Part A of this post offered a high-level overview of DeFi by focusing on one particular DeFi project, Sushiswap. In this Part B, the post will explore legal and compliance considerations that are made particularly salient by the unique characteristics of DeFi projects.
III. The Novel Legal Issues Posed by Sushiswap
A. Securities Law Issues
A primary legal consideration in these projects is the application of the federal securities laws. Though an in-depth discussion of the securities law status of Sushiswap, as a trading platform, or SUSHI, as a digital asset, is beyond the scope of this article, the project raises a similar fact pattern as many previous projects: a centralized team creating a platform and selling a blockchain-based asset to use on the platform, which then experiences an enormous increase and subsequent implosion in price. The assets associated with these types of projects are at risk of being deemed securities under the Howey test, the by-now familiar test to determine if novel assets are ‘investment contracts’ and thus securities for purposes of US federal securities laws.
Sushiswap poses several novel twists to this familiar fact pattern. For example, SUSHI was issued to users in return for providing liquidity for certain trading pairs on Uniswap. Does providing liquidity to a decentralized exchange, in which the underlying tokens can be withdrawn at any time, constitute an investment of money under Howey? Is there an expectation of profit where a liquidity provider receives pro-rata transaction fees for trades in their liquidity pools or LP tokens that can be monetized on other platforms (eg, by using them as collateral for leveraged trading)? Similarly, is there an expectation of profit where a platform awards governance tokens merely for past use of the platform, as several other DeFi platforms have done? Even outside of the Howey context, governance tokens, which give holders the ability to direct the decision-making of an enterprise, present a similarity to traditional securities like common stock.
Additionally, as designed, SUSHI would become more valuable as more users provided SUSHI-based liquidity on Uniswap. Does this mean that the efforts of NomiChef, arguably limited to merely designing a Uniswap fork and then releasing it into the wild, were dwarfed by the efforts of SUSHI holders themselves? This could bear on the expectation-of-profit element of Howey, as SUSHI holders’ expectations of profits were arguably focused on the efforts of a decentralized group of users rather than on the efforts of an identifiable founding team. If Sushiswap or other DeFi projects come under SEC scrutiny, they will likely employ these types of decentralization points to argue that their tokens are not securities, but in practice (and despite their name) DeFi projects exhibit certain centralized features. All of the Sushiswap smart contracts were, for example, controlled by NomiChef, and SUSHI holders were focused on NomiChef’s behavior, as evidenced by the decision of many SUSHI holders to sell their stakes when NomiChef sold his. The fact that Sushiswap is built on existing open-source code, as opposed to new code, may be a factor that a regulator takes into account, but such a factor will not dissuade a regulator from employing the Howey test and scrutinizing whether a centralized group of developers performed or oversaw tasks that are necessary for the network (or its governance token) to achieve or retain its intended functionality.
If SUSHI were deemed a security, this would have severe effects on NomiChef, Sushiswap and other participants in the ecosystem. For example, NomiChef’s issuing of SUSHI would therefore be an illegal offering of unregistered securities in violation of Section 5 of the Securities Act, which requires registration statements to accompany any offer or sale of securities unless an exemption applies.
Further, users buying and reselling SUSHI could be at risk of acting as statutory underwriters—persons who have ‘purchased [a security] with a view to [the security’s] distribution’, whose sales would also be prohibited under the federal securities laws (Securities Act Section 2(a)(11)). Depending on the extent of their SUSHI trading activities, users could also be at risk of operating as unregistered brokers, persons ‘engaged in the business of effecting securities for the account of others’, or dealers, persons who are ‘engaged in the business of buying and selling securities…for the person’s own account’ as part of their ‘regular business’, in violation of Section 15 of the Exchange Act.
Sushiswap itself could be found to be operating an unregistered securities exchange. The Exchange Act defines an exchange as an entity that ‘constitutes, maintains, or provides a market place or facilities for bringing together purchasers and sellers of securities’, with certain exceptions not applicable here (Exchange Act Section 3(a)(1)). Obviously, if SUSHI were deemed a security, the way that Sushiswap connects SUSHI buyers and sellers could fall into the definition of an exchange. And even if SUSHI were not deemed a security, Sushiswap could still be an ‘exchange’ if any of the tokens for which it connects buyers and sellers were deemed to be securities. These same activities could also cause Sushiswap to be deemed a broker or dealer, under the definitions provided above. And there is already significant precedent for the SEC’s application of the Exchange Act to these types of activities—in 2018, it brought an action against the founder of EtherDelta, a DEX that facilitated millions of ERC-20 token transactions, for operating an unregistered securities exchange, and in 2019, it filed a complaint against ICOBox and its founder for operating as an unregistered broker for its clients’ ICOs.
