Decentralized Finance—Risks, Regulation, and the Road Ahead

Even those who are most suspicious of the rise of cryptocurrency will likely admit that the underlying blockchain technology and its potential uses are exciting. One use of this technology, decentralized finance, or DeFi, is on the cusp of major growth. Regulators are aware of this growth and are moving to act accordingly. As a possible preview of the coming regulatory efforts, this past spring Treasury Secretary Janet Yellen urged regulators to accelerate their establishment of a regulatory framework for stablecoins, a rapidly growing class of digital currencies which, among other things, can be used on DeFi platforms to temper pricing volatility.

Since Secretary Yellen’s comments, Securities and Exchange Commission Chair Gary Gensler has made it clear that the regulation of DeFi platforms and stablecoins is on the SEC’s agenda.² Earlier this month, he wrote to Senator Elizabeth Warren that both should be among Congress’ legislative priorities, adding that “[r]egulators would benefit from additional plenary authority to write rules for and attach guardrails to crypto trading and lending.”³ The SEC also brought its first enforcement case against a DeFi platform this month.⁴

In this piece, we briefly explore the risks of DeFi as it grows, and, in turn, draws increasing scrutiny from regulators.

DEFI BASICS

DeFi describes blockchain-based alternative finance systems. DeFi platforms enable users to engage in traditional financial transactions like lending and borrowing through direct peer-to-peer exchanges, eliminating the role of traditional financial intermediaries by directly mediating the transfer of value. Transactions are settled on a public blockchain, rather than through a bank or other central institution. DeFi services use a non-custodial design, meaning assets issued or managed on DeFi platforms theoretically cannot be moved or expropriated unilaterally by parties other than the account owners.⁵ The use of open-source code—meaning code designed to be publicly accessible—allows participants to view and verify protocols directly as well as create derivative or competitive services.⁶ The composability⁷ of DeFi’s programmatic components allows financial instruments and services to incorporate multiple DeFi services and protocols, which distinguishes DeFi from private services or standalone digital assets.⁸

To effectuate transactions, DeFi uses open protocols⁹ and decentralized applications, or DApps.¹⁰ These protocols and DApps are powered by smart contracts—programs that automatically run when certain conditions are met, which are generally built on existing blockchains such as Ethereum.¹¹ Smart contracts replace the intermediary role of centralized financial institutions with self-executing lines of code built into a blockchain.¹²

DeFi has experienced fast-paced growth since mid-2020. As of August 2021, the “total value locked” in DeFi sits around $75 billion.¹³ This value represents the amount of assets that are currently being staked across all DeFi protocols (i.e., pledged, loaned, or otherwise provided to the network to fund DeFi transactions). And even that figure may only be a fraction of its future potential.¹⁴

DEFI RISKS

Despite DeFi’s rapid growth, its open-source ecosystem with the potential to democratize banking and finance, and its potential efficiencies, there are significant risks for industry participants to consider. These can be categorized into three buckets: technological risk, asset risk, and compliance/legal risk.

Technological Risk

The technological risks implicated by DeFi are rooted in the current limitations of blockchain technology. Many DeFi protocols are powered by Ethereum, including nine of the largest DeFi projects.¹⁵ The Ethereum public blockchain infrastructure is far from infallible: increased customer adoptions of DeFi has led to a corresponding increase in attacks, bugs, and network congestion. These can lead to high network transaction fees, failed transactions, and liquidation issues. In some cases, extreme network congestion has led DeFi apps to stop functioning altogether. In March 2020, for example, network congestion caused a major DeFi app to malfunction, leading to over $8.32 million worth of cryptocurrency being auctioned off for nothing.¹⁶

In addition to scalability challenges, DeFi platforms—like other forms of financial services operations—also face major cybersecurity threats. Smart contract security has improved since the notorious decentralized autonomous organization (“DAO”) hack of 2016, in which $50 million in Ether was stolen.¹⁷ Nonetheless, several major players have recently experienced cybersecurity attacks, resulting in significant losses. Hackers stole about $120 million from DeFi protocols in 2020 in 15 separate attacks—less than half was later recovered.¹⁸ By the midpoint of this year, there had been at least 23 attacks, netting hackers more than $400 million in value.¹⁹ And that was before one major DeFi platform disclosed on August 10 that hackers had stolen digital assets worth more than $600 million from its platform.²⁰ Many of the major DeFi “hacks” have been so-called “flash loan attacks”²¹ that sometimes take advantage of temporary defects in price feeds.²² Other examples have seen attackers exploit bugs or flaws within a protocol code.²³

Further, even if the smart contracts are technologically sound, hackers can target other vulnerabilities. For example, in April 2021, hackers targeted one DeFi protocol by stealing access to the code from the founder’s computer. The situation resulted in losses of around $80 million.²⁴

