The CFTC’s DeFi Trifecta: Lessons and Implications for DeFi Participants Inside and Outside the US | Goodwin

On Sep­tem­ber 7, 2023, the Com­mod­i­ty Futures Trad­ing Com­mis­sion (CFTC) announced the set­tle­ment of three sep­a­rate enforce­ment actions in the decen­tral­ized finance (DeFi) space: name­ly, con­cern­ing the Opyn pro­to­col and its Squeeth pow­er per­pet­u­al prod­ucts;¹ the Deridex pro­to­col, an on-chain per­pet­u­al con­tract trad­ing plat­form;² and the 0x pro­to­col, Matcha (its user inter­face), and its use as a decen­tral­ized exchange (DEX) and DEX aggre­ga­tor sup­port­ing trad­ing in cer­tain third-par­ty lever­age tokens.³

Although the three enforce­ment actions were announced in a sin­gle press release and grouped togeth­er as DeFi cas­es by the CFTC, they have impor­tant dif­fer­ences and par­tic­u­lar­i­ties. In this client alert, we iden­ti­fy poten­tial lessons and key take­aways for DeFi par­tic­i­pants both inside and out­side the US and pro­vide a sum­ma­ry of the fac­tu­al back­ground, the spe­cif­ic nature of the alleged reg­u­la­to­ry vio­la­tions, and the penal­ties imposed in each of the three enforce­ment actions. Giv­en that it is cur­rent­ly not fea­si­ble for most DeFi pro­to­cols to reg­is­ter with the CFTC as a swap exe­cu­tion facil­i­ty (SEF), des­ig­nat­ed con­tract mar­ket (DCM), or futures com­mis­sion mer­chant (FCM) — let alone to reg­is­ter in mul­ti­ple such capac­i­ties simul­ta­ne­ous­ly — the fun­da­men­tal take­away from these enforce­ment actions is that it is imper­a­tive for DeFi teams to be fas­tid­i­ous and take all steps pos­si­ble to exclude US users if their pro­to­col may facil­i­tate trad­ing in deriv­a­tives or on a lever­aged or mar­gin­ed basis.

In this regard, it is note­wor­thy that these enforce­ment actions drew a strong­ly word­ed dis­sent from CFTC Com­mis­sion­er Sum­mer K. Mersinger, who lament­ed these cas­es as cre­at­ing “an impos­si­ble envi­ron­ment for those who want to com­ply with the law, forc­ing them to either shut down or shut out US par­tic­i­pants.” Com­mis­sion­er Mersinger also not­ed that there was no indi­ca­tion in any of these three cas­es that cus­tomer funds had been mis­ap­pro­pri­at­ed or that any mar­ket par­tic­i­pants had been vic­tim­ized. Indeed, the CFTC’s own press release acknowl­edged the sub­stan­tive coop­er­a­tion of each of the pro­to­cols in ques­tion. Against this back­drop, many indus­try voic­es have warned that these CFTC enforce­ment actions will con­tin­ue to dri­ve DeFi out of the US and stunt innovation.

