CFTC takes enforcement action against three DeFi protocols, sounding the alarm for derivatives trading platforms

Written by: Web3 Xiaolu

On September 7, 2023, the U.S. Commodity Futures Trading Commission (CFTC) once again focused its enforcement efforts on the decentralized finance (DeFi) sector, penalizing three U.S.-based blockchain companies: Opyn, Inc., ZeroEx, Inc., and Deridex, Inc. The companies ultimately accepted the penalties and reached a settlement.

Before the industry could start enjoying the "fruits of victory" brought by Uniswap in court for the DeFi sector, the CFTC ruthlessly shattered it just a week later, directing its regulatory cannon straight at the DeFi derivatives market and the entire DeFi industry.

This article will analyze the background of this CFTC regulatory enforcement case and the internal dissent within the CFTC to assess the subsequent impact on the DeFi industry and potential response strategies.

TL;DR

• The CFTC may be a more fearsome regulator than the SEC, potentially targeting DeFi directly;

• The CFTC imposed regulatory penalties on developer companies for violations of derivatives trading regulations in DeFi;

• The CFTC attributes the actions of malicious third parties directly to developers, even if developers cannot control the actions of these malicious third parties;

• Gabriel Shapiro, General Counsel at Delphi Labs, stated: "100% of DeFi will be illegal."

• The SEC targets CeFi, the CFTC targets DeFi, and FinCEN focuses on global crypto asset circulation's KYC/AML/CTF; this should be the regulatory landscape for crypto assets before the 2024 U.S. election year.

（https://beincrypto.com/defi-illegal-us-cftc-case-charges-opyn-zeroex-deridex/）

1. Case Background

According to the CFTC press release, Opyn and Deridex developed and deployed their own blockchain-based protocols and websites, which provided token derivatives trading and perpetual contract trading, respectively. Such trading falls under swap/leverage/margin retail commodity trading, which can only be offered to retail users on registered exchanges compliant with the U.S. Commodity Exchange Act (CEA) and CFTC regulations. However, Opyn and Deridex never registered with the CFTC and illegally provided services without complying with the Bank Secrecy Act's customer identification program. Additionally, although Opyn implemented some measures to restrict U.S. users from accessing its services, these measures were ineffective, and Deridex took no action.

ZeroEx developed and deployed the 0x Protocol and the Matcha application, which is similar to a DEX, allowing users to trade between multiple tokens. However, there are some leveraged/margin tokens deployed by unrelated third parties on the DEX for investors to trade. The CFTC believes that such trading can only be offered to retail users on registered exchanges compliant with the CEA and CFTC regulations, and ZeroEx never registered with the CFTC and illegally provided services.

As a result, Deridex and Opyn were accused of failing to register as Swap Execution Facilities (SEF) or Designated Contract Markets (DCM); failing to register as Futures Commission Merchants (FCM); and failing to implement customer identification programs as required by FCM regulations (as part of compliance with the Bank Secrecy Act). Additionally, ZeroEx, Opyn, and Deridex were accused of illegally offering leveraged and margin retail commodity trading of crypto assets.

According to the accusations, the CFTC required Opyn, ZeroEx, and Deridex to pay civil fines of $250,000, $200,000, and $100,000, respectively, and demanded that they cease their violations. Under the settlement agreement, the three companies agreed to pay the civil fines to avoid further legal action.

CFTC Enforcement Director Ian McGinley stated: "There was once an inherent belief among DeFi project parties that in a decentralized environment, on-chain is a lawless land. However, this is not the case. The DeFi industry may be innovative, complex, and ever-evolving, but enforcement agencies will also keep pace and actively pursue those unregistered platforms that allow U.S. users to engage in derivatives trading."

2. Dissenting Opinions from CFTC Commissioners

2.1 Conflict with CFTC Regulatory Principles

Despite the CFTC's regulatory enforcement decision, Commissioner Summer K. Mersinger raised objections. She stated that this enforcement action targets DeFi protocols and applications in a decentralized environment, an area the CFTC had never previously ventured into. Therefore, the initial regulatory stance in this field is particularly important.