And beyond hackers, investors risk being targeted by exit scams, such as “rug pulls.” Exit scams are typically understood in the context of an initial coin offering (“ICO”), where promoters take off with investors’ money during or after the ICO. DeFi rug pulls are a new form of exit scam where a developer abandons a project and leaves with the funds.²⁵ Harkening back to more traditional forms of offering fraud, anonymous team members on social media promise a large APY to retail liquidity providers, and, as soon as enough funds have been locked into a smart contract, the developer withdraws all the funds from the liquidity pool and disappears, causing the token’s price to crash to zero.²⁶

Given the ever-growing scale of financial transactions in this space, even minor instability or hiccups in data security could result in significant losses for individual investors. As a result, insurance brokers are also beginning to get involved, providing users with insurance against losses due to hacks or malfunctioning software.²⁷

Asset Risk

DeFi applications are often built on the Ethereum blockchain, and the collateral pledged in DeFi transactions is typically cryptocurrency. Given the volatility of digital assets, it is possible for the value of that collateral to decline sharply, causing associated liquidity risks. This, in turn, can fuel a broader sell-off, and this uncertainty and instability can lead to catastrophic “bank runs” that send token values plummeting.

The volatility of the crypto market is well-known. In 2018, for instance, Bitcoin dropped more than 80%, nearing its worst ever bear market before rebounding.²⁸ And the market can be heavily influenced by unexpected outside factors like social media. For example, after Tesla CEO and crypto enthusiast Elon Musk tweeted a meme interpreted by many to mean Tesla might scale back its Bitcoin holdings, Bitcoin dropped significantly.²⁹ As one investor put it, “the market movement post-Musk’s tweets continues to show how nascent this asset class is.”³⁰

While panic buying results in major spikes, driving up value beyond the true underlying value, panic selling of DeFi tokens can likewise result in major crashes that would be highly unusual with fiat currency. For example, in June 2021, tokens including Galaxium and Crypto Village Accelerator each lost more than 60 percent over the course of 24 hours.³¹ Even more established tokens such as Uniswap lost 7% in the same 24-hour period, which although not as extreme as the headline-grabbing 60% loss for less established tokens, still points to significant volatility of the kind that would be highly unusual with fiat currencies like the U.S. dollar.³²

Sophisticated investors are not immune from this volatility and associated risks. For example, entrepreneur Mark Cuban called for regulation of DeFi after a DeFi token he held crashed to zero in one day as a result of a “bank run” on the token.³³

Some individuals have sought to use stablecoins, which are backed by an asset (often fiat currency), to minimize this risk. Early on, DeFi apps would attract new users and deposits by offering high yields that were typically paid out in the native token of the protocol, which were typically very volatile. Stablecoins, as the name would suggest, are designed to be more stable, in some cases thanks to being collateralized by the value of an underlying asset like U.S. dollar cash and cash equivalents. Basing transactions on these familiar units is appealing to some investors more comfortable with traditional financial services. But with great risk comes potentially great reward. Although using stablecoins theoretically dampens volatility as compared to other tokens, their use is often associated with lower returns because of lower risk, due at least in part to their tie to fiat currencies.³⁴

Compliance Risk

DeFi is still in its infancy. Many DeFi services are offered by unincorporated entities that operate outside of regulatory structures that exist around more traditional financial products. Most of the services in the space are software programs that automate financial transactions and replace the traditional role of the bank as an intermediary. This creates several risks and results in an uncertain regulatory environment. The lack of intermediaries, the anonymity of peer-to-peer transactions, and the global reach of DeFi present potentially amplified compliance risks for participants in the space. In the absence of clear, direct guidance from regulatory agencies, DeFi platforms face potentially vast and confusing compliance and legal obligations. Their operations can implicate a host of considerations, ranging from anti-money laundering to consumer protection.

To address these issues, investors, experts, and regulators alike have called for greater regulatory clarity in the realm of DeFi. All eyes are on the federal financial regulators and Congress as those groups of policymakers attempt to navigate a novel and highly complex arena and to construct a workable regulatory regime. To date, much of the guidance provided so far on digital assets has focused on areas such as initial coin offerings, and not necessarily on DeFi. Although, if the recent public comments, enforcement interest, and stablecoin conversations among financial regulators are signs, that may change in the near-to-medium term.

REGULATORY ENVIRONMENT

Several regulators have weighed in with guidance relevant to DeFi developers and users. But the decentralized nature of DeFi makes it uniquely hard to regulate as rule makers are faced with the question of who, what, where, and how to regulate a rapidly changing space.