Notable Takeaways

• The CFTC has well-estab­lished juris­dic­tion with respect to deriv­a­tives such as swaps and cer­tain forms of lever­aged or mar­gin­ed trans­ac­tions in com­modi­ties (includ­ing dig­i­tal assets that con­sti­tute com­modi­ties). The CFTC can apply these estab­lished aspects of its juris­dic­tion in nov­el con­texts, includ­ing in the DeFi space. Cer­tain activ­i­ties with respect to such CFTC-reg­u­lat­ed trans­ac­tions require reg­is­tra­tion, which is cur­rent­ly not fea­si­ble for DeFi protocols.
• While each of the pro­to­cols in ques­tion in these enforce­ment actions was asso­ci­at­ed with a US enti­ty or place of busi­ness, off­shore teams should take note and care­ful­ly scru­ti­nize their US nexus. In the absence of a path to reg­is­tra­tion with the CFTC, DeFi pro­to­cols that may facil­i­tate trad­ing in deriv­a­tives or on a lever­aged or financed basis should pro­hib­it US users in order to mit­i­gate their U.S. reg­u­la­to­ry risk.
• How­ev­er, as the Opyn enforce­ment action in par­tic­u­lar makes clear, mere­ly block­ing pro­to­col access for users with US-based IP address­es will not suf­fice. Although imper­fect and by no means infal­li­ble, oth­er risk mit­i­gants may include (i) robust pro­hi­bi­tions on U.S. users in pro­to­col terms of use, (ii) obtain­ing affir­ma­tive non‑U.S. per­son sta­tus rep­re­sen­ta­tions upon wal­let con­nec­tion or with a signed wal­let mes­sage, and (iii) poten­tial­ly even block­ing U.S.-based IP address­es from view­ing any pro­to­col-con­trolled web­site that pro­motes or adver­tis­es the DeFi pro­to­col (i.e. beyond just geo-block­ing wal­let con­nec­tions themselves).
• Unfor­tu­nate­ly, while acknowl­edg­ing sub­se­quent reme­di­al efforts made by Opyn, the CFTC did not pro­vide any mean­ing­ful use­ful guid­ance on what oth­er steps DeFi pro­to­cols can or should take to pre­vent access by US users.
• The Matcha enforce­ment action war­rants par­tic­u­lar atten­tion for all DEX­es, DEX aggre­ga­tors, and oth­er DeFi pro­to­cols, espe­cial­ly those that allow the per­mis­sion­less addi­tion of third-par­ty tokens and trad­ing pairs.
• Mere­ly sup­port­ing trad­ing in lever­age tokens or tok­enized deriv­a­tives designed and issued by a third par­ty may be suf­fi­cient to run afoul of the CFTC’s reg­is­tra­tion expec­ta­tions. This is the case even when, as in the Matcha enforce­ment action, the pro­to­col in ques­tion was not specif­i­cal­ly designed or mar­ket­ed for trad­ing in deriv­a­tives or on a lever­aged or mar­gin­ed basis and would typ­i­cal­ly be viewed as a venue for spot or cash mar­ket trad­ing of dig­i­tal assets.
• While anti­thet­i­cal to the DeFi ethos and not fea­si­ble for per­mis­sion­less pro­to­cols, DeFi pro­to­cols that are able and will­ing to do so should con­sid­er restrict­ing use of their pro­to­cols for known lever­age tokens or tok­enized deriv­a­tives instru­ments (e.g., via allowlist­ing and block­list­ing tokens). Indeed, the Matcha enforce­ment action ref­er­enced reme­di­al efforts by the pro­to­col to pre­vent trad­ing in lever­age tokens going forward.
• Notably, the Matcha enforce­ment action stands in stark con­trast to the recent dis­missal of a class action filed in the South­ern Dis­trict of New York against Uniswap and cer­tain of its ven­ture cap­i­tal back­ers⁴, which sought to impose lia­bil­i­ty for loss­es asso­ci­at­ed with cer­tain third-par­ty scam tokens that were trad­ed through Uniswap’s smart con­tracts. Albeit in the dif­fer­ent con­text of secu­ri­ties law–based claims, Dis­trict Judge Kather­ine Polk Fail­la ques­tioned the log­ic of hold­ing the drafter of a soft­ware plat­form or pro­to­col liable for a third party’s mis­use of that platform.

The Opyn Enforcement Action

As alleged by the CFTC, Opyn, Inc. (Opyn), a Delaware cor­po­ra­tion with a prin­ci­pal place of busi­ness in Cal­i­for­nia, devel­oped and oper­at­ed a dig­i­tal asset trad­ing plat­form that allowed for trad­ing in pow­er per­pet­u­als. These instru­ments allowed users to enter into long and short posi­tions the val­ue of which were based on the price of a par­tic­u­lar dig­i­tal asset squared (i.e., to the pow­er of two) rel­a­tive to the sta­ble­coin USDC. For exam­ple, users of the Opyn pro­to­col could enter into a long posi­tion by buy­ing the ERC-20 token known as oSQTH to obtain expo­sure to an index that tracked the price of ETH squared. Users could also estab­lish short posi­tions by mint­ing and then sell­ing oSQTH, sub­ject to main­tain­ing a par­tic­u­lar col­lat­er­al­iza­tion ratio with suf­fi­cient assets locked in the Opyn protocol’s smart con­tracts. The CFTC alleged that although Opyn took cer­tain steps to exclude US per­sons from access­ing the Opyn pro­to­col, these steps were “not suf­fi­cient” to actu­al­ly block US users from such access.

