A developer and financial backers of a renowned decentralized finance protocol cannot be held liable to private litigants for the activities of unrelated bad actors that utilized the protocol to launch and offer for sale scam digital assets, ruled a federal district court judge in New York City on August 29, 2023.

Approximately one week later, however, the Commodity Futures Trading Commission took a different approach, commencing and settling an enforcement action against the developer of a DeFi protocol for activities apparently engaged in through an unrelated third-party DeFi application that purportedly were in violation of applicable law – the Commodity Exchange Act. Concurrently, the CFTC also commenced and settled enforcement actions against two other developers of DeFi protocols, for alleged violations of registration provisions of the CEA, as well as for failing to perform certain anti-money laundering activities.

On August 29, the Honorable Katherine Polk Failla, District Judge for the United States District Court, Southern District of New York, granted defendants’ motion to dismiss a putative securities class action filed against Uniswap Labs, its CEO and the inventor of the Uniswap protocol – a DeFi trading platform –, the Uniswap Foundation, and various venture capitalists purportedly associated with Labs and the Uniswap protocol. The plaintiffs had alleged that the various defendants were liable for scam tokens accessible on the Uniswap protocol pursuant to applicable securities laws (provisions of both the Securities Act of 1933 and the Securities Exchange Act of 1934). However, in response, Judge Failla held that the harm to plaintiffs of the scam token activity was effectuated by the token issuers not by the defendants. The fact that the identity of the legal or natural persons behind the scam tokens could not be identified did not authorize the various claims against the defendants to proceed. According to the Judge Failla,

Whether this anonymity is troublesome enough to merit regulation is not for the Court to decide, but for Congress. Indeed, “[t]he ultimate question [in these cases] is one of congressional intent, not one of whether this Court thinks it can improve upon the statutory scheme that Congress enacted in law.”

Taking a different approach, on September 7, 2023, the CFTC commenced and settled an enforcement action against ZeroEx, Inc., which developed and deployed a DeFi protocol – the Ox Protocol – that allowed users, including retail persons in the United States, to trade digital assets on a peer to peer basis “through the use of various blockchains,” as well as a front-end user interface, known as “Matcha.”

The CFTC charged ZeroEx with impermissibly offering leveraged digital assets to retail persons without actual delivery within 28 days – conduct that is prohibited under the CEA – even though it appears that neither ZeroEx, the Ox protocol nor Matcha were directly responsible for the allegedly prohibited activity. Instead, it appears that a third party developed and issued leveraged digital assets that could be accessed through Matcha. This was accomplished, said the CFTC, by the issuer deploying smart contracts that automatically borrowed stablecoins from third-party lending platforms and using the borrowed stablecoins in automated trading on other third-party decentralized exchanges (but not on Ox).

Concurrently with its enforcement action against ZeroEx, the CFTC also commenced and settled enforcement actions against two other companies that developed and deployed DeFi protocols – Opyn, Inc. and Deridex, Inc. According to the CFTC, each company engaged in activities allegedly requiring registration as an exchange (either a designated contract market or a swap execution facility) as well as a futures broker (i.e., a futures commission merchant) without being so registered. Each company was also charged with not conducting purportedly required anti-money laundering activity.

In a highly unusual dissent to all these enforcement actions, Commissioner Summer Mersinger, identified the ZeroEx case as particularly problematic – challenging whether the CFTC even had jurisdiction in the first instance to bring the action. According to Commissioner Mersinger, ZeroEx’s

…technology enabled users to execute spot trades in thousands of different digital asset trading pairs; the CFTC does not have regulatory jurisdiction over such spot trading, which is lawful activity under the CEA. The Commission nonetheless holds this Respondent liable because its protocol was used to trade some leverage digital assets issued by unaffiliated third parties, which could be created by utilizing a set of smart contracts designed and deployed by third parties that automatically executes a series of action on other third-party DeFi lending platforms and decentralized exchanges to generate leverage. This raises the questions: if a DeFi protocol is developed for lawful purposes but is used for purposes that violated the CEA, should the developer be held liable?

Commissioner Mersinger was clear in expressing her approval for the CFTC to be “vigilant in bringing enforcement cases in new areas where they are warranted – especially to fulfill our mandate from Congress to protect market participants from fraud and abuse.” However she noted that, in none of the enforcement actions against the three DeFi developers, was there any allegations of fraud or abuse. She said that the CFTC should be engaging with market participants and developing rules or equivalent guidance related to DeFi rather than by regulating principally through enforcement.

The three DeFi developers settled their CFTC enforcement actions by agreeing to pay fines from $100,000 to $250,000, and to cease and desist from future violations of the provisions of the CEA the CFTC claimed they had violated by their prior conduct.

Unrelated to these legal actions, on September 7, 2023, the International Organization of Securities Commissions issued policy recommendations to address risks it claims are posed by DeFi. Generally, in developing regulations related to DeFi, IOSCO advised regulators to consider nine specific recommendations, including to (1) ensure they understand applicable DeFi arrangements and structures; (2) seek to identify natural persons and entities that could be subject to applicable regulatory requirements, including persons “exercising control or sufficient influence over a DeFi arrangement or activity”; and (3) rely on existing frameworks of regulators to ensure the same outcomes for investor protection and market integrity that “are the same as, or consistent with, those that are required in traditional financial markets.”

Click here to access the Hon. Katherine Pol Failla’s opinion in Risley v. Uniswap Labs et al.

Click here to access the CFTC’s enforcement actions and settlements against ZeroEx, Inc., Opyn, Inc., and Deridex, Inc.

Click here to access CFTC Commissioner Summer Mersinger’s dissent to the three DeFi enforcement actions.

Click here to access IOSCO’s Policy Recommendations regarding DeFi.

“We at the CFTC are fortunate to have more than one “tool” to use in our oversight of the markets. I am concerned, however, that as it relates to DeFi innovation, if we continue swinging our enforcement “hammer” as if every DeFi project were a nail, we are neglecting the other tools in our toolbox that can enable us to achieve the diverse objectives that Congress tasked to us [under applicable law]." – CFTC Commissioner Summer Mersinger

www.cftc.gov/...