API/RSS

Social

The tragedy of DeFi regulation, Uniswap in heaven, Tornado Cash in hell.

Web3小律

23-09-04 14:00

Read this article in 32 Minutes

AI summary

View the summary

Source: Web3 Xiao Lu

On August 29, 2023, the Southern District of New York (SDNY) dismissed a class action lawsuit against Uniswap. The plaintiffs accused Uniswap of allowing fraudulent tokens to be issued and traded on the protocol, causing harm to investors and seeking compensation. The judge ruled that the current regulatory framework for cryptocurrencies does not provide a basis for the plaintiffs' claims, and that Uniswap is not responsible for any harm caused by third-party use of the protocol.

Before Uniswap's "victory", in the same SDNY, the US Department of Justice and other regulatory agencies (DOJ) filed criminal charges against Tornado Cash founders Roman Storm and Roman Semenov, accusing them of conspiring to launder money, violating sanctions during the operation of Tornado Cash, and operating an unlicensed remittance business. The two will face at least 20 years in prison.

Why is there such a difference in regulatory treatment between Uniswap and Tornado Cash, both of which are smart contract protocols built on blockchain? This article will delve into two DeFi cases and analyze the underlying logic that causes such differential treatment by regulators.

TL;DR

Technology itself is not guilty, it is the people who use technology tools that are guilty; The ruling in the Uniswap case is good news for DeFi, that is, DEX will not be responsible for users' losses due to third-party issued tokens, which is actually a bigger impact than the Ripple case; Katherine Polk Failla, the judge who also presided over the SEC v. Coinbase case, responded to whether cryptocurrencies are securities: "This is not a decision for the court, but for Congress" and "ETH is a commodity", can this also be interpreted in the SEC v. Coinbase case? Although the Tornado Cash case was also caused by third-party reasons leading to regulatory intervention, the reason why the case was so serious was that the founder knowingly controlled the protocol to provide convenience for illegal elements on the network, and infringed on the national security interests; Uniswap's establishment in the United States, active cooperation with regulation, and the single governance function of its token provide a good example for other DeFi projects to deal with regulation.

One, investors sue Uniswap for investment fraud tokens

（https://uniswap.org/）

In April 2022, a group of investors collectively sued Uniswap's developers and investors - Uniswap Labs and its founder Hayden Adams, as well as its investment firms (Paradigm, Andreesen Horowitz, and Union Square Ventures) - accusing the defendants of not registering under the US Federal Securities Law and causing investor losses by listing "fraudulent tokens", and demanding compensation for damages.

The presiding judge, Katherine Polk Failla, stated that the true defendant in this case should be the issuer of the "fraudulent tokens", not the developers and investors of the Uniswap protocol. Due to the decentralized nature of the protocol, the identity of the issuer of the fraudulent tokens is unknown to the plaintiff (and therefore also unknown to the defendant). The plaintiff can only sue the defendant in the hope that the court can transfer their claim to the defendant. The reason for the lawsuit is that the defendant provided the issuer of the fraudulent tokens with a platform for issuance and trading in exchange for transaction fees.

In addition, the plaintiff also played the role of SEC Chairman Gary Gensler, believing that (1) the tokens sold on Uniswap are unregistered securities; (2) and Uniswap, as a decentralized exchange for trading securities tokens, should be registered with regulatory agencies as a securities exchange or broker. The court refused to extend securities laws to the plaintiff's allegations and concluded that the lack of relevant regulation was the reason for investors' concerns, stating that "it is better to raise concerns to Congress than to this court."

Overall, the judge believes that the current regulatory system for encryption cannot provide a basis for the plaintiff's claims. Furthermore, according to current US securities laws, Uniswap's developers and investors should not be held responsible for any damages caused by third-party use of the protocol. Therefore, the plaintiff's lawsuit has been dismissed.

二、Uniswap Case Dispute Focus

The presiding judge in this case, Katherine Polk Failla, is also the presiding judge in SEC v. Coinbase and has extensive experience in handling cryptocurrency cases. After reading the 51-page ruling in this case, it is clear that the judge has a deep understanding of the cryptocurrency industry.

The focus of the dispute in this case is: (1) whether Uniswap should be responsible for third-party use of the protocol; and (2) who should be responsible for the consequences of using the protocol.

2.1 Uniswap's underlying protocol should be distinguished from the issuer's token protocol, and the issuer who implements harmful behavior should be held responsible

Uniswap Labs previously stated that "Uniswap V3's decentralized liquidity pool model is entirely composed of underlying smart contracts and automatically executed. This model, due to its openness, permissionlessness, and inclusivity, can generate exponential growth in the ecosystem. The underlying protocol not only eliminates so-called transaction intermediaries, but also allows users to interact with the protocol in a simple and effective manner through various means, such as entering through the Dapp developed by Uniswap Labs."