The Opyn enforce­ment action con­tains a num­ber of alleged vio­la­tions against Opyn, each begin­ning from the premise that both ETH and sta­ble­coins such as USDC con­sti­tute “com­modi­ties” for pur­pos­es of the Com­mod­i­ty Exchange Act (CEA) and the reg­u­la­tions of the CFTC there­un­der (CFTC Rules). The CFTC then rea­soned that the “pow­er per­pet­u­als” sup­port­ed by the Opyn pro­to­cols con­sti­tut­ed “swaps” for CFTC reg­u­la­to­ry pur­pos­es, a term that is broad­ly defined in the CEA and CFTC Rules to encom­pass almost any instru­ment that derives its val­ue from some oth­er under­ly­ing com­mod­i­ty.⁵ In addi­tion, the CFTC rea­soned that the trad­ing in oSQTH sup­port­ed by the Opyn pro­to­col amount­ed to an offer­ing of lever­aged or mar­gin­ed trad­ing in com­modi­ties to retail cus­tomers (i.e., nonel­i­gi­ble con­tract par­tic­i­pants, in CFTC par­lance). Such trans­ac­tions are sub­ject to reg­u­la­tion as if they were futures con­tracts unless they result in actu­al deliv­ery of the under­ly­ing com­mod­i­ty with­in 28 days.

From these premis­es, the CFTC found that Opyn had engaged in a num­ber of vio­la­tions of the CEA and CFTC Rules:

• By oper­at­ing a mul­ti­ple-to-mul­ti­ple trad­ing plat­form for exe­cut­ing or trad­ing in swaps (here, the pow­er per­pet­u­als), Opyn engaged in the activ­i­ty of a SEF with­out reg­is­ter­ing as such (or as a DCM).
• By offer­ing lever­aged or mar­gin­ed com­mod­i­ty trad­ing to retail users, Opyn vio­lat­ed the CEA and CFTC rules in that such trans­ac­tions are sub­ject to reg­u­la­tion as if they were futures and may be law­ful­ly offered only on a DCM (i.e., a reg­u­lat­ed futures exchange).
• By (i) solic­it­ing and accept­ing orders for swaps and lever­aged or mar­gin­ed trans­ac­tions and (ii) accept­ing assets to mar­gin or col­lat­er­al­ize such trades, Opyn engaged in the activ­i­ty of an FCM with­out reg­is­ter­ing as such. In addi­tion, in act­ing as an unreg­is­tered FCM, Opyn failed to com­ply with the “cus­tomer iden­ti­fi­ca­tion pro­gram” oblig­a­tions applic­a­ble to FCMs, which are intend­ed to facil­i­tate know-your-cus­tomer (KYC) diligence.

The set­tle­ment of the Opyn enforce­ment action ulti­mate­ly pro­vid­ed for Opyn to pay a civ­il mon­e­tary penal­ty of $250,000.