SEC Guidance

Given the wide range of regulators that oversee various corners of traditional financial services products, creating a robust DeFi regulatory framework will likely involve a significant amount of coordination among regulators.

In May, SEC Chair Gensler highlighted the number of challenges for investors and SEC staff posed by “[c]rypto lending platforms and so-called decentralized finance (‘DeFi’) platforms.”³⁵ Gensler also signaled that the SEC under his watch would “be ready to bring cases involving issues such as crypto, cyber and fintech,” in a speech to FINRA conference attendees.³⁶ Although much of the activity in DeFi is more akin to banking in nature (i.e. a significant amount of activity to date centers around borrowing, lending, and to a lesser extent, insurance), they involve a number of aspects that could bring them within SEC jurisdiction.³⁷ Gensler stated as much in his August 3 speech and August 5 letter to Sen. Warren, which directly asked for lawmakers to give the SEC more power to oversee crypto lending and DeFi platforms.³⁸

Aside from Chair Gensler, SEC Commissioner Hester Peirce has stood out among the commissioners in expressing views publicly about DeFi. Peirce, in comments pre-dating but similar to Gensler’s recent remarks, has stated that if a protocol intends to mimic securities or relate to asset management, it could be within the SEC’s purview. In March 2021, for example, Peirce stated, “if you set up some sort of decentralized exchange (DEX) or automated market maker (AMM) that is trading securities among other things, then you have to think about what the implications are there.”³⁹ (Commissioner Peirce has also proposed a three-year safe harbor proposal for token sales, although this proposal has not yet taken hold.⁴⁰)

The SEC’s enforcement activity also sheds light on the Commission’s thinking about Fintech, digital assets, and DeFi. In 2017, the SEC’s “DAO Report,” which stemmed from an investigation conducted by the SEC’s Enforcement Division, stated that offers and sales of digital assets could be subject to federal securities laws.⁴¹ What followed was a significant uptick in enforcement activity around the initial coin offering (“ICO”) boom. Between 2017 and 2021, the SEC brought close to 80 crypto-related enforcement actions, over half of which related to ICOs.⁴²

The SEC has so far only announced one enforcement action against a DeFi platform, and that case was really focused on the platform misrepresenting to investors how the platform was operating.⁴³ But the SEC also alleged unregistered sales of securities—violations of Sections 5(a) and 5(c) of the Securities Act of 1933—common allegations in the many enforcement actions brought against other digital asset businesses in recent years. Commentators in the space have noted that the SEC is looking very carefully at a number of DeFi projects, and as such, DeFi app developers should be mindful of the SEC’s understanding of, and approach to decentralization to avoid SEC scrutiny.⁴⁴

CFTC Guidance

The CFTC has also taken an interest in DeFi projects, some of which are within the CFTC’s regulatory purview. The CFTC first announced jurisdiction over digital assets in its 2015 CoinFlip order, in which it stated that it considered virtual currencies to be “commodities” as defined by the Commodity Exchange Act (CEA).⁴⁵ The CFTC’s jurisdiction over digital assets deemed commodities is not as far reaching as the SEC’s jurisdiction over securities. For example, the CFTC has exercised anti-fraud and anti-manipulation authority over virtual currencies that are traded as a commodity in interstate commerce or that are traded for future delivery, rather than immediate delivery. It also has more limited regulatory oversight over virtual currency spot markets that use margin, leverage, or financing.⁴⁶

In October 2020, the CFTC brought an enforcement action against BitMEX, one of the world’s largest crypto-based derivatives exchanges.⁴⁷ BitMEX was accused of allowing U.S. residents to transact without registering with the CFTC and failing to implement key safeguards required by the CEA and CFTC’s regulations. While BitMEX was not a DeFi project per se, charges against BitMEX for weak anti-money laundering and know-your-customer policies were warning signs for the world of decentralized finance.⁴⁸ Shortly thereafter, now-former CFTC chairman Heath Tarbert said during a CoinDesk event that the agency might be looking at other noncompliant cryptocurrency exchanges and DeFi projects.⁴⁹ On August 10, a federal court entered a consent order in the case that required five BitMEX entities to pay a $100 million civil monetary penalty.⁵⁰

Earlier this summer, Commissioner Dan Berkovitz also said in a public speech that unlicensed DeFi markets may be operating illegally in the United States.⁵¹ Berkovitz noted that the “CEA requires futures contracts to be traded on a designated contract market (DCM) licensed and regulated by the CFTC.” Berkovitz noted that there were no DeFi platforms registered as DCMs at that point. In July, Berkovitz noted that the DeFi space is getting a CFTC-wide review and that companies seeking to participate in the DeFi ecosystem should be consulting with regulators.