The pain of DeFi regulation, Uniswap in heaven, Tornado Cash in hell

Author: Web3 Lawyer

On August 29, 2023, the Southern District Court of New York (SDNY) dismissed a class action lawsuit against Uniswap, where the plaintiffs accused Uniswap of allowing fraudulent tokens to be issued and traded on the protocol, causing harm to investors and seeking compensation. The judge ruled that the current cryptocurrency regulatory framework does not provide a basis for the plaintiffs' claims, and Uniswap is not liable for any damages caused by third parties using the protocol.

Before Uniswap's "victory," the U.S. Department of Justice (DOJ) and other regulatory agencies also brought criminal charges against Tornado Cash founders Roman Storm and Roman Semenov, accusing them of conspiracy to launder money, violating sanctions, and operating an unlicensed money transmission business during Tornado Cash's operation. The two face at least 20 years in prison.

Both are smart contract protocols built on blockchain, yet why do Uniswap and Tornado Cash face such different regulatory treatments? This article will delve into the two DeFi cases and analyze the underlying logic that leads to such disparate regulatory approaches.

TL;DR

• The technology itself is not guilty; it is the individuals using the technological tools who are guilty;
• The ruling in the Uniswap case is favorable for DeFi, meaning that DEXs will not be held liable for losses incurred by users due to tokens issued by third parties, which is actually a greater impact than the Ripple case;
• Judge Katherine Polk Failla also presides over the SEC v. Coinbase case, and her response regarding whether crypto assets are securities was: "This is not a question for the courts, but for Congress," and "ETH is a crypto commodity." Can this also be interpreted similarly in the SEC v. Coinbase case?
• Although the Tornado Cash case also involved regulatory intervention due to third-party actions, the severity of the case stems from the founders knowingly controlling the protocol to facilitate illegal activities, infringing on national security interests;
• Uniswap's establishment in the U.S., active cooperation with regulators, and its token's singular governance function provide a good example for other DeFi projects in responding to regulation.

1. Investors Sue Uniswap Over Fraudulent Tokens

(https://uniswap.org/)

In April 2022, a group of investors collectively sued Uniswap's developers and investors—Uniswap Labs, its founder Hayden Adams, and its investment firms (Paradigm, Andreessen Horowitz, and Union Square Ventures)—claiming that the defendants failed to register under U.S. federal securities laws, causing harm to investors by listing "fraudulent tokens" and seeking damages.

Presiding Judge Katherine Polk Failla stated that the real defendants should be the issuers of the "fraudulent tokens," not the developers and investors of the Uniswap protocol. Due to the decentralized nature of the protocol, the identity of the fraudulent token issuers is unknown to the plaintiffs (and the defendants are also unknown). The plaintiffs can only sue the defendants, hoping the court can transfer their claims to the defendants. The basis for the lawsuit is that the defendants provided the means for the issuance and trading of fraudulent tokens in exchange for transaction fees generated by the exchange.

Additionally, the plaintiffs took on the role of SEC Chair Gary Gensler, arguing that (1) the tokens sold on Uniswap are unregistered securities; (2) and that Uniswap, as a decentralized exchange trading securities tokens, should register with regulators as a securities exchange and broker-dealer. The court refused to extend securities law to the actions alleged by the plaintiffs, concluding that the investors' concerns "are better addressed to Congress than to this court."

In summary, the judge concluded that the current cryptocurrency regulatory framework does not provide a basis for the plaintiffs' claims, and according to existing U.S. securities law, Uniswap's developers and investors should not be held liable for any damages caused by third parties using the protocol, thus dismissing the plaintiffs' lawsuit.

2. Controversial Focus of the Uniswap Case

The presiding judge, Katherine Polk Failla, also oversees the SEC v. Coinbase case and has extensive experience in adjudicating cryptocurrency cases. After reviewing the 51-page ruling of this case, it is evident that the judge has a deep understanding of the cryptocurrency industry.

The focus of the controversy in this case is: (1) Should Uniswap be held liable for third-party use of the protocol? (2) Who should bear the responsibility for the damages caused by the use of the protocol?

2.1 The underlying protocol of Uniswap should be distinguished from the token protocols of the issuers, and the issuers should bear responsibility for harmful actions.

Uniswap Labs previously stated: "The Uniswap V3 decentralized liquidity pool model is entirely composed of underlying smart contracts and is executed automatically. This model, due to its openness, permissionlessness, and inclusivity, can generate exponentially growing ecosystems. The underlying protocol not only eliminates so-called trading intermediaries but also allows users to interact with the protocol in various simple and effective ways (such as through Dapps developed by Uniswap Labs)."

