On September 7, 2023, the Commodity Futures Trading Commission (CFTC) announced the settlement of three separate enforcement actions in the decentralized finance (DeFi) space: namely, concerning the Opyn protocol and its Squeeth power perpetual products;¹ the Deridex protocol, an on-chain perpetual contract trading platform;² and the 0x protocol, Matcha (its user interface), and its use as a decentralized exchange (DEX) and DEX aggregator supporting trading in certain third-party leverage tokens.³

Although the three enforcement actions were announced in a single press release and grouped together as DeFi cases by the CFTC, they have important differences and particularities. In this client alert, we identify potential lessons and key takeaways for DeFi participants both inside and outside the US and provide a summary of the factual background, the specific nature of the alleged regulatory violations, and the penalties imposed in each of the three enforcement actions. Given that it is currently not feasible for most DeFi protocols to register with the CFTC as a swap execution facility (SEF), designated contract market (DCM), or futures commission merchant (FCM) — let alone to register in multiple such capacities simultaneously — the fundamental takeaway from these enforcement actions is that it is imperative for DeFi teams to be fastidious and take all steps possible to exclude US users if their protocol may facilitate trading in derivatives or on a leveraged or margined basis.

In this regard, it is noteworthy that these enforcement actions drew a strongly worded dissent from CFTC Commissioner Summer K. Mersinger, who lamented these cases as creating “an impossible environment for those who want to comply with the law, forcing them to either shut down or shut out US participants.” Commissioner Mersinger also noted that there was no indication in any of these three cases that customer funds had been misappropriated or that any market participants had been victimized. Indeed, the CFTC’s own press release acknowledged the substantive cooperation of each of the protocols in question. Against this backdrop, many industry voices have warned that these CFTC enforcement actions will continue to drive DeFi out of the US and stunt innovation.

Notable Takeaways

• The CFTC has well-established jurisdiction with respect to derivatives such as swaps and certain forms of leveraged or margined transactions in commodities (including digital assets that constitute commodities). The CFTC can apply these established aspects of its jurisdiction in novel contexts, including in the DeFi space. Certain activities with respect to such CFTC-regulated transactions require registration, which is currently not feasible for DeFi protocols.
• While each of the protocols in question in these enforcement actions was associated with a US entity or place of business, offshore teams should take note and carefully scrutinize their US nexus. In the absence of a path to registration with the CFTC, DeFi protocols that may facilitate trading in derivatives or on a leveraged or financed basis should prohibit US users in order to mitigate their U.S. regulatory risk.
• However, as the Opyn enforcement action in particular makes clear, merely blocking protocol access for users with US-based IP addresses will not suffice. Although imperfect and by no means infallible, other risk mitigants may include (i) robust prohibitions on U.S. users in protocol terms of use, (ii) obtaining affirmative non-U.S. person status representations upon wallet connection or with a signed wallet message, and (iii) potentially even blocking U.S.-based IP addresses from viewing any protocol-controlled website that promotes or advertises the DeFi protocol (i.e. beyond just geo-blocking wallet connections themselves).
• Unfortunately, while acknowledging subsequent remedial efforts made by Opyn, the CFTC did not provide any meaningful useful guidance on what other steps DeFi protocols can or should take to prevent access by US users.
• The Matcha enforcement action warrants particular attention for all DEXes, DEX aggregators, and other DeFi protocols, especially those that allow the permissionless addition of third-party tokens and trading pairs.
• Merely supporting trading in leverage tokens or tokenized derivatives designed and issued by a third party may be sufficient to run afoul of the CFTC’s registration expectations. This is the case even when, as in the Matcha enforcement action, the protocol in question was not specifically designed or marketed for trading in derivatives or on a leveraged or margined basis and would typically be viewed as a venue for spot or cash market trading of digital assets.
• While antithetical to the DeFi ethos and not feasible for permissionless protocols, DeFi protocols that are able and willing to do so should consider restricting use of their protocols for known leverage tokens or tokenized derivatives instruments (e.g., via allowlisting and blocklisting tokens). Indeed, the Matcha enforcement action referenced remedial efforts by the protocol to prevent trading in leverage tokens going forward.
• Notably, the Matcha enforcement action stands in stark contrast to the recent dismissal of a class action filed in the Southern District of New York against Uniswap and certain of its venture capital backers⁴, which sought to impose liability for losses associated with certain third-party scam tokens that were traded through Uniswap’s smart contracts. Albeit in the different context of securities law–based claims, District Judge Katherine Polk Failla questioned the logic of holding the drafter of a software platform or protocol liable for a third party’s misuse of that platform.

