Decentralized Finance (“DeFi”) has grown in popularity due to its promise that it will, as its name suggests, disintermediate traditional finance structures. Total Value Locked, which represents all deposits in various DeFi platforms, grew from $1 billion in June 2020 to a peak of almost $200 billion in November 2021. As of April 2023, almost $54 billion is still deposited in DeFi platforms.
While centralized finance features actors like the Federal Reserve, banks, and payments processors, DeFi seeks to replace all intermediaries with code, known as “smart contracts.” Smart contracts are simply programs stored on a blockchain that run when predetermined conditions are met and users interact with them. DeFi platforms are usually a collection of smart contracts that offer a variety of services typically present in the traditional financial ecosystem, like lending and borrowing. Advocates of DeFi believe that the replacement of intermediaries will increase efficiency and reduce costs, increase transparency by recording transactions on the blockchain, and allow for true financial inclusion since anyone can access DeFi platforms.
DeFi comes in several forms. First, Decentralized Autonomous Organizations (“DAOs”) are blockchain-based organizations that make decisions through smart contracts and consensus votes of token-holders. They can be used to conduct a variety of DeFi functions, including lending, investing, and operating as exchanges. Second, there are decentralized exchanges (“DEXs”), which allow the trading of cryptoassets. DeFi platforms offer some tokenized incentive system to encourage use, usually in the form of interest payments for depositing (known as “staking”) assets into the platform, or by issuing governance tokens to users.
A few issues are present within DeFi. First, most crypto loans require the loan to be overcollateralized because parties utilizing smart contracts “cannot rely on the ex post remedial protections through the legal system,” as these contracts are generally not recognized by courts. The requirement to collateralize a crypto loan generally restricts access to DeFi loans to those who have sufficient crypto-assets to begin with and prevents the industry from achieving its goal of increasing financial inclusion. Second, transactions in DeFi are anonymous. This means it is impossible to assess a borrower’s credit risk, because you do not know who the borrower is, limiting the use of DeFi.
Despite the chaos surrounding the crypto winter and multiple bankruptcies of major players, DeFi platforms like Uniswap and Aave have continued to operate without major problems. As a result, after the failure of centralized crypto exchanges and lending platforms like FTX and Celsius, arguments that crypto should return to its initial promise of fully democratized finance in the form of DeFi are commonplace. This post will explore DeFi’s promise of decentralization and explain why it is largely a myth, while also suggesting regulatory structures that could enhance use cases for DeFi, specifically in the context of DEXs and DAOs.
DeFi’s Inevitable Centralization Problem
Most of DeFi is not truly decentralized. In the context of trading cryptoassets, centralized exchanges keep off-chain orders posted by traders, meaning there is no corresponding transaction on the blockchain, whereas DEXs promise true disintermediation in trading using Automated Market Makers (“AMMs”). AMMs are algorithms that price cryptoassets based on availability of a crypto asset in a liquidity pool and relative demand.
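To make the AMM mechanism concrete, the following is an added example (not code from the original post or from any DEX discussed in it) of a constant-product pool, the pricing rule used by Uniswap v2-style pools. The pool and trade sizes are constructed values. The example shows why the same trade moves price far more in a thinly funded pool than in a deep one, which is the property that makes low-liquidity pools easy to push around and is why many protocols cap or smooth the price they read from such pools:

```python
"""Constant-product automated market maker (AMM), added illustrative example.

A constant-product pool holds reserves x and y of two assets and only
accepts trades that keep x * y = k (after the swap fee is taken).  The
pool never asks "what is the fair price"; the price is simply the ratio
of reserves, so a single trade that is large relative to the pool
moves the price sharply.  Pool sizes below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    reserve_x: float            # units of the traded token X
    reserve_y: float            # units of the quote asset Y (e.g. a stablecoin)
    fee: float = 0.003          # 0.3 % swap fee, Uniswap v2's default

    def spot_price(self) -> float:
        """Marginal price of one X in units of Y at the current reserves."""
        return self.reserve_y / self.reserve_x

    def swap_y_for_x(self, dy: float) -> float:
        """Deposit dy of Y, receive dx of X; the fee stays in the pool."""
        if dy <= 0:
            raise ValueError("trade size must be positive")
        k = self.reserve_x * self.reserve_y
        dy_effective = dy * (1.0 - self.fee)
        # Solve (x - dx) * (y + dy_effective) = k for dx.
        dx = self.reserve_x - k / (self.reserve_y + dy_effective)
        self.reserve_x -= dx
        self.reserve_y += dy            # full dy enters the pool, fee included
        return dx


def price_impact(pool: ConstantProductPool, dy: float) -> float:
    """Ratio of the spot price after buying X with dy of Y to the price before.

    Works on a copy so the caller's pool is left untouched.
    """
    trial = ConstantProductPool(pool.reserve_x, pool.reserve_y, pool.fee)
    before = trial.spot_price()
    trial.swap_y_for_x(dy)
    return trial.spot_price() / before


if __name__ == "__main__":
    # Constructed sample pools: both start at a 1:1 price, but one holds
    # 100x more liquidity than the other.  The same 1,000 Y purchase is
    # barely visible in the deep pool and moves the thin pool by ~21 %.
    deep = ConstantProductPool(reserve_x=1_000_000, reserve_y=1_000_000, fee=0.0)
    thin = ConstantProductPool(reserve_x=10_000, reserve_y=10_000, fee=0.0)
    for name, pool in (("deep", deep), ("thin", thin)):
        print(f"{name} pool: 1,000 Y buy moves price by x{price_impact(pool, 1_000):.4f}")
```

With zero fee the post-trade price works out to (y + dy)^2 / k, so a 1,000 Y purchase against 10,000/10,000 reserves lands at 1.21 while the same purchase against 1,000,000/1,000,000 reserves lands at 1.002001. A protocol that reads a price straight from a pool of the first kind is trusting whoever can afford a few thousand dollars of trades, which is the practical reason deeper liquidity and smoothed price feeds matter.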
DeFi’s elimination of traditional intermediaries encourages new forms of intermediaries to take their place. Infura is a company that runs blockchain nodes that allow its customers to access data on the Ethereum blockchain. The service provides a simple way for companies to deploy decentralized applications onto the Ethereum blockchain, but its failure in 2020 resulted in major crypto exchanges like Binance having to halt withdrawals temporarily. As traditional intermediaries are eliminated, new platforms will “require the sufficient economic incentives and, thus, could be potentially more costly and risky than the monopoly rents extracted by today’s centralized intermediaries.” DeFi also requires trusted “oracles,” which are “complex computerized systems that connect data from the outside world (off-chain) with the blockchain world (on-chain).” Without oracles, smart contracts that rely on off-chain data would not be able to function, because blockchains are self-contained systems. In this way, DeFi relies on oracles in the same way CeFi relies on third-party intermediaries to provide trustworthy information, making them a security vulnerability. One study explains that “[c]onnecting the blockchain with a centralized point of failure, such as an oracle, would arguably cause a loss of decentralization.” Overall, DeFi’s promise lies more in reducing the costs associated with intermediaries than in fully replacing them.
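The single-point-of-failure concern about oracles can be shown in code. The following is an added example (not from the original post or from any oracle network) of the defensive pattern a smart contract or off-chain service can apply before acting on a price: require several independent sources, drop reports that are stale, and drop reports that disagree sharply with the rest. The source names, prices and timestamps are constructed sample data. A single-source reader is included alongside it only to show what is lost when one feed is trusted on its own:

```python
"""Oracle aggregation with staleness and outlier checks, added illustrative example.

A contract that reads one oracle inherits every failure of that oracle:
an outage, a stale value, or a manipulated feed becomes the contract's
view of the world.  Aggregating several independent reports and refusing
to act when they are too few, too old, or too far apart turns a single
point of failure into something an attacker must corrupt in majority.
All report values below are constructed for the example.
"""
from dataclasses import dataclass
from statistics import median
from typing import Iterable, List


@dataclass(frozen=True)
class OracleReport:
    source: str        # hypothetical feed name
    price: float       # reported price of the asset in the quote currency
    timestamp: int     # unix seconds at which the source published the value


class OracleError(Exception):
    """Raised when the aggregate cannot be trusted; callers should halt, not guess."""


def single_source_price(reports: Iterable[OracleReport]) -> float:
    """The fragile pattern: take whatever the first feed says."""
    return next(iter(reports)).price


def aggregate_price(
    reports: Iterable[OracleReport],
    now: int,
    max_age: int = 60,          # seconds a report may lag before it is ignored
    max_spread: float = 0.05,   # tolerated relative distance from the median
    min_sources: int = 3,       # minimum agreeing reports needed to proceed
) -> float:
    """Return a median price from fresh, mutually consistent reports.

    Raises OracleError rather than returning a guess when the checks fail,
    so a downstream contract fails closed instead of trading on bad data.
    """
    fresh: List[OracleReport] = [r for r in reports if 0 <= now - r.timestamp <= max_age]
    if len(fresh) < min_sources:
        raise OracleError(f"only {len(fresh)} fresh report(s), need {min_sources}")

    provisional = median(r.price for r in fresh)
    # Drop any source that deviates from the provisional median by more than
    # max_spread; one manipulated or broken feed cannot drag the result.
    agreeing = [r for r in fresh if abs(r.price - provisional) / provisional <= max_spread]
    if len(agreeing) < min_sources:
        raise OracleError(f"sources disagree: {len(agreeing)} within {max_spread:.0%} of median")
    return median(r.price for r in agreeing)


if __name__ == "__main__":
    now = 1_700_000_000                     # constructed "current" time
    reports = [
        OracleReport("feed-a", 150.00, now - 5),    # one feed reporting far off the others
        OracleReport("feed-b", 100.00, now - 10),
        OracleReport("feed-c", 100.50, now - 8),
        OracleReport("feed-d", 101.00, now - 12),
        OracleReport("feed-e", 99.00, now - 900),   # stale: 15 minutes old
    ]
    print("single source says:", single_source_price(reports))   # 150.0, the outlier
    print("aggregate says:   ", aggregate_price(reports, now))   # 100.5
```

The two thresholds are policy choices rather than fixed constants: `max_age` should be shorter than the time an attacker would need to hold a manipulated on-chain price, and `max_spread` wider than the asset's normal cross-venue variance, or the aggregator will refuse to act during ordinary volatility. Failing closed is deliberate; a lending or trading contract that cannot get a trustworthy price should pause rather than fall back to a single feed.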
Additionally, DeFi platforms typically have some form of centralized governance framework to fix errors and outline their operations. The Federal Reserve Bank of Boston found that a “group that founded the [DeFi protocol] often still exercises substantial influence over its evolution,” due to stability concerns. For example, should any error be discovered in the protocol, users need centralized points of contact to correct it. This showcases that centralization is almost unavoidable, regardless of how decentralized most protocols claim to be.
To determine the operations of a DeFi platform, investors or users of the platform are often given “governance tokens,” which enable them to vote or participate in decisions about the platform’s future. However, because most DeFi platforms utilize the Ethereum blockchain, which validates transactions through a proof-of-stake model, concentration of power in those who stake more of the relevant cryptocurrencies is a likely outcome of any DeFi protocol. Furthermore, initial coin allocations are often given to insiders or major investors of a DeFi project, making collusion among developers or those given large governance stakes a major concern. As an example, Uniswap, one of the most popular DEXs, released the UNI governance token in 2020, but limits who can submit governance proposals to those who hold at least 1% of outstanding UNI. This effectively prevents over 99% of Uniswap users from exercising any control over the protocol and showcases the decentralization illusion. Recently, Uniswap faced even more criticism due to the investment by the venture capital firm Andreessen Horowitz (a16z). The firm directly holds over 15 million UNI tokens and has delegated over 40 million UNI tokens to third parties, for a total of 55 million UNI votes. The largest Uniswap vote only received 85 million votes, meaning this one entity could exercise control over the protocol and could potentially force the protocol to partner with “multiple projects that might benefit from a business relationship with Uniswap.” Thus, some DeFi platforms do not live up to their promise of decentralization.
There are, however, some truly decentralized applications that will challenge regulators. Sifchain is a new company seeking to build an “Omni-chain” DEX that allows trading in various cryptoassets. Part of this project is the SifDAO, which will involve a “total transition of governance power over all aspects of the protocol” to users, away from any centralized party or figure. Additionally, the project is developing internationally without any home office or central place of business. Sushiswap also has operated without any official CEO, instead giving governance control over to its users. As one study explains, as control of a Decentralized Application (“DApp”) becomes more widely dispersed and therefore “truly” decentralized, it becomes unclear which individual or entity “supervisors [or regulators] could talk with and, if necessary, act against if they have prudential concerns about the dapp. If control is widely dispersed, the supervisors [or regulators] may not find anyone who they feel can remedy regulatory concerns.” As a result of wide dispersion of governance or cross-border development, regulators may find it difficult to apply regulation or supervision to certain DApps. For example, questions such as which jurisdiction’s securities law applies or where a lawsuit would be brought remain unclear.
Regulating DeFi Platforms
The most pressing issue for DeFi platforms is where to apply consumer and investor protections. Since DeFi protocols run on smart contracts, the lack of a central authority screening the relevant code or proposed DeFi projects and investments means users are exposed to scams. Current DeFi systems also allow pseudonymity: an observer can see the blockchain address that sent or received assets, but not the actual identity of the person behind it. The responsibility for evaluating the risk of relying on new DeFi systems falls almost entirely on users themselves, and the protocols they are using are not subject to any risk management requirements. SEC Commissioner Caroline Crenshaw explains that DeFi’s “current ‘buyer beware’ approach is not an adequate foundation on which to build reimagined financial markets.”
As an example, the crypto DEX Mango Markets was recently the target of a nearly $116 million market manipulation scam. The lack of central oversight of smart contracts “means a rogue trader can deploy enough money to exploit loopholes in any protocol without the risk of anyone stepping in to stop the attack before it takes place.” Within 10 minutes and using two accounts, the trader manipulated the price of Mango’s native MNGO token (which had very little trading volume) from 2 cents to nearly 91 cents. After garnering nearly $240 million in unrealized profits, the trader withdrew $116 million and effectively wiped all liquidity from the exchange. While the trader has been arrested by the Justice Department and faces civil actions by the CFTC and SEC, his “trades are an extreme example of the belief of some crypto enthusiasts that software should determine what is allowable and what isn’t—in other words, code is king.” This showcases the need to bring DeFi protocols within the regulatory perimeter to ensure effective oversight and protect consumers from market abuse. Two forms of regulation are possible: regulation by enforcement and regulation by accommodation.
Enforcement Actions by Regulators
Regulators have brought numerous enforcement actions against DeFi actors. The Commodity Futures Trading Commission (“CFTC”) recently brought an enforcement action against a DAO that highlighted the lack of true decentralization within DeFi. The CFTC charged the bZx DeFi protocol with acting as an unregistered futures commission merchant (“FCM”), a registration required by law, and alleged that bZx did not comply with the anti-money laundering requirements that apply to all FCMs regardless of registration. Of note, the CFTC did not sue the protocol itself, but rather charged bZeroX, LLC, a Delaware limited liability company that created and operated the protocol. Additionally, the CFTC “sued Tom Bean and Kyle Kistner, who founded, co-owned and controlled bZeroX.” The company “bZeroX transferred control of the bZx Protocol to bZx Dao, a DAO, that later renamed itself Ooki DAO (later, the Ooki DAO renamed the bZx Protocol the Ooki Protocol).” Here, the CFTC claimed that the DAO was an unincorporated association made up of the holders of Ooki DAO tokens who voted those tokens to govern the DAO.
The CFTC then named, in a parallel action, the Ooki DAO itself. The CFTC is seeking sanctions against “all members of the Ooki DAO,” which comprises all Ooki Token holders who actually voted their tokens to govern the Ooki DAO by, “for example, directing the operation of the Ooki Protocol.” This has major implications for DeFi, as anyone who voted their DAO tokens could potentially be held liable for the DAO’s violations of the Commodity Exchange Act or CFTC regulations, regardless of how minor their individual participation was. This emphasizes the tradeoff DeFi faces: either have a centralized entity responsible for compliance with relevant laws, or accept that anyone holding governance tokens may be held responsible for regulatory and legal violations.
On December 12th, 2022, a judge required the CFTC to serve notice of the lawsuit on the DAO’s two founders (Bean and Kistner). The CFTC had initially served notice through the DAO’s help chat box along with its online forum. The judge noted that although he believed the DAO did have actual notice of the litigation, “‘to provide the best practicable notice, the CFTC should serve at least one identifiable Token Holder if that is possible.’” Given the decentralized nature of many DAOs, it is important precedent that the court approved service of process through the Ooki DAO’s forum and chat box. Importantly, the court also held that “the DAO is in fact an unincorporated association which can be sued for alleged violations of law.”
Regulators have also begun to target platforms that pose money laundering and terrorist financing risks. In August 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) sanctioned Tornado Cash, a virtual currency mixer. These mixers, also known as “blenders,” help users remain anonymous in their transactions by mixing data on the parties, initiation, and destination of a cryptoasset transfer. The total amount laundered through this service is estimated at $7 billion, and Treasury officials explained that hackers like the Lazarus Group, a North Korean state-backed hacking group, have utilized Tornado Cash to launder money in the form of cryptocurrency. Like some DeFi platforms, Tornado Cash poses regulatory issues because there’s no single person or entity behind the protocol. For example, anyone who seeks to utilize this service, even without ill intention, could face criminal penalties. The tension between users’ desire to keep their identity anonymous and the need for regulation to identify specific individuals or entities also showcases the difficulty of regulating these types of platforms.
Regulation by Accommodation
Rather than regulating by enforcement, regulators could develop rules specifically for DeFi. Sam Bankman-Fried, prior to FTX’s collapse and his subsequent arrest, had published proposals for regulating DeFi. These included a “suitability test” similar to qualified investor rules based on net worth and other factors, which would restrict access to DeFi. Additionally, he called for a licensing system for sites that interact with DeFi platforms and for adherence to blacklists to keep sanctioned entities or individuals from accessing DeFi. However, these proposals were directed more at centralized entities seeking to interact with DeFi than at regulating DeFi platforms themselves.
In the wake of the FTX collapse and the related enforcement actions, DeFi and crypto advocates have pushed back heavily against proposed regulation. Erik Voorhees, a leader in the crypto industry, emphasized his view that DeFi is the future of crypto. He calls DeFi the “shining city on the hill” and believes “[e]verything good and beautiful about crypto has been a step in this direction: an open, borderless, immutable economic foundation for the world.” But in order to achieve that reality, Voorhees argues that “no law [should] ever be made in America or any nation of free people whereby it is legally mandatory for blockchains or code itself (i.e. smart contracts) to enforce any blacklist whatsoever,” and added that regulating code in this way would likely violate the First Amendment. Voorhees also pushed back against any form of mandatory standardized disclosure regime for token issuers, describing the requirements as they exist in traditional finance as “disclosure theater.”
Regulation by accommodation is already progressing at the state level. Some states have attempted to regulate DAOs as legal entities through legislation to provide them with legal certainty. A Wyoming law, in effect since July 2021, allows DAOs to register as a DAO limited liability company (“LLC”). By doing so, the law “formalizes protection for DAO developers by prohibiting lawsuits against DAOs as general partnerships as well as enforcing the rights of DAOs as legal persons in state court, thereby protecting the developers individually.” Similar to the CFTC’s action against Ooki DAO, most states in the U.S. would likely treat DAO participants that hold governance tokens as “partners” in a common law partnership, which “exposes a participant’s personal assets to the DAO’s lawsuit settlements and liabilities.” The Wyoming law, by recognizing a DAO as a unique form of LLC, provides the DAO’s members with limited individual liability. However, major regulatory gaps still exist, including whether the DAO would maintain its legal status in federal court and whether the DAO could be subject to SEC rules in the event it traded in securities. Tennessee followed Wyoming’s lead and passed its own DAO legislation in April 2022. Tennessee and Wyoming both require a DAO to identify the public address of the smart contracts that will be used for its management and operations. While imperfect, these laws emphasize the need to recognize that DeFi platforms have some element of centralization and should be registered as some form of corporate entity to ensure compliance with the laws and regulations of the relevant jurisdiction.
Another way to effectively bring DeFi protocols into the regulatory perimeter is to expand the definitions of exchange and dealer. The SEC recently proposed changes to Exchange Act Rule 3b-16, Regulation ATS (Alternative Trading Systems), and Regulation SCI (Systems Compliance and Integrity). The current definition of exchange includes “An organization, association, or group of persons” that “(1) Brings together the orders for securities of multiple buyers and sellers; and (2) Uses established, non-discretionary methods under which such orders interact with each other, and the buyers and sellers entering such orders agree to the terms of a trade.” The change to Rule 3b-16 would bring “communication protocol systems,” which include systems that merely display interest in buying or selling a security rather than firm orders, within the definition of an exchange. The proposed amendments would also define “communication protocols” as “an established method that an organization, association, or group of persons can provide to bring together buyers and sellers of securities.”
On April 14th, 2023, the SEC re-opened the comment period to the proposed amendments to Exchange Act Rule 3b-16. The SEC “reiterated the applicability of existing rules to platforms that trade crypto asset securities, including so-called ‘DeFi’ systems,” and provided supplemental guidance. The guidance highlighted that any:
“organization, association, or group of persons that uses any form or forms of technology (e.g., [Distributed Ledger Technology (“DLT”)], including technologies used by so-called “DeFi” trading systems…) that constitutes, maintains, or provides a market place for bringing together purchasers and sellers of securities, including crypto asset securities… would be required to register as a national securities exchange or comply with the conditions of Regulation ATS.”
The SEC explained at length that the use of new technology like smart contracts or AMMs does not change the analysis for whether a DeFi platform is operating as an exchange. Further, the SEC guidance on whether persons or groups of persons would be considered to maintain control over a DeFi platform is subject to multiple factors, such as ownership interest or “the extent to which a person acts with an agreement (formal or informal) to constitute, maintain, or provide a market place.” Individuals who could determine or modify smart contracts would also be considered to have control over the DeFi platform, likely making them subject to the Exchange Act. Finally, the SEC explained that “use of DLT, or any other technology, does not make compliance incompatible with the federal securities laws,” when addressing concerns that DeFi exchanges may have issues complying with securities laws.
The implication of this definition and the updated guidance is that DEXs and other DeFi platforms would be covered and therefore subject to registration. The Blockchain Association, in a comment letter pushing back against this expansive definition of an exchange, explained that it may not be feasible to have “persons such as software developers who write the code underlying Decentralized Protocols, maintainers of websites that provide access to Decentralized Protocols, and other participants in the decentralized finance ecosystem to register as broker-dealers or alternative trading systems and comply with the relevant regulations.” While the Blockchain Association opposes such regulation, its letter identifies the individuals and entities to whom such regulation could be applied if the cost were acceptable. The SEC’s updated guidance directly addresses who could be considered part of the group operating an exchange that must comply with federal securities laws. In the event DeFi platforms begin offering security tokens, tokenized securities, or other tokens or NFTs that are classified as securities, they would be required to register as an exchange.
The SEC also recently proposed changes to what constitutes a dealer under SEC rules. The expanded definition of “dealer” would include persons and entities that “use automated and algorithmic trading technology to execute trades and provide market liquidity,” which would likely capture users providing liquidity to digital asset exchanges and DeFi platforms to the extent they are dealing in securities. Critically, Chairman Gensler has emphasized that tailored regulations for crypto companies are a possibility. This means DeFi platforms operating as exchanges or dealers could have tailored disclosure and other requirements that would limit compliance costs while still providing a regulated trading market. A recent European Commission study noted that traditional financial regulation is not sufficient for DeFi regulation and recommended a tailored approach for the industry.
Because smart contracts handle transactions automatically, it is currently debated whom regulators should target in the event of noncompliance with laws or regulations. To help solve this problem, regulators should focus on regulating the various “intermediaries” within the DeFi system. As the CFTC’s Ooki DAO suit showed, targeting enforcement actions at every member holding and voting with governance tokens sends a clear message that regulators are not going to let DeFi platforms and their users escape potential liability, but such an action may go beyond the scope of the CFTC’s authority. Former Federal Reserve Vice-Chair Lael Brainard emphasized that DeFi platforms and activities should be within the regulatory framework despite the dispersion of control making it more difficult to hold a relevant DeFi intermediary accountable, since an intermediary must bear the costs of keeping a financial system safe. In the context of DeFi, Vice-Chair Brainard suggested that protocol developers and transaction validators may be accountable for ensuring that offered products are both safe and compliant with relevant laws.
Holding the development team of a DeFi protocol accountable for fraud or abuse under SEC or CFTC regulations, like the CFTC’s Ooki DAO case, makes sense given the current decentralization illusion of most DeFi protocols. Chairman Gensler explained that “[c]rypto intermediaries… often are an amalgam of services that typically are separated from each other in the rest of the securities markets…” and are essentially operating as exchanges. Chairman Gensler further elaborated that these intermediaries are not “a dispersed, unidentified group of individuals in an ‘ecosystem,’” rather they are a collection of individuals launching a DeFi protocol. These individuals should be required to register their protocol either as an exchange or dealer in order to effectively bring DeFi into the regulatory perimeter and provide for investor protection. As discussed previously, regulators may find it difficult to regulate entities like Sifchain, which are developed in a decentralized manner internationally.
Regulating validators could also make sense in the DeFi context to build trust. Validators control network protocols by, as the name suggests, validating transactions into blocks on blockchains. Studies have shown that while validators could in theory be individuals or small entities, the economic incentives provided for validating transactions on blockchains have led to a high concentration of validating power. Validating entities would be required to verify identities and confirm that users hold the relevant cryptoassets, be subject to fines if they validate transactions that do not involve certified crypto addresses, and be subject to audits by a regulator. Given the power validators hold over DeFi protocols, providing for oversight at this level makes sense to ensure transactions are valid.
With that in mind, KYC/AML regulation is necessary regardless of what individual or entity is regulated within DeFi. One proposal suggests creating a decentralized identifying credential and relevant documentation that would serve as a user’s entry point into various DeFi protocols to ensure that interactions with the individual are trustworthy, while also allowing the protocols to comply with KYC/AML regulations. Relevant regulators should be focused on imposing KYC/AML requirements on DeFi platforms to prevent fraud, scams, and market manipulation, or at the very least making it clear to investors which platforms impose such requirements. To truly democratize finance, DeFi has to abandon anonymity or pseudonymity, and there must be legal recourse in the event of fraud or other illegal activity.
Last fall, the Senate Agriculture Committee introduced a bill that would give the CFTC expanded authority to regulate cryptocurrency markets. This was met with heavy pushback by some within the crypto community, as “many of crypto’s true believers are more concerned about protecting DeFi trading and payment systems that mimic — but are not specifically controlled by – a centralized exchange or brokerage.” Some DeFi advocates view the bill as giving centralized crypto exchanges greater power and leverage over smaller DeFi projects, which would hamper their growth. While the bill is unlikely to advance, it showcases the continued debate over how to regulate DeFi platforms and the inevitable battle over which regulator will have more oversight of cryptocurrency.
The continued success of DeFi platforms in the wake of the crypto winter has led to a call for crypto to return to its peer-to-peer roots. DeFi is viewed by crypto advocates as the best way to achieve crypto’s promise, while remaining unregulated. But as SEC Chairman Gensler notes, in the 1930s, when the Exchange Act was passed, claims that US capital markets would collapse because of overly burdensome registration and regulation requirements were unfounded. Instead, every major stock exchange went through the registration process and was brought into the regulatory perimeter. DeFi advocates are pushing back against regulation with claims that it would be overly costly and defeat the true purpose of DeFi. However, scams and fraud continue to run rampant in the DeFi ecosystem, exposing the need for some form of oversight for DeFi to ever replace traditional intermediaries. By providing DeFi platforms with a corporate structure, bringing the platforms into the regulatory perimeter, applying tailored regulation to relevant individuals and entities, and requiring KYC/AML compliance, DeFi can begin to operate in a regulated manner that increases investor trust and allows the industry to highlight its use cases for replacing traditional finance and engage in real economic activity.
Robert Bourret is a J.D. Candidate at Duke University School of Law, expected May 2023.
 A16z maintains that the third parties it has delegated UNI tokens to are independent. Id.
 This refers to the ability to conduct cross-chain transactions on various blockchains.
 The regulation of code as a free speech issue is outside the scope of this post.
 Id. at 24. The SEC explains that the group of persons which “constitutes, maintains, or provides a market place or facilities for bringing together buyers and sellers of securities or performs with respect to securities the functions commonly performed by a stock exchange, and is thus an exchange, would collectively have the responsibility for compliance with federal securities laws.” Id. at 26.