Issuers based on the aforementioned Uniswap underlying protocol can anonymously launch tokens without any form of behavioral verification or background checks, creating and establishing liquidity pool trading pairs (such as their own ERC-20 token/ETH) for investors to trade.

(https://www.docdroid.net/APrJolt/risley-v-uniswap-PDF)

The decentralized nature of Uniswap means that the protocol cannot control which tokens are issued on the platform or with whom they interact. The judge stated: "These underlying foundational smart contracts are distinct from the token contracts created by issuers unique to each liquidity pool. The protocol relevant to the plaintiffs' claims is not the underlying protocol provided by the defendants, but rather the liquidity pool trading pair agreements or token agreements drafted by the issuers themselves."

To better illustrate, the judge made several analogies: "It's like holding the developer of a self-driving car responsible for a traffic accident or bank robbery committed by a third party using that car, regardless of whether the fault lies with the developer." The judge also compared it to payment applications Venmo and Zelle, stating, "The plaintiffs' lawsuit is akin to trying to hold these payment platforms liable instead of drug dealers, because the drug dealers used the payment platforms to transfer funds for drug transactions."

In these cases, the responsibility should be attributed to the individuals committing the harmful actions rather than the developers of the software program.

2.2 The First Ruling in the Context of Decentralized Smart Contracts

The judge acknowledged the current lack of judicial precedents related to DeFi protocols, noting that no court has ruled in the context of decentralized protocols' smart contracts, nor has there been a way to hold the defendants legally accountable under securities law.

The judge found that in this case, the Uniswap protocol's smart contracts could indeed operate lawfully, just as they do for trading crypto commodities like ETH and BTC (Court finds that the smart contracts here were themselves able to be carried out lawfully, as with the exchange of crypto commodities ETH and Bitcoin).

In this statement, the judge specifically mentioned the commodity nature of ETH, albeit in just one sentence.

2.3 Investor Protection Under Securities Law

Section 12(a)(1) of the Securities Act grants investors the right to sue for damages due to the seller's violation of Section 5 of the Securities Act (registration and exemption of securities). Since this claim is based on the regulatory challenge of whether crypto assets are securities, the judge stated: "This is not a question for the courts, but for Congress." The court refused to extend securities law to the actions alleged by the plaintiffs, concluding that "investors' concerns are better addressed to Congress than to this court."

2.4 Summary

Although SEC Chair Gary Gensler has so far avoided labeling ETH as a security, Judge Katherine Polk Failla directly referred to it as a commodity (Crypto Commodities) in this case and refused to expand the application of securities law to cover the actions alleged by the plaintiffs against Uniswap.

Considering that Judge Katherine Polk Failla also presides over the SEC v. Coinbase case, her response regarding whether crypto assets are securities—"This is not a question for the courts, but for Congress," and "ETH is a crypto commodity"—can it also be interpreted similarly in the SEC v. Coinbase case?

Regardless, while laws regarding DeFi are being formulated, regulators may one day address this gray area. However, the Uniswap case indeed provides a good example for the crypto DeFi world in responding to regulation, indicating that decentralized exchanges (DEXs) cannot be held liable for losses incurred by users due to tokens issued by third parties. This impact is actually greater than that of the Ripple case, favoring DeFi.

(https://twitter.com/dyorexchange/status/1697332141938389281)

3. Tornado Cash and Its Founders in Dire Straits

Similarly deployed on the blockchain, the DeFi protocol Tornado Cash, which provides mixing services, seems to be in a less than ideal situation. On August 23, 2023, the U.S. Department of Justice (DOJ) charged Tornado Cash founders Roman Storm and Roman Semenov with criminal offenses, accusing them of conspiracy to launder money, violating sanctions, and operating an unlicensed money transmission business.

Tornado Cash was once a well-known mixing application on Ethereum, aimed at providing users with privacy protection for their transactions by obfuscating the sources, destinations, and counterparties of cryptocurrency transactions, thereby achieving privacy and anonymity in trading. On August 8, 2022, Tornado Cash was sanctioned by the U.S. Office of Foreign Assets Control (OFAC), with some on-chain addresses associated with Tornado Cash being placed on the SDN list, meaning that any entity or individual interacting with the on-chain addresses on the SDN list is illegal.

In a press release, OFAC stated that since 2019, over $7 billion in funds have been laundered using Tornado Cash, which has provided substantial assistance, sponsorship, or financial and technical support for illegal online activities both within and outside the U.S., posing significant threats to U.S. national security, foreign policy, economic health, and financial stability, thus leading to OFAC sanctions.