The Opyn Enforcement Action

As alleged by the CFTC, Opyn, Inc. (Opyn), a Delaware corporation with a principal place of business in California, developed and operated a digital asset trading platform that allowed for trading in power perpetuals. These instruments allowed users to enter into long and short positions the value of which were based on the price of a particular digital asset squared (i.e., to the power of two) relative to the stablecoin USDC. For example, users of the Opyn protocol could enter into a long position by buying the ERC-20 token known as oSQTH to obtain exposure to an index that tracked the price of ETH squared. Users could also establish short positions by minting and then selling oSQTH, subject to maintaining a particular collateralization ratio with sufficient assets locked in the Opyn protocol’s smart contracts. The CFTC alleged that although Opyn took certain steps to exclude US persons from accessing the Opyn protocol, these steps were “not sufficient” to actually block US users from such access.

The Opyn enforcement action contains a number of alleged violations against Opyn, each beginning from the premise that both ETH and stablecoins such as USDC constitute “commodities” for purposes of the Commodity Exchange Act (CEA) and the regulations of the CFTC thereunder (CFTC Rules). The CFTC then reasoned that the “power perpetuals” supported by the Opyn protocols constituted “swaps” for CFTC regulatory purposes, a term that is broadly defined in the CEA and CFTC Rules to encompass almost any instrument that derives its value from some other underlying commodity.⁵ In addition, the CFTC reasoned that the trading in oSQTH supported by the Opyn protocol amounted to an offering of leveraged or margined trading in commodities to retail customers (i.e., noneligible contract participants, in CFTC parlance). Such transactions are subject to regulation as if they were futures contracts unless they result in actual delivery of the underlying commodity within 28 days.

From these premises, the CFTC found that Opyn had engaged in a number of violations of the CEA and CFTC Rules:

• By operating a multiple-to-multiple trading platform for executing or trading in swaps (here, the power perpetuals), Opyn engaged in the activity of a SEF without registering as such (or as a DCM).
• By offering leveraged or margined commodity trading to retail users, Opyn violated the CEA and CFTC rules in that such transactions are subject to regulation as if they were futures and may be lawfully offered only on a DCM (i.e., a regulated futures exchange).
• By (i) soliciting and accepting orders for swaps and leveraged or margined transactions and (ii) accepting assets to margin or collateralize such trades, Opyn engaged in the activity of an FCM without registering as such. In addition, in acting as an unregistered FCM, Opyn failed to comply with the “customer identification program” obligations applicable to FCMs, which are intended to facilitate know-your-customer (KYC) diligence.

The settlement of the Opyn enforcement action ultimately provided for Opyn to pay a civil monetary penalty of $250,000.

The Deridex Enforcement Action

As alleged by the CFTC, Deridex, Inc. (Deridex), a Delaware corporation with a principal place of business in Charlotte, North Carolina, developed and operated a digital asset trading platform involving a collection of smart contracts deployed on the Algorand blockchain. By accessing the Deridex protocol, any person with a digital asset wallet could contribute margin collateral to open a position in a “perpetual contract” that provided for the exchange of one or more payments based on the relative value of STBL2, a stablecoin under the Algorand Standard Assets technical standard, and some other digital asset. Such positions could be entered into on a leveraged basis up to a maximum leverage ratio of 15 times at position establishment, subject to the user depositing collateral of at least one-fifteenth of the position’s value. The remainder of the leveraged position was financed through borrowing from a liquidity pool supplied by other Deridex protocol users, with Deridex and the liquidity providers each receiving a portion of the interest paid by users on such leveraged positions. The CFTC alleged that Deridex did not take any action to prevent access by US users or retail customers.

