi industry could begin to enjoy the "fruits of victory" that Uniswap brought to the court, the CFTC ruthlessly smashed it a week later and aimed its regulatory cannon directly at the DeFi derivatives market and even the entire DeFi industry.

This article will analyze the subsequent impact and response strategies on the DeFi industry by sorting out the case background of this CFTC regulatory enforcement and the opposition voices within the CFTC.

TL;DR

• The CFTC may be a more formidable regulator than the SEC, and it may aim its regulatory guns directly at DeFi;

• The CFTC directly imposed regulatory penalties on the developer company because DeFi violated the regulations on derivatives trading;

• The CFTC places the responsibility for malicious third-party behavior directly on the developer, even if the developer has no control over the malicious third-party behavior.

• Delphi Labs legal director Gabriel Shapiro said: “100%’s DeFi will be illegal.”

• The SEC is targeting CeFi, the CFTC is targeting DeFi, and FinCEN is focusing on KYC/AML/CTF for the global circulation of crypto assets. This should be the regulatory landscape for crypto assets before the 2024 US presidential election.

I. Case Background

According to the CFTC press release, Opyn and Deridex each developed and deployed their ownBlockchainThe agreement and website, respectively, provideTokenDerivatives trading and perpetualcontractTrading. This type of trading is a swap/leverage/margin retail commodity trading and can only be done in a registered institution that complies with the U.S. Commodity Exchange Act (CEA) and CFTC regulations.exchangeOpyn and Deridex illegally provided services to retail users without registering with the CFTC and failed to perform customer identification procedures required by the Bank Secrecy Act. In addition, although Opyn implemented some measures to restrict US users from using the service, these measures were not actually effective, while Deridex did not take any measures.

ZeroEx has developed and deployed the 0x Protocol and the Matcha application, which is similar to a DEX for users to trade on multipleTokenHowever, there are some leveraged/margin tokens deployed by unrelated third parties on DEX for investors to trade. The CFTC believes that transactions of this nature can only be conducted in a registered exchange that complies with CEA and CFTC regulations.exchangeProviding services to retail users while ZeroEx was never registered with the CFTC and illegally providing services.

As a result, Deridex and Opyn were accused of failing to register as a Swap Execution Facility (SEF) or designatecontractZeroEx, Opyn and Deridex were also accused of illegally offering leveraged and margin retail commodity trading in crypto assets.

According to the complaint, the CFTC requires three developer-operated companies, Opyn, ZeroEx, and Deridex, to pay civil penalties of $250,000, $200,000, and $100,000, respectively, and to cease and desist from the violations. Under the settlement agreement, the three companies agreed to pay civil penalties to avoid further legal prosecution.

Ian McGinley, CFTC Enforcement Director, said: “Once upon a time, there was an inherent idea among DeFi projects that the chain was lawless in decentralization. However, this is not the case. The DeFi industry may be innovative, complex and evolving, but law enforcement will keep pace with the times and actively pursue unregistered platforms that allow U.S. users to trade derivatives.”

2. CFTC Commissioner’s Opposition

2.1 Conflict with CFTC Regulatory Principles

Despite the CFTC’s decision, CFTC Commissioner Summer K. Mersinger still expressed her objection. She said: This regulatory enforcement is aimed at DeFi protocols and applications in a decentralized environment, and the CFTC has never been involved in this field before. Therefore, the first regulatory attitude in this field is particularly important.

Last year, the CFTC stated in its 2022-2026 strategic plan that the regulation of DeFi would increase stakeholder participation and communication, and acknowledged that innovative industries such as DeFi require broad stakeholder participation. However, this regulatory enforcement behavior is completely different from the strategic plan. The CFTC's "regulatory enforcement first, communication later" model is contrary to the strategic plan and the "responsible innovation" required by Congress.

She said that in this case, there was no evidence that customer funds were misappropriated, nor that any market participants were harmed by DeFi protocols/applications. Although the CFTC's unreasonable regulatory approach can protect "imaginary" investors, it cannot promote responsible innovation and will only drive the DeFi industry out of the U.S. market.