(https://www.researchgate.net/figure/Example-of-the-Tornado-Cash-1-ETH-pool-addresses-A-through-F-deposit-to-and-withdrawfig1357925591)

3.1 Criminal Charges Against Tornado Cash and Its Two Founders

In a press release on August 23, the DOJ stated: the defendants and their co-conspirators created the core functionality of Tornado Cash Service, paid operational costs for key infrastructure to promote the service, and profited millions of dollars from it. The defendants knowingly chose not to implement the legally required Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance measures, aware of the illegality of the transactions.

In April and May 2022, Tornado Cash services were used by the Lazarus Group (a sanctioned North Korean cybercrime organization) to launder hundreds of millions of dollars in hacker proceeds. It is alleged that the defendants were aware that these were laundering transactions and modified the service so they could publicly claim they were "apparently" complying with regulatory requirements, but in their private chats, they unanimously believed that this modification was ineffective. Subsequently, the defendants continued to operate the service and further facilitated illegal transactions, helping the Lazarus Group transfer criminal proceeds from cryptocurrency wallets designated as blocked property by OFAC.

The defendants are charged with one count of conspiracy to launder money and one count of conspiracy to violate the International Emergency Economic Powers Act, each carrying a maximum sentence of 20 years in prison. They are also charged with conspiracy to operate an unlicensed money transmitting business, which carries a maximum sentence of five years in prison. A federal district court judge will decide how to rule after considering U.S. sentencing guidelines and other statutory factors.

3.2 Definition of Money Transmitting Business

It is important to note that the Financial Crimes Enforcement Network (FinCEN) under the U.S. Treasury has not filed a civil lawsuit against Tornado Cash and its founders for operating an unlicensed money transmitting business. If Tornado Cash falls under the definition of a money transmitter, this means that the definition would also apply to other similar DeFi projects. Once established, these projects would need to register with FinCEN and undergo KYC/AML/CFT processes, which would have a significant impact on the DeFi world.

FinCEN's 2019 guidance classified business models involving cryptocurrency activities and determined whether they fell under the definition of a money transmitter based on the type of business.

3.2.1 Anonymizing Software Provider

Peter Van Valkenburgh from Coin Center stated: the only accusation in the indictment regarding the defendants operating an unlicensed money transmitting business is that they engaged in the business of transferring funds on behalf of the public without registering with FinCEN. However, Tornado Cash is essentially an anonymizing software provider; it merely provides "delivery, communication, or network access services used by money senders to support money transmission services."

The 2019 guidance clearly states that anonymizing software providers do not fall under the definition of money transmitters (An Anonymizing Software Provider is Not a Money Transmitter), while service providers do.

3.2.2 Cryptocurrency Wallet Service Provider (CVC Wallet)

The top law firm Cravath, Swaine & Moore LLP also published a report comparing the only business model explicitly defined as a money transmitter in the 2019 guidance—cryptocurrency wallet service providers (CVC Wallet)—to derive rigid requirements for money transmitters, which must have total independent control over the value being transmitted, and this control must be necessary and sufficient.

In this case, the indictment states how the defendants control the Tornado Cash software/protocol, but it does not specify how the defendants control the transmission of funds. The report analyzed the process of fund transmission in Tornado Cash, ultimately indicating that it cannot control the transmission of funds as completely as a cryptocurrency wallet service provider, because the transmission of funds still requires user interaction through keys, thus it should not fall under the definition of "money transmitters."

3.2.3 DApps

Gabriel Shapiro, General Counsel at Delphi Labs, disagrees with Cravath's view, arguing that Cravath overlooks another business model for cryptocurrency activities in the 2019 guidance—Decentralized Applications (DApps).

(https://twitter.com/lex_node/status/1698024388572963047)

FinCEN's view on DApps is as follows: "DApp owners/operators can deploy it to perform various functions, but when a DApp engages in money transmission, the definition of money transmitters will apply to the DApp, its owner/operator, or both."

The indictment is based on the understanding of DApps in the 2019 guidance to define operating an unlicensed money transmitting business, meaning that when an entity (individual, corporation, or unincorporated organization) operates a money transmission business through smart contracts/DApps, FinCEN's rules will apply.

If FinCEN's 2019 guidance indeed states this, then we must question why it has not taken any enforcement actions against DeFi since its release to clarify this interpretation. Given that DeFi should involve some form of fund transfer, theoretically, it could apply to every DeFi application (since they all transfer funds in some way).