The Deridex Enforcement Action

As alleged by the CFTC, Deridex, Inc. (Deridex), a Delaware cor­po­ra­tion with a prin­ci­pal place of busi­ness in Char­lotte, North Car­oli­na, devel­oped and oper­at­ed a dig­i­tal asset trad­ing plat­form involv­ing a col­lec­tion of smart con­tracts deployed on the Algo­rand blockchain. By access­ing the Deridex pro­to­col, any per­son with a dig­i­tal asset wal­let could con­tribute mar­gin col­lat­er­al to open a posi­tion in a “per­pet­u­al con­tract” that pro­vid­ed for the exchange of one or more pay­ments based on the rel­a­tive val­ue of STBL2, a sta­ble­coin under the Algo­rand Stan­dard Assets tech­ni­cal stan­dard, and some oth­er dig­i­tal asset. Such posi­tions could be entered into on a lever­aged basis up to a max­i­mum lever­age ratio of 15 times at posi­tion estab­lish­ment, sub­ject to the user deposit­ing col­lat­er­al of at least one-fif­teenth of the position’s val­ue. The remain­der of the lever­aged posi­tion was financed through bor­row­ing from a liq­uid­i­ty pool sup­plied by oth­er Deridex pro­to­col users, with Deridex and the liq­uid­i­ty providers each receiv­ing a por­tion of the inter­est paid by users on such lever­aged posi­tions. The CFTC alleged that Deridex did not take any action to pre­vent access by US users or retail customers.

The alleged vio­la­tions in the Deridex enforce­ment action mir­ror those in the Opyn enforce­ment action. Begin­ning from the premise that the STBL2 sta­ble­coin and oth­er dig­i­tal assets con­sti­tute “com­modi­ties” for pur­pos­es of the CEA and CFTC Rules, the CFTC rea­soned that the per­pet­u­al con­tracts sup­port­ed by the Deridex pro­to­col con­sti­tut­ed both “swaps” and an offer­ing of lever­aged or mar­gin­ed trad­ing in com­modi­ties to retail cus­tomers. As a result, the CFTC found that Deridex had engaged in a num­ber of vio­la­tions of the CEA and CFTC Rules:

• By offer­ing lever­aged or mar­gin­ed com­mod­i­ty trad­ing to U.S. retail users, Deridex vio­lat­ed the CEA and CFTC Rules in that such trans­ac­tions are sub­ject to reg­u­la­tion as if they were futures that and may be law­ful­ly offered only on a reg­is­tered DCM. The CFTC also specif­i­cal­ly alleged that Deridex con­duct­ed an office or busi­ness in the US for the pur­pos­es of solic­it­ing, accept­ing, or oth­er­wise deal­ing in such transactions.
• Through the Deridex pro­to­col and Deridex’s web­site, Deridex oper­at­ed a mul­ti­ple-to-mul­ti­ple trad­ing plat­form for exe­cut­ing or trad­ing in swaps (here, the per­pet­u­al con­tracts) with­out reg­is­ter­ing as a SEF or DCM.
• By (i) solic­it­ing and accept­ing orders for swaps and lever­aged or mar­gin­ed trans­ac­tions and (ii) accept­ing assets to mar­gin or col­lat­er­al­ize such trades, Deridex engaged in the activ­i­ty of an FCM with­out reg­is­ter­ing as such. In addi­tion, in act­ing as an unreg­is­tered FCM, Deridex failed to com­ply with the “cus­tomer iden­ti­fi­ca­tion pro­gram” oblig­a­tions applic­a­ble to FCMs, which are intend­ed to facil­i­tate KYC diligence.

The set­tle­ment of the Deridex enforce­ment action ulti­mate­ly pro­vid­ed for Deridex to pay a civ­il mon­e­tary penal­ty of $100,000, with the CFTC empha­siz­ing that Deridex took prompt reme­di­al action upon the Divi­sion of Enforcement’s inquiry. In par­tic­u­lar, Deridex took steps to place the Deridex pro­to­col into wind-down mode so that no new deposits or posi­tions could be established.

The Matcha Enforcement Action – One of These Three Is Not Like the Others …

As alleged by the CFTC, ZeroEx, Inc. (ZeroEx), a Delaware cor­po­ra­tion with a prin­ci­pal place of busi­ness in San Fran­cis­co, devel­oped and deployed the 0x pro­to­col and its relat­ed front-end user inter­face, Matcha. Togeth­er, the 0x pro­to­col and Matcha could be used as a DEX to buy or sell one dig­i­tal asset for anoth­er dig­i­tal asset. The 0x pro­to­col and Matcha inter­face also func­tioned as a DEX aggre­ga­tor, com­pil­ing price data from mul­ti­ple oth­er DEX­es. Thus, by inter­act­ing with the 0x pro­to­col and the Matcha inter­face, users could trade in dig­i­tal assets from mul­ti­ple sources of liq­uid­i­ty for thou­sands of dif­fer­ent dig­i­tal asset trad­ing pairs.

