Though it may seem crypto and government have wildly different viewpoints, it is not actually so. Fundamentally we are all striving to create the same things: a safe, transparent, fair, and better financial system. The difference now is that we have both law AND code to make this happen.
I believe the time has come for the crypto industry to start putting forward our view of ideal DeFi regulation. Much effort has gone into ensuring DeFi is not killed in the US by being caught up in nonsensical-for-DeFi regulation. This is an important thing, but we must now shift the conversation to how DeFi should be regulated.
To policymakers: DeFi is fundamentally different from anything in the existing financial system. For the first time financial services can be offered by code and not intermediaries. We have an opportunity with DeFi to create a fundamentally better financial system. This will happen whether or not the US Government (or any other) steps up to create a reasonable regulatory environment. Given that, I would challenge policy makers to create new laws for DeFi both to help protect participants and so the US can continue to be the center of the global financial system long term.
To my crypto peers: your first reaction may be “Regulation?!?! Impossible, DeFi is just code!!”. To some extent, this is absolutely true. But common sense standards around things like self custody, disclosures, and security will make DeFi safer and more accessible to all. This proposal mostly reflects the standards the best DeFi protocols are already striving towards.
Principles
A principles-based approach allows regulation to adapt with the technology as it evolves. Principles-based approaches have precedent in financial regulation, for example the core principles outlined by the CFTC for DCMs & DCOs (i.e., exchanges and clearing organizations).
There is a lot of work to do to translate these principles into actual law. That will take time and effort, but I’m hopeful these will serve as a starting point for the conversation. I will focus on DeFi protocols rather than other aspects of crypto (including stablecoins, tokens, etc).
Consumer protection
User funds should be secured through safe and transparent mechanisms on DeFi protocols.
Self Custody
Users of DeFi protocols must be able to retain custody and control over their own assets at all times.
No central entity should be able to access user funds in a privileged way. No central entity should be able to deny users access to funds. DeFi protocols must publicly disclose the methods by which they achieve self custody for users, as well as any methods by which user funds can be influenced by a single or small number of central entities. Users may opt in to using third party custody solutions that fulfill applicable regulatory requirements.
Transparency
DeFi protocols must make reasonable efforts to provide tools to enable public third parties (including users, ecosystem participants, and law enforcement) to have a full understanding of the status of the protocol. This includes both financial soundness, metrics, user and protocol level auditability, and visibility into modifications to the DeFi protocol. This may come in the form of the data itself, or proofs guaranteeing the data (e.g. ZK proofs).
Open Source
Source code, including protocol and frontend, for DeFi protocols must be open source. Open source means that all source code is publicly available on a continuous basis. The open source code must match what is actively deployed. For any proposed code changes to DeFi protocols, the proposed new code must be open sourced in advance.
Sufficient Decentralization
Network participants of DeFi protocols must be sufficiently decentralized. Decentralized network participants refers to any network of entities that plays a critical role in the operation of the DeFi protocol. It may include, but is not limited to: miners/validators, keepers (liquidators, forwarders, etc.), governance token holders, and oracle price providers.
The required level of decentralization for each protocol and class of participant should vary based on the potential impact and structural feasibility of decentralization.
Disclosures
Users should have access to accurate and complete information about the DeFi protocols they can use.
Documentation
Easy to understand documentation that adequately describes the operation of both the protocol and any core technologies utilized by the protocol should be provided.
Documentation should match the actual operation of the protocol and its source code. If aspects of the DeFi protocol are modifiable via a governance or other mechanism, this must also be documented. Documentation must be made publicly available and kept up to date on a continuous basis.
Marketing Materials
Marketing materials distributed by key ecosystem participants (including DAOs, key network participants, investors, and core developers) must accurately reflect information about the DeFi protocol. Marketing materials must take care to only make claims that are not inconsistent with underlying source code, metrics, or usage of the protocol.
Data Accuracy
Data about DeFi protocol usage and metrics must be accurate. This includes both data that exists at the protocol level, as well as tools that make this data more human readable. Reasonable efforts should be made by developers of DeFi protocols to enable third party providers to surface relevant data from the protocol.
