A surprise regulatory order last week signals Washington has run out of patience with decentralized finance’s skirting of rules around tying customer identity to transactions.
Why it matters: The crypto industry has been, from its earliest days, a protest against the rules tying all financial transactions to real identities. Such rules became the norm after 9/11, but fans of bitcoin and subsequent technologies have been partly motivated by seeing how far they could push them.
Driving the news: The Commodities Futures Trading Commission (CFTC) Thursday said it settled charges against bZeroX, LLC, the maker of a blockchain-based software protocol, and its successor decentralized autonomous organization, Ooki DAO.
- The CFTC’s complaint specifically cites the failure to collect customer identities as one of its three counts against the parties.
The big picture: The news follows last month’s sanctioning of Tornado Cash, making it illegal for anyone in the U.S. to use that anonymity technology for financial transactions.
- Because bZeroX didn’t go nearly so far as Tornado Cash, the CFTC’s order suggests the government is ready to demand much more compliance from crypto.
The intrigue: The crypto industry has long considered the CFTC as the “friendlier” crypto agency, which has led members of the industry to support the Digital Commodities Consumer Protection Act, which leans more in that agency’s favor, rather than backing the Securities and Exchange Commission.
Details: The CFTC presented evidence that the creators of the protocol, bZx, marketed it as a service where traders could transact without posting their identity.
- Be smart: Smart contract blockchains don’t provide perfect anonymity, but, for a sophisticated user determined to hide, it can take considerable resources to match a blockchain address with a person.
Context: The bZx protocol allows anyone to make leveraged bets on the future value of a token in a trustless fashion — meaning without an intermediary.
- It was able to do this with smart contracts on a blockchain, secured by the traders’ own crypto collateral. By using a smart contract, the trade was operated automatically, and everything about it was transparent to all users.
Typically, the CFTC monitors markets like that in the U.S., but the complaint alleges that the creators of the bZx protocol attempted to skirt those rules.
- They did it, the CFTC contends, by turning the software over to a decentralized autonomous organization (DAO), controlled by those who held its associated governance token.
Between the lines: There are two kinds of smart contracts on the original smart contract blockchain, Ethereum — those that can be upgraded or changed, and those that can’t.
- The creators turned control of the bZx protocol over to a DAO in August 2021, but the team that created it controlled a significant amount of the token that governed it, BZRX.
- After the DAO launched, there was a lot of token juggling and token issuing (as noted in footnote 9 of the consent order) making it tough to follow from the outside.
Flashback: The bZx protocol has been robbed several times. Attackers manipulated it to unfairly take profits as if the market had made moves that it hadn’t actually made.
- Attackers made off with about $1 million worth of ether across two separate incidents in February 2020. There was an $8 million breach later that year, but all funds were subsequently recovered.
- The largest incident occurred in late 2021, when $55 million was stolen.
- Of note: Each of these incidents required the attacker to make trades on the protocol. The CFTC argued that if user identities had been required, then the cyber criminals’ identities in each case would have been known.
State of play: The founders and their company, bZeroX, had to pay a $250,000 fine and quit participation in the Ooki DAO.
- The founders, under terms of their settlement, declined to comment to Axios.
- One of the commissioners, Summer K. Mersinger, dissented from the decision, but not on the grounds of requiring identity. In fact, she notes in her dissent that she has no problem with such findings.
What we’re watching: More orders could come down on other DeFi protocols built and operated from the U.S. that don’t require users to name themselves.
- Or, they could simply begin complying without being asked.
The bottom line: Companies are lining up to profit if DeFi decides it likes money more than cypherpunk principles.