The issuer is based on the underlying Uniswap protocol mentioned above. According to the unique AMM mechanism of DEX, anonymous token issuance can be carried out without any form of behavioral verification or background investigation. The issuer can create and establish liquidity pool trading pairs (such as its own ERC-20 tokens/ETH) for investors to trade.

（https://www.docdroid.net/APrJolt/risley-v-uniswap-PDF）

The decentralized nature of Uniswap means that the protocol cannot control which tokens are issued on the platform or who interacts with them. The judge stated: "These underlying basic smart contracts are different from the token contracts created by the issuers that are unique to each liquidity pool. The protocol relevant to the plaintiff's claim is not the underlying protocol provided by the defendant, but rather the liquidity pool trading pair protocol or token protocol (the pair or token contracts drafted by the issuers themselves)."

In order to better explain, the judge also made several analogies: "Just like making the developer of an autonomous driving car responsible for third-party use of the car in traffic accidents or bank robberies, regardless of whether the fault lies with the developer." The judge also analogized payment apps Venmo and Zelle, "the plaintiff's lawsuit is trying to make these payment platforms responsible, not drug dealers, because drug dealers use payment platforms to transfer funds for drug transactions."

In these cases, it is necessary to hold individuals responsible for the harmful actions they have committed rather than the software developers.

2.2 The First Judge in the Background of Decentralized Smart Contracts

The judge acknowledges the current lack of judicial precedents related to DeFi protocols. There have been no court rulings made under the background of smart contracts in decentralized protocols, and no avenues have been found to hold defendants legally responsible under securities laws.

The judge believes that in this case, the Uniswap protocol's smart contract can indeed operate legally, just like providing transactions for crypto commodities ETH and BTC (Court finds that the smart contracts here were themselves able to be carried out lawfully, as with the exchange of crypto commodities ETH and Bitcoin).

In this statement, the judge specifically mentioned the commodity attributes of ETH, although it was only one sentence.

2.3 Investor Protection under Securities Law

Article 12(a)(1) of the Securities Law grants investors the right to sue for damages against the seller for violating Article 5 of the Securities Law (registration and exemption of securities). Due to the regulatory challenge of whether or not cryptocurrency assets are securities, the judge stated: "This is not a decision for the court, but for Congress." The court refused to extend the Securities Law to the plaintiff's allegations, and concluded that there was a lack of relevant regulatory basis, stating that "investor concerns are best addressed to Congress, not to this court."

2.4 Summary

Although SEC Chairman Gary Gensler has so far avoided calling ETH a security, Judge Katherine Polk Failla referred to it directly as a commodity (Crypto Commodities) in the case and refused to expand the scope of securities law in the case against Uniswap to cover the conduct alleged by the plaintiff.

Considering that Judge Katherine Polk Failla also presided over the SEC v. Coinbase case, her response to whether or not cryptocurrencies are securities - "This is not a determination that the court will make, it's a determination that Congress will make" - and her statement that "ETH is a commodity" - can these be interpreted similarly in the SEC v. Coinbase case?

Regardless of how it goes, although laws are currently being formulated around DeFi, regulatory agencies may one day solve this gray area. However, the Uniswap case does provide a sample for the encrypted DeFi world to deal with regulation, that is, decentralized exchanges (DEX) cannot be held responsible for users' losses due to third-party issued tokens. This is actually a bigger positive impact than the Ripple case, which is good news for DeFi.

（https://twitter.com/dyorexchange/status/1697332141938389281）

Three, Tornado Cash in the depths of hell and its founder

As a DeFi protocol deployed on the blockchain that provides coin mixing services, Tornado Cash seems to be in a less than ideal situation. On August 23, 2023, the US Department of Justice (DOJ) filed criminal charges against Tornado Cash founders Roman Storm and Roman Semenov, accusing them of conspiring to launder money, violating sanctions regulations, and operating an unlicensed money transfer business during the operation of Tornado Cash.

Tornado Cash is a well-known mixing application on Ethereum that aims to provide users with privacy protection for their transaction behavior. It achieves privacy and anonymity in transactions by obfuscating the source, destination, and counterparty of cryptocurrency transactions. On August 8, 2022, Tornado Cash was sanctioned by the US Office of Foreign Assets Control (OFAC), and some on-chain addresses related to Tornado Cash were included in the SDN list. This means that any entity or individual who interacts with on-chain addresses in the SDN list is illegal.