User Privacy
Public disclosures about what user data is public versus private should be provided. No central entity should have privileged access to user data that is not publicly available.
Protocol Disclosures
Disclosures related to risks, soundness, documentation, and privacy should be given on interfaces end users use to access a DeFi protocol. Frontend products should provide links to third party or decentralized tools that users can access to access information about the protocol, their accounts, and their transactions.
Decentralization
The level of decentralization for all relevant network participants (see “Sufficient decentralization”) should be publicly disclosed. Any areas of centralization (such as multisignature admin wallets or single sequencers) must be disclosed.
Market Integrity
DeFi protocols should be financially and technically secure.
Financial Soundness
DeFi protocols should publish documentation on all significant financial mechanisms used. This documentation should include sufficient explanations of financial soundness for these mechanisms. It should also include disclosures of any significant financial risks assumed by users of the protocol, and how the protocol mitigates these risks.
There should exist independent third party Self Regulatory Organizations that provide impartial analysis both to the public and regulators on the financial soundness risk level of popularly used DeFi mechanisms. Independent review of financial soundness should be required for major mechanisms of significantly used DeFi protocols. Results of reviews should be made public.
Robust Protections Against Manipulation
Developers of DeFi protocols must make reasonable efforts to minimize or eliminate the risk of manipulation of either the entire protocol or individual transactions. Disclosures for DeFi protocols must disclose known manipulation risk vectors and how they are mitigated by the protocol. Manipulation includes potential ways actors (e.g. malicious traders, validators, MEV extractors) could negatively impact the financial health of individual user accounts or the DeFi protocol as a whole.
For significantly-used DeFi protocols, independent third party review of potential manipulation vectors should be required. Results of reviews should be made public.
Code Correctness
Developers of source code must publicly disclose internal testing and code auditing practices that meet a high standard. All deployed code that may impact user funds must meet these standards.
Critical code that may impact user funds should be audited by an unaffiliated third party firm that meets reasonable industry standards. Developers of DeFi code should respond to all medium or high severity issues identified by auditors. Security audit reports should be made publicly available. Security auditors of code must publicly disclose all testing methods and issues found during a code audit.
Cybersecurity
Significant bug bounties commensurate with the scale of the DeFi protocol should be offered by core developers and/or other ecosystem participants. Legal protections should be given to “white hat” actors who act in good faith to responsibly disclose critical issues.
Equality of Access
All users should have equal access to DeFi protocols.
No Advantaged Participants
Developers of DeFi protocols should make all reasonable efforts to provide equal access to all market participants, subject to applicable legal restrictions. DeFi protocols should make publicly and equally available all major functionalities.
MEV
DeFi protocols should be developed to minimize, reallocate, or eliminate MEV. In places this is technologically or structurally impossible, this should be publicly disclosed and mitigation techniques should be described.
Criminal Activity
DeFi protocols should empower law enforcement, and be able to best recover from incidents.
Ease of Auditability
DeFi protocols should provide public tools that can be used by both law enforcement and independent third parties to understand usage and data that exists on the protocol. These tools should be sufficient to empower law enforcement to use verifiable data surfaced by the community to reasonably identify unlawful bad actors.
National Security
Entities hosting user interfaces for DeFi protocols should implement appropriate tools, such as wallet scanning and blockchain monitoring, in order to detect and deter bad actors. DeFi protocols should disclose publicly what measures they are taking, as well as what risk factors exist by nature of the technology.
Incident Disclosures
Developers of DeFi protocols must disclose on a reasonable timeline any incidents that have occurred on the protocol. This includes theft or loss of user funds, downtime of the network, significant manipulation of the protocol, and generally anything that materially affects in any way the normal and expected functionality of a DeFi protocol.
Incident Response
Core developers of DeFi protocols must publish disclosures on how they will handle significant classes of critical issues that may arise on their software. Developers and/or ecosystem participants of DeFi protocols should develop and test predefined procedures for responding to such incidents. In the event of an unlawful incident on a DeFi protocol, core developers and ecosystem participants should be prepared to provide expertise and guidance to law enforcement.