3.3 Summary

FinCEN's 2019 guidance is ultimately just guidance. It is not binding on the DOJ and has no legal effect. However, in the current absence of a clear U.S. cryptocurrency regulatory framework, this guidance remains the best document reflecting regulatory attitudes.

Nonetheless, the DOJ's actions leave unresolved important questions for the future of decentralized protocols, including whether individual actors should be held accountable for actions taken by third parties or resolutions arising from loosely organized community votes. U.S. defendant Roman Storm will appear in court for the first time in the coming days for a hearing. Following this, the court may have the opportunity to address these outstanding issues.

Attorney General Merrick Garland stated: "This indictment serves as a warning to those who think they can use cryptocurrency to conceal their crimes." FBI Director Christopher Wray added, "The FBI will continue to dismantle the infrastructure used by cybercriminals to commit crimes and profit from them, and hold accountable anyone who assists these criminals." This demonstrates the regulatory commitment to AML/CTF.

(https://techcrunch.com/2023/08/23/two-founders-behind-russian-crypto-mixer-tornado-cash-charged-by-u-s-federal-courts/)

4. Why Is There a Heaven and Hell for DeFi Protocols?

The commonality between the Uniswap and Tornado Cash cases is that: (1) both are smart contracts deployed on the blockchain and can operate autonomously; (2) both faced regulatory intervention due to third-party non-compliance/illegal use of the smart contracts; (3) both now face the question of who should bear responsibility for the damages caused by non-compliance/illegal actions?

The distinction lies in:

In the Uniswap case, the judge found that (1) the underlying smart contracts on the blockchain are distinct from the token contracts deployed by the issuers themselves, and the underlying smart contracts operate lawfully; (2) the token contracts deployed by the issuers caused harm to investors; (3) therefore, the responsibility of the issuers needs to be pursued.

In the Tornado Cash case, the indictment pointed out that although regulatory intervention was also caused by third-party illegal use, the difference is that the founders of Tornado Cash knowingly had the ability to control the protocol and provided convenience for illegal actors on the network, infringing on national security interests. As for who should bear responsibility, that is self-evident.

5. Final Thoughts

On April 6, 2023, the U.S. Treasury released the 2023 DeFi Illegal Financial Activity Assessment Report, the world's first assessment report on illegal financial activities based on DeFi. The report recommends strengthening U.S. AML/CFT regulation and, where possible, enhancing enforcement of business-level activities involving crypto assets (including DeFi services) to improve compliance of crypto asset service providers with obligations under U.S. Bank Secrecy Act.

It is evident that U.S. regulation follows this approach, regulating the inflow and outflow of crypto assets from the perspective of KYC/AML/CTF, controlling the source, as Tornado Cash provided laundering convenience for illegal actors; and then regulating the compliance of specific projects' business from the perspective of investor protection, such as in the CFTC v. Ooki DAO case, where regulators intervened based on Ooki DAO's business violating CFTC regulations; or in the Tornado Cash case, where regulators intervened based on its violation of FinCEN's money transmission regulations.

Although the U.S. cryptocurrency regulatory framework is unclear, it appears that Uniswap's establishment of an operational entity and foundation in the U.S., active cooperation with regulators to implement risk control measures (blocking certain tokens), and its UNI token's governance-only function (rather than getting involved in disputes over securities tokens) are all providing a good example for other DeFi projects in responding to regulation.

The technology itself is not guilty; it is the individuals using the technological tools who are guilty. Both the Uniswap and Tornado Cash cases provide the same answer.

REFERENCE:

[1] Risley v. Uniswap Case 1:22-cv-02780-KPF

https://www.docdroid.net/APrJolt/risley-v-uniswap-pdf

[2] DOJ, Tornado Cash Founders Charged with Money Laundering and Sanctions Violations

https://www.justice.gov/opa/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations

[3] The International Academy of Financial Crime Litigators Publishes Working Paper by Cravath Lawyers on Tornado Cash Indictment

https://www.cravath.com/news/the-international-academy-of-financial-crime-litigators-publishes-working-paper-by-cravath-lawyers-on-tornado-cash-indictment.html

[4] Peter Van Valkenburgh, New Tornado Cash indictments seem to run counter to FinCEN guidance

https://www.coincenter.org/new-tornado-cash-indictments-seem-to-run-counter-to-fincen-guidance/

[5] Application of FinCEN's Regulations to Certain Business Models Involving Convertible Virtual Currencies, 2019

https://www.fincen.gov/resources/statutes-regulations/guidance/application-fincens-regulations-certain-business-models