2.2 Uniswap Caseofconflict

In addition, she raised a very real question through regulatory enforcement against ZeroEx:If a DeFi protocol is developed and deployed for legitimate purposes, but is used by an unrelated third party for purposes that violate CEA and CFTC regulations, who should be held responsible? Should the developers of the DeFi protocol always be held responsible?

These questions have actually been answered in the previous Uniswap case (see article: The Tragedy of DeFi Regulation, Uniswap in Heaven, Tornado Cash in Hell). The court told us from a judicial perspective:Uniswap developers and investors should not be held liable for any damages caused by third parties using the protocol, because the underlying smart contracts of Uniswap and the token contracts deployed by third parties are completely different.

So, I believe that this Uniswap case can also be applied to the regulatory enforcement of ZeroEx. The CFTC's regulatory enforcement of it completely violates judicial precedent.

2.3 There is no CFTC compliance path for DeFi

Commissioner Summer K. Mersinger stated in her dissenting opinion that the existing CFTC regulations are aimed at centralized intermediaries, and the regulatory requirement is for centralized institutions to register as a compliant intermediary (such as a futures broker FCM), and then fulfill the KYC/AML/CTF procedures required by the Bank Secrecy Act, as well as the business compliance requirements corresponding to regulatory requirements.

Such regulations are not suitable for decentralized and disintermediate DeFi protocolsHow to require DeFi protocols to register as a futures commission merchant (FCM) in a decentralized environment? This is an unresolved issue, and the CFTC did not respond positively to this regulatory enforcement.

But no matter how strong the opposition is, the CFTC's regulatory enforcement remains.

3. It will have a huge impact on the derivatives trading market

3.1 The CFTC may be a more formidable regulator than the SEC

Due to the SEC’s previous regulatory enforcement and judicial challenges in the crypto industry, people mistakenly believe that the CFTC may be a more crypto-friendly regulator, so more regulatory authority should be given to the CFTC.However, in recent regulatory enforcement against DeFi projects, the CFTC has gradually revealed its true colors - the CFTC may directly destroy the entire DeFi industry.

The CFTC’s regulatory enforcement this time has sounded the alarm for DeFi protocols (including DEX based on the AMM mechanism) that engage in derivatives trading or have derivatives trading functions. If these protocols provide services to US users, they may be directly exposed to the CFTC’s regulatory cannon. Delphi Labs General Law Gabriel Shapiro even said:In the United States, all DeFi of 100% will be illegal."

He said in an interview: First of all, DeFi protocols with derivative trading functions have been targeted by the CFTC, whether in CFTC v. Ooki DAOCase (refer to article:The pain of DeFi regulation, Uniswap is in heaven, Tornado Cash is in hell) or in this regulatory enforcement, it is aimed at the DeFi protocol’s failure to comply with the regulations of CEA and CFTC.

Secondly, according to the relevant regulations of CEA and CFTC: "A person or entity cannot engage in leveraged/margined/financed transactions in commodities unless they are registered or licensed by the CFTC." However, basically all DeFi protocols are engaged in leveraged/margined/financed transactions in crypto assets, and commodity swap transactions can be understood as a derivative contract arrangement, the value of which is based on the value of the underlying commodity. Therefore, DeFi protocols like Lido, which pledge ETH to generate wETH, meet the definition of commodity swap transactions.

Therefore, in theory, almost all DeFi should be included in the CFTC's regulatory scope. This is a very scary theory. At present, the CFTC is only targeting three small-scale DeFi protocols (based in the United States, which is convenient for regulatory enforcement) for this regulatory enforcement, and may target Sizable Ones in the future.

Although Gabriel Shapiro's theory is very scary, in practice, unilateral regulatory enforcement by the SEC, CFTC, and DOJ can still be dealt with through judicial and legislative means.Because regulation cannot interpret the law or create the law.

3.2 What regulations have been violated and who will be held responsible?

Now that the CFTC has the power to fire on DeFi protocols within its jurisdiction, what is the reason and who will bear the responsibility?

Commissioner Summer K. Mersinger said that in this case, there was no indication that customer funds were misappropriated, nor that any market participants were harmed by the DeFi protocol. The CFTC only stated that the requirements of the CEA and CFTC regarding compliance registration were violated.