Innovation
DeFi should be able to be freely developed to promote competition.
National Competitiveness
The US should provide the clearest and most compelling regulatory environment to develop and operate DeFi protocols. It should aim to foster innovation here in the US, as well as create jobs. Proposed regulations should realize that DeFi is an inherently global technology, and that if the US is not competitive innovation and influence on DeFi’s growth will move overseas.
Permissionless
Proposed regulations should embrace the permissionless nature of DeFi. This includes allowing software development of DeFi protocols in a way that is not encumbered by requiring upfront registration, but rather through adherence to stated principles and regulations. The transparent nature of DeFi protocols makes it clear whether protocols are complying without the need for registration. Permissionless development and usage of DeFi protocols is a powerful force for innovation within finance and should be protected.
Competition
Regulation that encourages competition between DeFi protocols and intermediated financial systems should be encouraged. This will result in the best outcome and most choice for end users of the financial system.
Requirements for New Protocols
For DeFi protocols that have existed for less than two years and do not yet have significant user activity (“new DeFi protocols”), there should exist lower standards for certain requirements. This is to encourage innovation and encourage the power of permissionless development that is uniquely enabled by DeFi.
Access to user funds via multisig wallets may be used for new DeFi protocols. Generally, admin multisig wallets that can access user funds must not be used for more than a year post the launch of a given DeFi protocol. When multisig admin wallets are used, where and how they are used must be clearly publicly disclosed alongside their risks. A minimum quorum of at least 4 of 7 non legally affiliated entities must be used for multisig wallets that have access to user funds on DeFi protocols.
Independent review of financial soundness should not be required for new DeFi protocols. They should still be required to publish documentation on their proposed mechanisms and financial soundness.
The reward amounts for bug bounties offered by new DeFi protocols should be lower. Bug bounties and responsible disclosure programs should still be offered.
Requirements around MEV for new DeFi protocols should be lower. Disclosures for how MEV can affect the protocol should still be given.
Open Questions
DeFi is a fundamentally new form of finance. Given this, it’s impossible to provide proposed policy answers to every open question in this post. Here are some of the big ones I will aim to tackle in further posts:
Which entities should be responsible for the requirements outlined for DeFi protocols?
Should it be core developers, DAOs / governance participants, other ecosystem participants, someone else? Likely this will be different entities for different responsibilities.
What is the best strategy for translating these principles into law?
Can we define the terms used with more specificity? Are there edge cases this does not account for?
How should sufficient decentralization be defined?
How should we support the creation of Self Regulatory Organizations?
How do existing legitimate DeFi protocols fit into these proposed principles, and how do they compare to traditional market players?
Next Steps
I welcome all comments on my proposed principles, and will work to understand major feedback points both from lawmakers and the crypto community, and incorporate into future versions.
DeFi is early and isn’t going anywhere. This means we have a significant opportunity to take the time we need, and get this right. If we do, the US (and other jurisdictions that lead) will remain the center of influence for this new and growing area of finance.
DeFi will grow into a major sector of the global financial system in the next 10-20 years. New technologies usually take longer to build than people initially think. They also explode into significance fast when they do take off. DeFi already represents trillions of dollars of value transfer, and is just getting started. Let’s figure out together how to build DeFi into a safe, fair, and better financial system for both the US and the world.
Disclaimer
The views expressed are my own and should not be construed as legal, investment, or any other form of professional advice. The principles described above are meant to contribute to the global crypto policy conversation, and do not describe the current functioning of any particular DeFi protocol. For information about the open source dYdX protocol software, please consult the documentation available here. dYdX Trading Inc. (“dYdX”) does not operate or control any particular deployment of its v4 software, and use of dYdX software is subject to the dYdX Terms of Use and v4 Terms of Use. dYdX products are restricted in the United States, Canada, and in certain other jurisdictions as described in the Terms of Use.