Finally, transactions in SUSHI would be subject to the Exchange Act’s antifraud statutes, Section 10(b) and Rule 10b-5, which prohibit fraud and manipulation in securities transactions. This could include, for example, purchases or sales of SUSHI by Sushiswap insiders who were aware of and did not disclose material non-public information about the project, or any untrue statements of material facts about the project by NomiChef made in connection with SUSHI transactions (or transactions in any other security).
It is worth noting that Sushiswap shares certain aspects of its design with many other DeFi actors (not only because it is a fork of Uniswap). For example, many other DEXs and DeFi projects offer governance tokens in exchange for liquidity provision, which, like SUSHI, are structured to increase in price as they are more widely used for this purpose. If SUSHI or similar tokens are deemed to be securities, this would not only jeopardize those similar projects but also earlier DEXs like Uniswap, which facilitate transactions in those tokens. As a result, securities law questions will almost certainly be confronted by the DeFi ecosystem in some way or another.
B. Money Transmission
Sushiswap and other DEXs facilitate trades in virtual currencies that are ‘convertible virtual currencies’ (‘CVCs’) under guidance issued by the Financial Crimes Enforcement Network (‘FinCEN’). This suggests that these platforms could implicate federal money-transmission laws.
CVCs are virtual currencies that have ‘an equivalent value in real currency’ or which ‘act […] as a substitute for real currency’. CVCs can include virtual currencies with a centralized issuer or those issued according to a decentralized mechanism. Generally, federal money-transmission compliance obligations apply to an ‘exchanger’, a person engaged as a business in the exchange of virtual currencies for real or virtual currencies, or an ‘administrator’, a person engaged as a business in issuing a virtual currency and who has the ability to redeem such virtual currency, if the exchanger or administrator accepts and transmits CVC or buys or sells CVC. A DEX that enables users to exchange virtual currencies, including CVCs, and which operates as a business could therefore be construed as a money transmitter under federal law.
FinCEN’s guidance, however, notes that DEXs may be exempt from these laws if they merely ‘provide […] a forum where buyers and sellers of CVC post their bids and offers (with or without automatic matching of counterparties)’, and the parties to the transaction settle using unhosted wallets. This would appear to apply to many DEXs, but the guidance warns that exemptions like this one are ‘interpret[ed] strictly’, and an exemption will not be available if a certain DEX business model or activity ‘does not conform fully to an exemption’. DEX operators should therefore ensure that their platforms match all of the details described in the guidance.
C. Commodity Law and Bank Secrecy Act Issues
Recently, the US Commodity Futures Trading Commission (the ‘CFTC’) and the US Department of Justice (the ‘DOJ’) have brought civil and criminal charges, respectively, against BitMEX, a centralized cryptocurrency exchange, for failure to register with the CFTC as a derivatives trading platform and violation of the US Bank Secrecy Act. A careful analysis must be done with respect to the operations of each DEX to determine whether any of its activities, functionalities or trading mechanisms would constitute a regulated activity of a futures commission merchant (‘FCM’). An FCM by definition is a ‘financial institution’ under the US Bank Secrecy Act, which is required to comply with the US Bank Secrecy Act, including implementing and maintaining an adequate anti-money laundering program (31 USC §5311 ff). Individuals responsible for managing a DEX that is deemed an FCM may be found criminally liable to the extent they have caused such DEX to not comply with the US Bank Secrecy Act.
D. Enforcement Considerations
The relevance of all of the above observations will ultimately depend on the ability of regulators or law enforcement to locate NomiChef and the various other participants in Sushiswap. It is doubtful that Sushiswap has organized itself using any kind of formal corporate structure, and though there have been rumors about NomiChef’s identity, no identity has yet been confirmed.
Regulators would therefore need to track down relevant individuals using other methods. For example, DeFi projects suffering hacks have had success identifying their attackers by analyzing on-chain activity. Most recently, bZx suffered an $8 million hack but was able to identify the hacker and convince him or her to return the stolen funds. Regulators could perform similar analyses to discover major Sushiswap participants, including by using forensic blockchain analysis tools to review on-chain transactions or scrutinizing fiat off-ramps used to monetize project insiders’ crypto-denominated profits, but Sushiswap would nonetheless be a somewhat more complex enforcement target.
IV. DeFi and the Evolution of Blockchains
Sushiswap demonstrates the need for more effective governance controls around DeFi projects, even (and especially) if projects are run by anonymous teams. Effective governance for these projects will require a greater range of mechanisms than simply multi-sig smart contracts, which require multiple pre-designated key-holders to sign off on changes to the project. While multi-sig smart contracts are useful for allocating control over a given project, a goal for the ecosystem should be to enable different types of control for its various stakeholders. For example, the governance goals of a project’s founding team can diverge from the project’s tokenholders’, as NomiChef’s decision to abscond with ecosystem funds dramatically demonstrates.