Last year, the CFTC indicated in its 2022-2026 strategic plan that it would increase stakeholder engagement in DeFi regulation and acknowledge that innovative sectors like DeFi require broad stakeholder participation. However, this regulatory enforcement action is entirely different from the strategic plan. The CFTC's "first enforce, then communicate" approach contradicts its strategic plan and the congressional mandate for "responsible innovation."

She noted that there was no indication in this case that customer funds were misappropriated, nor was there evidence that any market participants were harmed by the DeFi protocols/applications. While the CFTC's unreasonable regulatory mindset may protect "imaginary" investors, it does not promote responsible innovation and will only drive the DeFi industry out of the U.S. market.

2.2 Conflict with Uniswap Case Precedent

Furthermore, through the regulatory enforcement against ZeroEx, she raised a very practical question: If a DeFi protocol is developed and deployed for legitimate purposes but is used by unrelated third parties to violate the CEA and CFTC regulations, who should bear responsibility? Should the developers of the DeFi protocol be held liable indefinitely?

These questions were actually addressed in the previous Uniswap case (refer to the article: The Pain of DeFi Regulation, Uniswap in Heaven, Tornado Cash in Hell), where the court indicated that Uniswap's developers and investors should not be held liable for any damages caused by third parties using the protocol, as the underlying smart contracts of Uniswap and the token contracts deployed by third parties are entirely different.

Therefore, I believe that the Uniswap precedent should also apply to the regulatory enforcement against ZeroEx, as the CFTC's enforcement actions completely contradict judicial precedents.

2.3 No Compliance Path for DeFi under CFTC Regulations

Commissioner Summer K. Mersinger stated in her dissent that existing CFTC regulations are aimed at centralized intermediary institutions, requiring these centralized entities to register as compliant intermediaries (such as Futures Commission Merchants, FCM) and then comply with the Bank Secrecy Act's KYC/AML/CTF procedures and relevant business compliance requirements.

Such regulatory requirements are not suitable for decentralized, disintermediated DeFi protocols. How can a DeFi protocol be required to register as a futures commission merchant (FCM) designed for intermediary institutions in a decentralized environment? This is a question that remains unresolved, and the CFTC's regulatory enforcement did not address it directly.

However, regardless of how strong the dissenting voices are, the CFTC's regulatory enforcement continues.

3. Significant Impact on Derivatives Trading Markets

3.1 CFTC May Be a More Fearsome Regulator than SEC

Due to the SEC's previous regulatory enforcement and legal challenges in the crypto industry, people mistakenly believed that the CFTC might be a more friendly regulator towards the crypto sector, suggesting that more regulatory authority should be given to the CFTC. However, in the recent regulatory enforcement against DeFi projects, the CFTC has gradually revealed its true nature—CFTC could potentially destroy the entire DeFi industry.

The CFTC's regulatory enforcement has sounded the alarm for DeFi protocols engaged in derivatives trading or possessing derivatives trading functionalities (including DEX based on AMM mechanisms). If these protocols provide services to U.S. users, they may be directly exposed to the CFTC's regulatory scrutiny. Gabriel Shapiro from Delphi Labs even stated: "100% of DeFi will be illegal in the U.S."

In an interview, he stated that first, DeFi protocols with derivatives trading functionalities have already come under the CFTC's watch, whether in the CFTC v. Ooki DAO case (refer to the article: The Pain of DeFi Regulation, Uniswap in Heaven, Tornado Cash in Hell) or in this regulatory enforcement, both targeted DeFi protocols for non-compliance with CEA and CFTC regulations.

Secondly, according to the CEA and CFTC regulations: "Individuals or entities cannot engage in leveraged/margin/financing trading of commodities unless they obtain the relevant registration or license from the CFTC." However, virtually all DeFi protocols engage in leveraged/margin/financing trading of crypto assets (Crypto Commodity), and commodity swap trading can be understood as a type of derivatives contract arrangement, with its value based on the underlying commodity's value. Therefore, DeFi protocols like Lido, which stake ETH to produce wETH, fit the definition of commodity swap trading.

Thus, theoretically, virtually all DeFi should fall under the CFTC's regulatory scope. This is a very frightening theory; currently, the CFTC is only initially targeting three small-scale DeFi protocols (based in the U.S. for easier regulatory enforcement), but it may aim at larger ones in the future.