OFAC stated in the press release that since 2019, the amount of funds involved in money laundering crimes using Tornado Cash has exceeded $7 billion. Tornado Cash has provided substantial assistance, sponsorship, or financial and technological support for illegal network activities both inside and outside the United States, which may pose significant threats to US national security, foreign policy, economic health, and financial stability. Therefore, it has been sanctioned by OFAC.

(https://www.researchgate.net/figure/Example-of-the-Tornado-Cash-1-ETH-pool-addresses-A-through-F-deposit-to-and-withdraw_fig1_357925591)

3.1 Criminal Charges Against Tornado Cash and Its Two Founders

DOJ stated in a press release on August 23 that the defendant and their accomplices created the core functionality of Tornado Cash Service, paid for the operation of critical infrastructure to promote the service, and received millions of dollars in return. The defendant knowingly chose not to comply with legal requirements for Know Your Customer (KYC) and Anti-Money Laundering (AML) measures despite being aware of the illegality of the transactions.

In April and May 2022, Tornado Cash was used by Lazarus Group (a sanctioned North Korean cybercrime organization) to launder hundreds of millions of dollars in hacker profits. It is alleged that the defendants knew these were money laundering transactions and made changes to the service so that they could publicly claim to be compliant, but privately agreed that the changes were ineffective. The defendants continued to operate the service and further facilitated illegal transactions, helping Lazarus Group transfer criminal proceeds from crypto wallets designated as blocked property by OFAC.

The defendants are charged with one count of conspiracy to commit money laundering and one count of conspiracy to violate the International Emergency Economic Powers Act, both of which carry a maximum sentence of 20 years in prison. They are also charged with conspiring to operate an unlicensed money transmitting business, which carries a maximum sentence of five years in prison. The federal district court judge will decide how to sentence them after considering the US Sentencing Guidelines and other statutory factors.

3.2 Definition of Money Transmitting Business

It should be noted that the Financial Crimes Enforcement Network (FinCEN), a subsidiary of the US Department of the Treasury, has not filed a civil lawsuit against Tornado Cash and its founder for operating an unlicensed money transmission business. If Tornado Cash falls under the definition of a money transmitter, this definition would also apply to other similar DeFi projects. Once confirmed, these projects would need to register with FinCEN and go through the KYC/AML/CFT process, which would have a huge impact on the DeFi world.

FinCEN released guidance in 2019 (2019 FinCEN Virtual Currency Guidance) that categorizes the business models of cryptocurrency activities and determines whether they fall under the definition of a money transmitter based on the type of business.

3.2.1 An Anonymizing Software Provider

Coin Center's Peter Van Valkenburgh said that the only accusation in the indictment regarding the defendant's unlicensed operation of a currency transmission business is that they engage in the business of transferring funds on behalf of the public and have not registered with FinCEN. However, Tornado Cash is actually a provider of anonymous software and only provides "delivery, communication, or network access services for currency senders to support currency transmission services."

In 2019, the guidelines clarified that an Anonymizing Software Provider is not considered a Money Transmitter, while an anonymous Service Provider is.

3.2.2 Cryptocurrency Wallet Service Provider (CVC Wallet)

Top-tier law firm Cravath, Swaine & Moore LLP also released a report, drawing an analogy to the only business defined as a money transmitter in the 2019 guidelines - the cryptocurrency wallet service provider (CVC Wallet), to derive the rigid requirements for money transmitters - they must have total independent control over the value being transmitted, and this control is necessary and sufficient.

In this case, the indictment states how the defendant controlled the Tornado Cash software/protocol, but it does not specify how the defendant controlled the transfer of funds. The report analyzed the process of fund transfer in Tornado Cash and ultimately showed that it cannot fully control the transfer of funds like a cryptocurrency wallet service provider, as the transfer of funds still requires user interaction through a key. Therefore, it should not fall under the definition of "fund transferor".

3.2.3 DApps

Delphi Labs' French CEO @_gabrielShapir0 disagrees with Cravath's viewpoint, believing that Cravath overlooks another business model for cryptocurrency activities in the 2019 guidelines - Decentralized Applications (DApps).

（https://twitter.com/lex_node/status/1698024388572963047）

Here is FinCEN's view on DApps: "The owner/operator of a DApp may deploy it to perform various functions, but when the DApp engages in money transmission, the definition of money transmitter will apply to the DApp, or to the owner/operator of the DApp, or both."

