On September 7, 2023, the Commodities Futures Trading Commission (CFTC) announced settlements of enforcement actions with 3 decentralized exchanges (DEXs): Opyn, ZeroEx, and Deridex.

The CFTC grouped the enforcement actions together, even though each has different facts. The CFTC charged Deridex and Opyn with operating unregistered commodities futures exchanges because they offered swaps via perpetual futures (on Deridex) and oSQTH (on Opyn), a token that tracked the price of ETH squared (Squeeth) relative to USDC. The CFTC also charged Deridex and Opyn with failing to implement anti-money laundering controls.

The CFTC charged all 3 DEXs with illegally offering leveraged and margined crypto commodity transactions to retail users. But notably, ZeroEx did not itself offer such leveraged or margined transactions. Instead, the CFTC held ZeroEx responsible for developing and deploying a protocol and front-end that others used for leveraged trading of BTC and ETH.

None of the 3 DEXs was accused of misappropriating customer funds, or otherwise harming market participants. The CFTC recognized each DEX’s substantial cooperation in its enforcement investigations, and reduced their civil penalties accordingly to a combined total of $550,000.

Key Takeaways

1 - The CFTC is looking to expand its jurisdiction over crypto.

The CFTC moved fast and stretched the law to stake its claim to regulate DeFi.

The CFTC quickly went after Dervidex. Dervidex developed its protocol mid-2022, and launched it January 1, 2023. Rarely does a regulator move so fast to have completed and settled an investigation 9 months after product launch.

The CFTC also stretched the law. To make its case against ZeroEx, the CFTC expanded the definition of “offeror” under the Commodity Exchange Act to include anyone who “facilitates the use of margin, leverage or financing arrangements.” 0x was built for pure spot trading of crypto commodities—legal, unregulated activity. But the CFTC’s broadened definition captured the 0x protocol and front-end (Matcha) because they facilitated users’ ability to source financing or leverage from other users.

The CFTC might have trouble convincing a judge that this interpretation of the law is correct. But in the context of an enforcement settlement, whatever terms the CFTC got the protocols to agree to will stick. This could put developers on the hook for future uses of their protocol that they never contemplated.

Even the way that the CFTC lumped together these 3 distinct enforcement actions for Commission consideration, voting, and public announcement sends a strong message to DeFi that the CFTC will aggressively enforce its interpretation of the Commodity Exchange Act.

2 - Anti-money laundering remains a top regulatory priority.

The CFTC found that both Opyn and Deridex violated anti-money laundering requirements. Neither DEX adopted a customer identification program. That the DEXs operated via smart contracts, which are accessible by anyone—including via a “blockchain explorer”—was no excuse.

But the CFTC offered no guidance as to how DeFi protocols could comply with applicable anti-money laundering rules, or other Commodity Exchange Act requirements. Commissioner Mersinger recognized in her dissent the difficulties that DeFi protocols face in trying to implement such compliance, and urged that the CFTC take up rulemaking to bridge those gaps.

3 - Banning US users requires more than blocking US IP addresses.

The CFTC found that Opyn took certain steps to exclude US persons from accessing the Opyn Protocol, including blocking US IP addresses. The CFTC states that those steps were insufficient, but offers no guidance of what would be sufficient to effectively block US users from the Opyn protocol.

How can founders of DeFi protocols reduce US regulatory risk?

Regulatory frameworks like the Commodity Exchange Act rely on centralized intermediaries. Regulators impose on those entities rules to follow, and obligations to share information. But DeFi is fundamentally about disintermediation. This puts DeFi directly at odds with the CFTC’s regulatory framework.

As Commissioner Mersigner stated in her dissent, the CFTC must do the hard work to protect market participants while promoting responsible innovation, including via decentralization. Until the CFTC takes up rulemaking or softens its aggressive enforcement stance, DeFi founders face tough choices for their protocols, especially if they want to continue to operate in the US.

Some ways for founders to reduce their US regulatory risk include:

• Take extra steps to block US users beyond just by IP address. For example, deploy middleware that can correlate IPs to addresses, and block addresses if there are 3 or more correlations of the address to a US IP.

• Don’t operate a front end. Have only unrelated third parties do so.

• Decentralize more and control less. Give parameter controls to users or oracles that may direct certain aspects of the transactions. Sacrifice full control and upgradeability.

• Identify all US touchpoints. Explore possibilities to relocate outside the US, including through offshore entities.

None of these options are ideal. The best approach now is to fight for laws and regulations that make sense for DeFi. Get involved in the policymaking process and educate stakeholders.

• Call your Congressperson and explain why crypto and DeFi are important. Not sure who to contact? Find out who represents you here.

• Vote. Tools like Coinbase’s legislative portal show US policymakers’ stance on crypto.

• Want to engage directly? Let us know if you’d like to meet with policymakers in Washington, D.C., key states (e.g., CA, NY, TX), and/or other jurisdictions ex-US (e.g., UK, EU, Singapore). We’re part of various policy initiatives that are always looking for developer input and participation.