The alleged violations in the Deridex enforcement action mirror those in the Opyn enforcement action. Beginning from the premise that the STBL2 stablecoin and other digital assets constitute “commodities” for purposes of the CEA and CFTC Rules, the CFTC reasoned that the perpetual contracts supported by the Deridex protocol constituted both “swaps” and an offering of leveraged or margined trading in commodities to retail customers. As a result, the CFTC found that Deridex had engaged in a number of violations of the CEA and CFTC Rules:

• By offering leveraged or margined commodity trading to U.S. retail users, Deridex violated the CEA and CFTC Rules in that such transactions are subject to regulation as if they were futures that and may be lawfully offered only on a registered DCM. The CFTC also specifically alleged that Deridex conducted an office or business in the US for the purposes of soliciting, accepting, or otherwise dealing in such transactions.
• Through the Deridex protocol and Deridex’s website, Deridex operated a multiple-to-multiple trading platform for executing or trading in swaps (here, the perpetual contracts) without registering as a SEF or DCM.
• By (i) soliciting and accepting orders for swaps and leveraged or margined transactions and (ii) accepting assets to margin or collateralize such trades, Deridex engaged in the activity of an FCM without registering as such. In addition, in acting as an unregistered FCM, Deridex failed to comply with the “customer identification program” obligations applicable to FCMs, which are intended to facilitate KYC diligence.

The settlement of the Deridex enforcement action ultimately provided for Deridex to pay a civil monetary penalty of $100,000, with the CFTC emphasizing that Deridex took prompt remedial action upon the Division of Enforcement’s inquiry. In particular, Deridex took steps to place the Deridex protocol into wind-down mode so that no new deposits or positions could be established.

The Matcha Enforcement Action – One of These Three Is Not Like the Others …

As alleged by the CFTC, ZeroEx, Inc. (ZeroEx), a Delaware corporation with a principal place of business in San Francisco, developed and deployed the 0x protocol and its related front-end user interface, Matcha. Together, the 0x protocol and Matcha could be used as a DEX to buy or sell one digital asset for another digital asset. The 0x protocol and Matcha interface also functioned as a DEX aggregator, compiling price data from multiple other DEXes. Thus, by interacting with the 0x protocol and the Matcha interface, users could trade in digital assets from multiple sources of liquidity for thousands of different digital asset trading pairs.

Among the thousands of trading pairs that users could trade through the 0x protocol and Matcha interface, the CFTC focused on certain leveraged tokens developed and issued by a third party unaffiliated with ZeroEx. In particular, the CFTC referenced tokens issued on both the Ethereum and Polygon networks providing leveraged exposure that was twice the price of BTC and ETH and that could be bought and sold through the 0x protocol and Matcha interface. The CFTC recited that Matcha users transacted approximately $117 million in trade volume in such leveraged tokens, but acknowledged that ZeroEx did not charge trading fees on such transactions.

Focusing on these leverage tokens, the CFTC alleged that ZeroEx had conducted an office or business in the US for the purpose of soliciting or accepting orders for off-exchange leveraged or margined commodity transactions from retail users (i.e., noneligible contract participants). Under the CEA and CFTC Rules, absent actual delivery of the relevant commodity within 28 days, such transactions are regulated as if they were futures contracts and may be lawfully offered only on or pursuant to the rules of a DCM (i.e., on a regulated futures exchange).

Significantly, the CFTC found ZeroEx to be in violation of the CEA and CFTC Rules notwithstanding that the leverage tokens in question were designed and issued by an unaffiliated third party. In this regard, the CFTC referenced its own prior interpretive guidance that the “offeror” of such transactions includes persons who present, solicit, or facilitate the use of margin, leverage, or financing arrangements. The CFTC concluded that by deploying a decentralized protocol (i.e., the 0x protocol) and operating a front-end user interface (i.e., the Matcha interface), ZeroEx facilitated and provided a purchaser with the ability to source financing or leverage from other users or third parties.

The settlement of the Matcha enforcement action ultimately provided for ZeroEx to pay a civil monetary penalty of $200,000.

^[1] In re Opyn, Inc., CFTC No. 23-40 (Sept. 7, 2023), available at https://www.cftc.gov/media/9211/enfopynorder090723/download.

^[2] In re Deridex, Inc., CFTC No. 23-42 (Sept. 7, 2023), available at https://www.cftc.gov/media/9221/enfderidexorder090723/download.

^[3] In re ZeroEx, Inc., CFTC No. 23-41 (Sept. 7, 2023), available at https://www.cftc.gov/media/9216/enfzeroexorder090723/download.

^[4] Risley v. Universal Navigation Inc. dba Uniswap Labs et al., No. 1:22-cv-02780 (S.D.N.Y. Aug. 29, 2023).

^[5] T7 U.S.C. § 1a(47).

^[6] Retail Commodity Transactions Involving Certain Digital Assets, 85 Fed. Reg. at 37,737 n.63, 37,736 n.164.

[View source.]