the common meaning of ‘decentralized’ as applied to blockchain systems functions as a veil that covers over and prevents many from seeing the actions of key actors within the system. Hence, Hinman’s (and others’) inability to see the small groups of people who wield concentrated power in operating the blockchain protocol. In essence, if it’s decentralized, well, no particular people are doing things of consequence.
Going further, if one believes that no particular people are doing things of consequence, and power is diffuse, then there is effectively no human agency within the system to hold accountable for anything.
In other words, it is a means for the system's insiders to evade responsibility for their actions.
If the system were truly decentralized, with a large number of insiders none of whom had significantly more power over it than any other, this veil might be effective. But this is never the case in the real world. As I described in Are Blockchains Decentralized?, based on Prof. Walch's work, the report from Trail of Bits and Kwon et al.'s Impossibility of Full Decentralization in Permissionless Blockchains, there are always loci of control behind the veil for regulators to address.
Below the fold I discuss recent moves by US regulators that indicate they agree.
In its complaint, the regulator noted that the ETH sent to Balina was “validated by a network of nodes on the Ethereum blockchain, which are clustered more densely in the United States than in any other country.” The SEC then concludes: “As a result, those transactions took place in the United States.”
The SEC appears to be suggesting that, because more of Ethereum’s validating nodes currently operate in the United States than in any other country, all Ethereum transactions globally should be considered of American origin. Currently, 45.85% of all Ethereum nodes operate from the United States, according to Etherscan. The second-greatest density of nodes is in Germany, with only 19%, by comparison.
Under Gensler, the SEC has yet to take an official stance on Ethereum, despite leadership within the Commission under the previous administration suggesting that Ethereum was “sufficiently decentralized” and therefore not a security. But if the SEC were to ever claim that Ethereum was an unregistered security, Fyre doubts the courts would stand in its way.
“I can see judges absolutely accepting that, sure: Ethereum is substantially located in the United States, insofar as it's run on a bunch of computers, and a bunch of those computers are in the United States,” said Fyre. “That's events occurring in the United States. No problem.”
Staking is already as centralised as mining. The Lido staking pool plus the Coinbase exchange plus the Kraken exchange add up to over 54% of total stake.
Coinbase and Kraken (and a number of other exchanges and pools) are US entities. It isn't just their location that provides leverage for the regulators, it is potentially also the legal status of Proof of Stake. Molly White reported that Hours after Ethereum transition to proof-of-stake, SEC Chair says PoS crypto could be classed as securities:
In the early hours of September 15, Ethereum completed "The Merge" – the long-awaited transition from its original proof-of-work consensus mechanism to proof-of-stake. Later that day, SEC Chairman Gary Gensler pointed to the staking mechanism as a signal that an asset might be a security as determined by the Howey test.
There has been much discussion over whether cryptocurrencies in general or individually should be considered securities, commodities, or possibly even something else. Broadly, people within the crypto community don't want to see the assets fall under SEC jurisdiction, as the SEC is seen as much less friendly to the industry than the CFTC.
Lydia Beyoud's SEC Chair Gensler Raises Concerns Over ‘Staking’ Model on Ethereum added detail:
On Thursday, Gensler took issue with a feature of Ethereum’s new upgraded blockchain, which has been dubbed the “Merge.” He said that a process known as “proof-of-stake,” in which coin holders can earn financial rewards by allowing a network to use some of their assets, could fall under securities rules. Ether had used the “proof-of-work” method that Bitcoin uses to run its blockchain.
Crypto firms are seeking to avoid the security label because it carries investor-protection requirements that many say are incompatible with the asset class. “There is a full disclosure obligation on these projects,” Gensler told reporters.
It seems obvious that staking, especially via an exchange or staking pool, satisfies the Howey test by generating income. It is less obvious that ETH itself is a security, as it doesn't generate income but rather, in its inevitable progress moonwards, capital gains. But many stocks clearly satisfy the Howey test despite not offering dividends.