Although Gabriel Shapiro's theory is quite alarming, in practice, unilateral regulatory enforcement by agencies like the SEC, CFTC, and DOJ can still be addressed through judicial and legislative means. Because regulation cannot interpret the law, nor can it create law.

3.2 What Regulations Were Violated, and Who Bears Responsibility?

Since the CFTC has the ability to fire at DeFi protocols within its jurisdiction, what is the rationale? Who bears responsibility?

Commissioner Summer K. Mersinger noted that there was no indication in this case that customer funds were misappropriated, nor was there evidence that any market participants were harmed by the DeFi protocols. The CFTC only stated that the violations pertained to compliance registration requirements under the CEA and CFTC.

The CFTC's theoretical basis can refer to a speech by Brian D. Quintenz (former CFTC commissioner, now a16z partner) in 2018: For smart contract protocols, first clarify what kind of protocol it is, whether it falls under swaps/futures/options agreements, and whether it is aimed at U.S. users. If so, then regardless of whether it is software code or any form, it should comply with CFTC regulatory requirements.

If regulatory requirements are violated, who should bear responsibility?

There is a significant space for discussion and debate here. Most lawyers share the perspective of the Uniswap case judge, asserting that the malicious third party should bear responsibility for the damages caused, rather than the developers who cannot control the malicious actions of third parties; the developers merely submit code.

However, in light of the U.S. Department of Justice's criminal charges against the founder of Tornado Cash, the CFTC v. Ooki DAO case, and the CFTC's recent regulatory enforcement, it is clear that regulators do not share this view. The CFTC will still attribute the responsibility of malicious third parties to the developers, even if the developers cannot control the occurrence of these malicious actions. For instance, in the regulatory enforcement against ZeroEx, the regulators did not consider whether the protocol developers had any connection to the launched derivative tokens or whether the developers had the ability to control the launch of the derivative tokens.

4. How Should DeFi Projects Operate Going Forward?

The most straightforward answer is: Get out of the U.S. and block U.S. users.

Of course, how to block is also crucial. For instance, although Opyn implemented some measures to restrict U.S. users from accessing its services, these measures were ineffective, leading to penalties from the CFTC. Simply blocking U.S. IPs may not be sufficient; it may also be necessary to block U.S. VPNs or wallets from the U.S. These technical measures can be relatively easy to implement.

Additionally, several factors related to the U.S. should be noted:

(1) Can be accessed by U.S. users (including accounts, wallets, trading, etc.);

(2) The website or product uses U.S. servers (AWS?);

(3) Services are promoted or marketed in the U.S.;

(4) Company, employees, executives, agents, etc., are U.S. citizens;

(5) Interactions with third-party service providers in the U.S.;

(6) Involves U.S. financial accounts.

In summary:

(1) Blocking should be comprehensive, including statements in the Terms of Use to avoid falling into regulatory scrutiny;

(2) Strive for legal packaging of the development team and DAO to avoid individual liability for the DeFi protocol;**

(3) Get out of the U.S.** Even giants like Coinbase are cautious about engaging in derivatives business under U.S. regulation, opting to conduct offshore derivatives business while actively applying for licenses from the CFTC.

The scope of applicable operations is very broad and should be assessed on a case-by-case basis.

5. Final Thoughts

The CFTC, through the Ooki DAO case, has established the recognition of violations in DeFi business and the accountability of on-chain DAOs and DAO token voting members. Previously, it was noted in the article "CFTC Wins Against Ooki DAO, Setting a Precedent for DAO Legal Accountability" that "Once DAOs can be sued, on-chain is no longer a lawless land; regulatory enforcement agencies can use this as a breakthrough to regulate on-chain DAOs, DeFi, and DEX projects." But it seems no one is paying attention???

Thus, this CFTC regulatory enforcement precisely confirms the above viewpoint, as the CFTC directly tramples on the three DeFi protocols using the Ooki DAO case as a precedent and demands that the developer companies bear primary responsibility for the same violations.

The SEC targets CeFi, the CFTC targets DeFi, and FinCEN focuses on global crypto asset circulation's KYC/AML/CTF; this should be the regulatory landscape for crypto assets before the 2024 U.S. election year.