Among the thou­sands of trad­ing pairs that users could trade through the 0x pro­to­col and Matcha inter­face, the CFTC focused on cer­tain lever­aged tokens devel­oped and issued by a third par­ty unaf­fil­i­at­ed with ZeroEx. In par­tic­u­lar, the CFTC ref­er­enced tokens issued on both the Ethereum and Poly­gon net­works pro­vid­ing lever­aged expo­sure that was twice the price of BTC and ETH and that could be bought and sold through the 0x pro­to­col and Matcha inter­face. The CFTC recit­ed that Matcha users trans­act­ed approx­i­mate­ly $117 mil­lion in trade vol­ume in such lever­aged tokens, but acknowl­edged that ZeroEx did not charge trad­ing fees on such transactions.

Focus­ing on these lever­age tokens, the CFTC alleged that ZeroEx had con­duct­ed an office or busi­ness in the US for the pur­pose of solic­it­ing or accept­ing orders for off-exchange lever­aged or mar­gin­ed com­mod­i­ty trans­ac­tions from retail users (i.e., nonel­i­gi­ble con­tract par­tic­i­pants). Under the CEA and CFTC Rules, absent actu­al deliv­ery of the rel­e­vant com­mod­i­ty with­in 28 days, such trans­ac­tions are reg­u­lat­ed as if they were futures con­tracts and may be law­ful­ly offered only on or pur­suant to the rules of a DCM (i.e., on a reg­u­lat­ed futures exchange).

Sig­nif­i­cant­ly, the CFTC found ZeroEx to be in vio­la­tion of the CEA and CFTC Rules notwith­stand­ing that the lever­age tokens in ques­tion were designed and issued by an unaf­fil­i­at­ed third par­ty. In this regard, the CFTC ref­er­enced its own pri­or inter­pre­tive guid­ance that the “offer­or” of such trans­ac­tions includes per­sons who present, solic­it, or facil­i­tate the use of mar­gin, lever­age, or financ­ing arrange­ments. The CFTC con­clud­ed that by deploy­ing a decen­tral­ized pro­to­col (i.e., the 0x pro­to­col) and oper­at­ing a front-end user inter­face (i.e., the Matcha inter­face), ZeroEx facil­i­tat­ed and pro­vid­ed a pur­chas­er with the abil­i­ty to source financ­ing or lever­age from oth­er users or third parties.

The set­tle­ment of the Matcha enforce­ment action ulti­mate­ly pro­vid­ed for ZeroEx to pay a civ­il mon­e­tary penal­ty of $200,000.

^[1] In re Opyn, Inc., CFTC No. 23–40 (Sept. 7, 2023), avail­able at https://www.cftc.gov/media/9211/enfopynorder090723/download.

^[2] In re Deridex, Inc., CFTC No. 23–42 (Sept. 7, 2023), avail­able at https://www.cftc.gov/media/9221/enfderidexorder090723/download.

^[3] In re ZeroEx, Inc., CFTC No. 23–41 (Sept. 7, 2023), avail­able at https://www.cftc.gov/media/9216/enfzeroexorder090723/download.

^[4] Ris­ley v. Uni­ver­sal Nav­i­ga­tion Inc. dba Uniswap Labs et al., No. 1:22-cv-02780 (S.D.N.Y. Aug. 29, 2023).

^[5] T7 U.S.C. § 1a(47).

^[6] Retail Com­mod­i­ty Trans­ac­tions Involv­ing Cer­tain Dig­i­tal Assets, 85 Fed. Reg. at 37,737 n.63, 37,736 n.164.

[View source.]