Layered on top of Ethereum and other blockchains are Decentralized Autonomous Organizations (DAOs) such as DeFi protocols. Most try to maintain the illusion of decentralization by ceding control to the holders of "governance tokens", who must vote on the operations of the DAO. Consider a DAO 100% of whose governance tokens were held by a single entity, as would be the case at launch. Clearly, that entity would be responsible for the DAO. Similarly, an entity holding 51% of the governance tokens would be responsible. Again, consider a DAO 51% of whose governance tokens were held by three entities, who would be jointly responsible for the DAO.
There is a reasonable argument that the holders of a DAO's governance tokens are jointly and severally responsible for it. If there were a large number of holders none with significantly more than any others it would be difficult to enforce regulation upon them. But the extreme Gini Coefficients of cryptocurrencies and the need for most users to operate via exchanges, which hold tokens on their behalf, mean that in practice only a small number of holders effectively control the DAO. Enforcing against these few whales is feasible, and would drag the smaller holders in.
The industry-friendly CFTC appears to agree. They recently took action against a centralized platform:
The Commodity Futures Trading Commission today issued an order simultaneously filing and settling charges against respondent bZeroX, LLC (bZeroX) and its founders Tom Bean (Bean) and Kyle Kistner (Kistner) (collectively, respondents) for illegally offering leveraged and margined retail commodity transactions in digital assets; engaging in activities only registered futures commission merchants (FCM) can perform; and failing to adopt a customer identification program as part of a Bank Secrecy Act compliance program, as required of FCMs.
The respondents engaged in these activities in connection with a decentralized blockchain-based software protocol that functioned similarly to a trading platform. The order requires the respondents to pay a $250,000 civil monetary penalty and to cease and desist from further violations of the Commodity Exchange Act (CEA) and CFTC regulations, as charged.
bZeroX wasn't really decentralized, being an LLC. But they tried to evade regulation by adding decentralization, to no avail:
Simultaneously, the CFTC filed a federal civil enforcement action in the U.S. District Court for the Northern District of California charging the Ooki DAO—a decentralized autonomous organization and successor to bZeroX that operated the same software protocol as bZeroX—with violating the same laws as the respondents. The CFTC seeks restitution, disgorgement, civil monetary penalties, trading and registration bans, and injunctions against further violations of the CEA and CFTC regulations, as charged.
As the order finds and as alleged in the complaint, on approximately August 23, 2021, bZeroX transferred control of the bZx Protocol to the bZx DAO, which subsequently renamed itself and is currently doing business as the Ooki DAO. The Ooki DAO operates the Ooki Protocol (formerly the bZx Protocol) in the exact same manner as bZeroX and thus is continuing to violate the law in the same manner as bZeroX. By transferring control to a DAO, bZeroX’s founders touted to bZeroX community members the operations would be enforcement-proof—allowing the Ooki DAO to violate the CEA and CFTC regulations with impunity, as alleged in the federal court action. The order finds the DAO was an unincorporated association of which Bean and Kistner were actively participating members and liable for the Ooki DAO’s violations of the CEA and CFTC regulations.
I don't know what proportion of the Ooki governance tokens were held by Bean and Kistner, but any other holders were probably also "actively participating members" of the "unincorporated association", at least if they ever cast a vote.
Note also that, as I discussed in Responsible Disclosure Policies, there is almost certainly some mechanism for controlling (or at least stopping) the Ooki DAO that operates faster than a governance vote. If there isn't, the first vulnerability discovered in its code base will result in its HOLD-ings being stolen. Those in control of such a mechanism would be prime candidates for being "actively participating members".
Matt Levine reports on another SEC enforcement action, this time against The Hydrogen Technology Corporation:
The SEC’s complaint alleges that starting in January 2018, [former CEO Michael Ross] Kane and Hydrogen, a New York-based financial technology company, created its Hydro token and then publicly distributed the token through various methods: an “airdrop,” which is essentially giving away Hydro to the public; bounty programs, which paid the token to individuals in exchange for promoting it; employee compensation; and direct sales on crypto asset trading platforms. The complaint further alleges that, after distributing the token in those ways, Kane and Hydrogen hired Moonwalkers, a South Africa-based firm, in October 2018, to create the false appearance of robust market activity for Hydro through the use of its customized trading software or “bot” and then selling Hydro into that artificially inflated market for profit on Hydrogen’s behalf. Hydrogen allegedly reaped profits of more than $2 million as a result of the defendants’ conduct.