The complaint is based on the 2019 guidance on DApps to define unlicensed money transmission businesses. When a subject (individual, legal person, non-legal person organization) conducts money transmission business through smart contracts/DApps, FinCEN's rules will apply.

If FinCEN did state the above in their 2019 guidance, then we have to wonder why they have not taken any enforcement action against DeFi to clarify this interpretation since its release. Given that DeFi should all involve some form of fund transfer, theoretically it could apply to every DeFi application (as they all involve some form of fund transfer).

3.3 Summary

FinCEN's 2019 guidance is ultimately just guidance. It is not binding on the Department of Justice and has no legal effect. However, in the current absence of a comprehensive regulatory framework for cryptocurrency in the United States, the guidance remains the best document reflecting regulatory attitudes.

However, the DOJ's actions have left unresolved important issues for the future of decentralized protocols, including whether individual actors should be responsible for actions taken by third parties or resolutions resulting from loose community voting. The American defendant, Roman Storm, will appear in court for the first time in the coming days and will be subject to trial. The court may have the opportunity to address these outstanding issues.

The Attorney General, Merrick Garland, stated: "This indictment serves as a warning to those who believe they can use cryptocurrency to conceal their crimes." FBI Director, Christopher Wray, added that "the FBI will continue to dismantle the infrastructure used by cyber criminals to commit crimes and profit from them, and hold accountable anyone who assists these criminals." This demonstrates the firm stance of regulators on AML/CTF.

(https://techcrunch.com/2023/08/23/two-founders-behind-russian-crypto-mixer-tornado-cash-charged-by-u-s-federal-courts/)

Four, why are there heaven and hell distinctions among DeFi protocols?

The commonalities between the Uniswap and Tornado Cash cases are: (1) both are smart contracts deployed on the blockchain and can operate autonomously; (2) both have faced regulatory intervention due to third-party non-compliant/illegal use of the smart contract; (3) both are now facing the question of who should be held responsible for the damages caused by non-compliant/illegal behavior?

The difference lies in:

In the Uniswap case, the judge believed that (1) the underlying smart contracts on the blockchain are different from the token contracts deployed by the issuer, and the underlying smart contracts can operate legally without any issues, (2) the token contracts deployed by the issuer caused harm to investors, and (3) therefore, the issuer's responsibility needs to be investigated.

In the Tornado Cash case, the complaint alleges that although regulatory intervention was also caused by the illegal use of third parties, the difference is that the founder of Tornado Cash had the ability to control the protocol and provide convenience for network criminals in full knowledge of the situation, and the infringement was on the national security interests. As for who should take responsibility, it goes without saying.

Five, in conclusion

On April 6, 2023, the US Department of Treasury released the 2023 DeFi Illegal Financial Activities Assessment Report, which is the world's first assessment report on illegal financial activities based on DeFi. The report recommends strengthening the supervision of AML/CFT in the United States and, where possible, strengthening enforcement of crypto asset activities (including DeFi services) to improve compliance with US banking secrecy law obligations by crypto asset service providers.

It can be seen that the US regulators also follow this approach, regulating the inflow and outflow of encrypted assets from the perspective of KYC/AML/CTF, controlling the source, such as Tornado Cash providing money laundering convenience for network criminals; and then regulating the compliance of specific project business from the perspective of investor protection, such as in the case of CFTC v. Ooki DAO, where the regulator intervened in regulatory enforcement on the grounds that Ooki DAO's business violated CFTC regulations; and in the case of Tornado Cash, the regulator intervened in regulatory enforcement on the grounds that it violated FinCEN's currency transmission regulations.

Although the regulatory framework for cryptocurrency in the United States is unclear, it appears that Uniswap has established operating entities and foundations in the country and actively cooperates with regulatory agencies to implement risk control measures (blocking certain tokens). Its UNI token has always only had governance functions (rather than being involved in the controversy over security tokens). These actions provide a good example for other DeFi projects to respond to regulation.

Technology itself is not guilty, it is the people who use technological tools that are guilty. The Uniswap and Tornado Cash cases have both provided the same answer.

REFERENCE:

[1] Risley v. Uniswap Case 1:22-cv-02780-KPF

https://www.docdroid.net/APrJolt/risley-v-uniswap-pdf

[2] DOJ, Tornado Cash Founders Charged with Money Laundering and Sanctions Violations

https://www.justice.gov/opa/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations

[3] The International Academy of Financial Crime Litigators Publishes Working Paper by Cravath Lawyers on Tornado Cash Indictment

https://www.cravath.com/news/the-international-academy-of-financial-crime-litigators-publishes-working-paper-by-cravath-lawyers-on-tornado-cash-indictment.html