The theoretical basis of the CFTC can be found in a speech by Brian D. Quintenz (former CFTC commissioner and current a16z partner) in 2018: For smart contract agreements, first clarify what kind of agreement it is. Is it a swap/futures/options agreement? Is it for US users? If so, then no matter whether it is software code or any other form, it should comply with the CFTC's regulatory provisions.

If regulatory requirements are violated, who should be held accountable?

There is a huge space for discussion and debate here. Most lawyers have the same perspective on this issue as the judge in the Uniswap case, that is, the third party who did the evil should be held responsible for the damage caused, rather than the developers who were unable to control the third party's infringement and only published and submitted the code.

However, combined with the U.S. Department of Justice’s criminal prosecution of Tornado Cash’s founderXiaobai NavigationAllegations, CFTC v. Ooki DAOThis case, as well as the CFTC’s regulatory enforcement, shows that regulators do not think so.The CFTC will still attribute the responsibility of the malicious third party to the developer, even if the developer cannot control the malicious third party behaviorFor example, in the regulatory enforcement of ZeroEx, the regulator did not consider whether the protocol developer was associated with the launched derivatives tokens, or whether the protocol developer had the ability to control the launch of the derivatives tokens.

4. How to operate subsequent DeFi projects?

The most direct answer is:Escape from the United States and block American users.

Of course, there are also some considerations on how to block. For example, although Opyn has implemented some measures to restrict US users from using the service, these measures are not actually effective and it is still punished by the CFTC. Maybe blocking US IPs is not enough. Do we need to block VPNs from the US or Wallets from the US? These are easier to achieve through technical means.

Of course, we also need to pay attention to several American factors:

(1) can be used by U.S. users (including accounts,wallet, transactions, etc.);

(2) The website or product uses a server in the United States (AWS?);

(3) promoting or marketing the Services in the United States;

(4) The company, its employees, executives, agents, and other personnel in the United States are Americans;

(5) Have dealings with third-party service providers in the United States;

(6) Financial accounts involving the United States.

In general:

(1)The shielding should be complete, including the statement in the Terms of Use, to avoid falling into the regulatory scope;

（2）尽量做到开发团队、DAO的法律包装，避免个体承担DeFi协议的连带责任；

(3) Escape from the United States.In order to conduct derivatives business under US supervision, giants such as Coinbase are also hesitant to conduct derivatives business, so they have conducted offshore derivatives business and are actively applying for license qualifications from the CFTC.

The scope of application of how to operate is very broad, and it still needs to be looked at case by case.

5. Final Thoughts

Through the Ooki DAO case, the CFTC has achieved the recognition of DeFi business violations and the responsibility of the on-chain DAO and the token voting members within the DAO.CFTC wins case against Ooki DAO, setting precedent for DAOs to be held legally accountable"The article also wrote:After DAO can be sued, the chain is no longer a lawless place. Regulatory and law enforcement agencies can use this as a breakthrough to supervise DAO, DeFi, and DEX projects on the chain."But no one seems to take it seriously???

This time, the CFTC's regulatory enforcement just confirmed the above point of view. The CFTC directly stepped on the three DeFi protocols based on the Ooki DAO case, and required the developer companies to bear the main responsibility for the same violation reasons.

The SEC is targeting CeFi, the CFTC is targeting DeFi, and FinCEN is focusing on KYC/AML/CTF for the global circulation of crypto assets. This should be the regulatory landscape for crypto assets before the 2024 US presidential election.

The article comes from the Internet:CFTC enforces three DeFi protocols, sounding the alarm for all derivatives trading platforms

Related recommendation: Interpreting Vitalik’s latest paper: Privacy Pools, so that compliance no longer comes at the expense of privacy and centralization

We urgently need a way to prove and convince regulators that the source of my funds is clean and legal without exposing privacy and decentralization. Yesterday, Vitalik and some scholars from the University of Basel jointly published an article titled "BlockchainBlockchain Privacy and Regulatory Compliance: Towards a Practical Balance