A related observation is the surprising effectiveness of informal governance mechanisms in DeFi. For example, the Sushiswap community was able to convince NomiChef to return the funds he attempted to cash out of the project, and bZx was similarly able to convince its hacker to return the stolen funds. Sushiswap was also able to transition to multi-sig governance in an ad-hoc, community-defined process, and now appears to be enjoying a relative period of stability. The growth of DeFi will likely drive the adoption of governance through dispute resolution processes for DeFi communities, enabling these projects to manage unexpected events like smart contract bugs or engage in more sophisticated types of governance than pure tokenholder. The use of third-party audits is another type of informal governance mechanism, but many DeFi projects—including Sushiswap—reject the idea that projects must have audits before launch, under a ‘do your own research’ mentality. And even where projects are audited, audits may not uncover critical technology issues, such as in the case of the bZx hack.
As DeFi has continued its enormous growth, the Ethereum network—where most DeFi activity is taking place—is struggling to keep up. Most or all mechanics of any given DeFi project occur through on-chain activities, and each such activity costs gas. On Ethereum, gas functions somewhat like an auction for the right to use the Ethereum blockchain for executing smart contracts. As DeFi projects have proliferated rapidly, gas prices—representing demand for the right to use the blockchain—have grown at an equally rapid pace. This has made it too expensive for many non-DeFi projects to interact with the blockchain and makes certain DeFi-related activities prohibitively expensive.
For example, many of the existing DeFi governance mechanics described above, like token-holder voting, cost gas, exacerbating the governance challenges faced by the projects. Projects like Sushiswap raise the question of whether the majority of DeFi activity is a worthwhile use of limited network resources, or if some DeFi projects are a kind of spam optimized to attract as much attention (and capital) as possible in an extremely short amount of time, with no underlying purpose other than a profitable exit for early sellers.
Fortunately, the community is now extremely focused on creating ‘Layer 2’ solutions to Ethereum’s network congestion. These would enable projects to interact with Ethereum in more efficient ways (eg, by netting certain operations and sending the result to the blockchain, rather than sending each individual sub-operation to the blockchain). And even more broadly, the community is starting to consider new Layer 1 options to address Ethereum’s underlying scalability limitations. Both initiatives could empower the evolution of more sophisticated DeFi governance mechanisms, described above.
The technologies driving DeFi are the same that have enabled past periods of rapid innovations in the industry, but also massive speculative manias and prolific violations of law. While some may argue that the participant base of DeFi fundamentally differs from that of the 2017-2018 ICO bubble, this argument falls short of being persuasive since retail investors are generally able to purchase and sell governance tokens at centralized exchanges. And like the 2017-2018 ICO bubble, the underlying lesson for DeFi projects is the same—new technologies are nonetheless subject to existing law. Teams considering whether to launch DeFi projects should make compliance with applicable law a priority.
But there is another, more hopeful theme that unites today’s DeFi craze with the ICO bubble: periods of high innovation result in lasting technological improvements. For example, the ICO bubble resulted in the emergence of the ERC-20 standard as a way to easily launch new products on top of Ethereum, which has fueled a substantial amount of growth for that platform. Similarly, DeFi could drive the emergence of a dominant governance standard, serving as the foundation for new types of blockchain-based communities, or more efficient ways to manage gas prices, enabling a wider variety of projects to access Ethereum. Ultimately, however, the usefulness of these innovations will depend on whether today’s innovators structure their projects in legally compliant ways.
Joon Kim is General Counsel of O(1) Labs. O(1) Labs leads the building of Mina (formerly known as Coda), which is a lightweight Layer 1 blockchain protocol focused on payment.
 See In the Matter of Zachary Coburn, Exchange Act Release No. 84553 (Nov 8, 2018).
 See Complaint at ¶ 1, SEC v. ICOBox, No. 2:19-cv-08066 (C D Cal Sept 18, 2019).
 An FCM is an individual, association, partnership, corporation, or trust that is (i) engaged in soliciting or in accepting orders for regulated transactions including futures, swaps, commodity options, or retail commodity transactions, or (ii) acts as a counterparty to retail commodity transactions; and which, in connection with these activities, ‘accepts any money, securities, or property (or extends credit in lieu thereof) to margin, guarantee, or secure any trades or contracts that result or may result therefrom.’ Section 1a(28)(A) of the Act, 7 U S C § 1a(28)(A) (2018).