On September 7th, 2023, the U.S. Commodity Futures Trading Commission (“CFTC”) announced settlement orders against three operators of decentralized finance (“DeFi”) protocols: Opyn, Inc. (“Opyn”), Deridex, Inc. (“Deridex”), and ZeroEx, Inc. (“ZeroEx”). The announcement is a clear message that the CFTC will be asserting jurisdiction in the DeFi space, and may be as much a signal to the SEC as it is a message to the DeFi industry that the CFTC is claiming crypto regulatory territory.
Despite the CFTC’s claim that the actions reflect a “continued focus” on DeFi, they are the CFTC’s first enforcement actions targeting DeFi since its suit against Ooki DAO in September 2022. As discussed in our related post here, the district court issued an order in favor of the CFTC by holding that a decentralized autonomous organization (“DAO”), such as Ooki DAO, is a “person” under the Commodity Exchange Act (“CEA”) and can be held liable for violations of the CEA. However, as Commissioner Mersinger noted in her dissent to the CFTC orders, these latest actions present an entirely new set of circumstances for the CFTC— “technology that was decentralized in conception and operation.” The pressing question is whether the actions are a signal of more to come, and, if so, where does DeFi in the U.S. go from here?
Despite being lumped together, the CFTC actions do not reflect a sweep of a particular type of DeFi protocol, a term the CFTC broadly describes in these actions as including a collection of smart contracts on either the Ethereum (Opyn and ZeroEx) or Algorand (Deridex) blockchains that either:
(a) functioned as a blockchain-based digital asset trading platform (ZeroEx and Deridex); or
(b) related to the creation, purchase, sale, and trading of a blockchain-based derivative (Opyn).
Opyn developed and deployed the Opyn Protocol on the Ethereum blockchain relating to the creation of, and transactions involving, oSQTH, a derivative token minted by Opyn whose value is based on an index created by Opyn that tracked the price of ether (“ETH”) squared—i.e., to the power of two—relative to USDC (the “Squeeth Index”). Retail customers were able to take short and long positions in oSQTH, but short positions required the depositing of collateral to the Opyn Protocol and minting oSQTH, thereby resulting in the extension of a form of margin. According to the CFTC, Opyn retained a “degree” control over the Opyn Protocol including by retaining the ability to impose transaction fees and to effectively shut down the protocol.
Deridex developed, deployed, and maintained the Deridex Protocol, which enabled retail and institutional users to contribute collateral (margin) and open leveraged derivative positions (perpetual contracts) based on the value of STABL2 and another “virtual currency.” According to the CFTC, Deridex retained “substantial” control over the Deridex Protocol, including the ability to update relevant smart contract code, and suspend users or prevent users’ ability to deposit margin.
ZeroEx developed and deployed the 0x Protocol, which offered U.S. retail and institutional users the ability to trade digital assets on a peer-to-peer basis. ZeroEx also operated a front-end user interface, “Matcha,” that utilized the ZeroEx Protocol to run a decentralized exchange (“DEX”) enabling users to transact in digital assets on a peer-to-peer basis in both leveraged and unleveraged tokens.
All three DeFi protocol operators were charged with violations of the CEA for enabling transactions in leveraged retail commodity transactions with non-ECPs (eligible contract participants). This was the only alleged CEA violation by ZeroEx. In contrast, the CFTC also alleged violations by both Opyn and Deridex of a number of other CEA provisions, including the failure to register as a swap execution facility (“SEF”) or designated contract market (“DCM”). Further, the CFTC claimed that both Opyn and Deridex failed to register as futures commission merchants (“FCM”) for soliciting and accepting orders via their protocols, and, as a result, also failed to conduct KYC diligence on the protocol users as part of a customer identification program required to be maintained by FCMs.
For the above violations, Opyn and Deridex agreed to civil penalties of $250,000 and $100,000, respectively, and ZeroEx agreed to a civil penalty of $200,000. These penalties represent reduced amounts due to the cooperation of all organizations in the CFTC’s investigations.
CFTC and SEC Crypto Turf War
Coupled with other recent regulatory and enforcement activity by the SEC and CFTC, these recent CFTC actions highlight the crypto regulatory turf war brewing between both regulators with respect to DEXs and stablecoins.
We expect the regulation of DEXs in the U.S. to be a particular area of focus for both the CFTC and the SEC for the foreseeable future. Both regulators have shown a keen interest in this area of DeFi. The SEC has, so far, expressed its interest primarily through public statements by SEC Chair Gary Gensler, and a controversial rule proposal issued in April 2023 seeking to amend the definition of an “exchange” under the Securities Exchange Act of 1934. See our related post here. The CFTC, on the other hand, has now shown a regulation-by-enforcement trend targeting DEXs as evidenced by the Ooki DAO case and these recent actions.
Complicating matters, a recent federal district court decision resulted in the dismissal of a private class action involving Uniswap Labs, holding that the creators of a DEX do not violate the federal securities laws when third parties use the DEX to trade unregistered securities. While that case involved securities laws, it would seem the principle underlying the dismissal could equally be applied to the CEA.
Additionally, the actions reflect the CFTC’s view that stablecoins are commodities subject to its jurisdiction—USDC (an Ethereum-based stablecoin) and STABL2 (an Algorand-based stablecoin). There, too, however, a turf war might be brewing in that commentators have speculated that the SEC also may be targeting stablecoins as securities, pointing to Chairman Gensler’s equating at least some stablecoins to money market mutual funds subject to the jurisdiction of the SEC. Of course, it is worth noting that the CFTC also continues to view ETH as a commodity, while the SEC position on ETH as a security or a commodity remains murky at best.
According to the CFTC orders, while Deridex did not restrict user access to its protocol, Opyn sought to limit its exposure to U.S. jurisdiction by blocking users with U.S. IP addresses. The CFTC claimed that U.S. users nevertheless were able to obtain oSQTH, and did not elaborate on what other methods, if any, may be sufficient for blocking access by U.S. persons. Thus, while DeFi protocols seeking to avoid CFTC jurisdiction should consider additional measures for blocking U.S. persons, the effectiveness of those measures may be subject to second-guessing by the CFTC. While this regulatory approach provides the CFTC with an easier path for claiming US jurisdiction, the ambiguity makes it difficult for implementing as a practical matter. The actions here all involved US organized entities, but what about operators of DeFi or other crypto services organized, operated and marketed entirely outside the US? The implication is that a US person with the technological wherewithal to bypass such an organization’s systems can cause that organization to be subject to US jurisdiction through no reasonable fault of its own.
Setting the cross border jurisdictional issue aside, these orders make clear that the CFTC considers enabling others to transact in digital asset with leverage or margin, regardless of whether offered through a centralized or decentralized medium, to be an activity that may be subject to the CEA. While reactions amongst commentators are ranging from business-as-usual to pronouncing the death of DeFi, it is unclear whether these actions are just the beginning the CFTC’s regulation of DeFi. However, CFTC Director of Enforcement Ian McGinley may have foreshadowed the regulatory body’s enforcement approach, stating that “…the Division of Enforcement will continue to evolve with [DeFi] and aggressively pursue those who operate unregistered platforms that allow U.S. persons to trade digital asset derivatives.”