John Reed Stark, a former Chief of the SEC's Office of Internet Enforcement now lecturing at Duke University Law School, lays out An SEC Enforcement Program For Policing WEB3 now the:
newly renamed Crypto Assets and Cyber Unit (formerly known as the Cyber Unit) in the SEC Division of Enforcement will grow to 50 dedicated positions.
He proposes a:
multi-faceted SEC Web3 enforcement program focusing on 1) aggressive enforcement, with sweeps, SWAT teams, and the use of expedited and omnibus formal orders; 2) heightened Web3 surveillance; 3) coordinated regulatory cooperation and law enforcement liaison efforts; 4) nationwide educational initiatives; and 5) incentivized self-policing.
His discussion of self-policing is especially interesting:
self-policing in the context of Web3 securities fraud has proven a valuable source of help in discovering Web3-related frauds. A remarkable online culture of self-policing exists among individual users who resent the intrusion of crooks and thieves. The SEC must tap into this culture, encouraging users to report dubious Web3-related conduct, offerings, or other suspicious behavior.
Not only do users typically include the relevant names, addresses, phone numbers, and other pertinent information concerning the persons and entities involved, but complainants have also often undertaken some cyber sleuthing of their own (using all the latest available Internet tools), adding digital reams of useful and even inculpatory evidence.
For example, while Reddit, Telegram, and Twitter initially helped drive the meme-stock craze, now users on the sites channel that same energy into helping victims. Users routinely report diligently on several crypto bankruptcy cases, including Celsius and Voyager, “tapping into the huge social media communities that already exist for both platforms, urging users to write letters to the judge overseeing Celsius’s case, pooling funds for legal representation as well as sharing news and advice.”
The most important development of all relating to self-policing is the SEC’s whistleblower rewards program, which has become an extraordinary success and a notable supplement to the SEC’s investigative wherewithal. The SEC’s whistleblower provisions have even spawned the creation of a cottage industry of former SEC lawyers who now work on a contingency fee basis, helping whistleblowers navigate the complaint submission process.
The focus of the Financial Stability Oversight Council's recent Digital Asset Financial Stability Risks and Regulation is on regulating the markets and the players in them, not on regulating the underlying technology. Their Fact Sheet about the report explains that they identified three regulatory gaps:
- First, the spot markets for crypto-assets that are not securities are subject to limited direct federal regulation. As a result, those markets may not feature robust rules and regulations designed to ensure orderly and transparent trading, prevent conflicts of interest and market manipulation, and protect investors and the economy more broadly.
- Second, crypto-asset businesses do not have a consistent or comprehensive regulatory framework and can engage in regulatory arbitrage. Some crypto-asset businesses may have affiliates or subsidiaries operating under different regulatory frameworks, and no single regulator may have visibility into the risks across the entire business.
- Third, a number of crypto-asset trading platforms have proposed offering retail customers direct access to markets by vertically integrating the services provided by intermediaries such as broker-dealers or futures commission merchants. Financial stability and investor protection implications may arise from retail investors’ exposure to certain practices commonly proposed by vertically integrated trading platforms, such as automated liquidation.
Note that they understand that, in practice, access to the underlying technology is mediated by platforms and businesses that are necessarily centralized and subject to regulation, once some legislative loopholes are closed. They recommend:
- the passage of legislation providing for rulemaking authority for federal financial regulators over the spot market for crypto-assets that are not securities;
- steps to address regulatory arbitrage including coordination, legislation regarding risks posed by stablecoins, legislation relating to regulators’ authorities to have visibility into, and otherwise supervise, the activities of all of the affiliates and subsidiaries of cryptoasset entities, and appropriate service provider regulation; and
- study of potential vertical integration by crypto-asset firms.
Alas, as Allyson Versprille reports in Crypto Overhaul Fizzles in Congress, Leaving Industry and Investors in Limbo, Congress is, as usual, incapable of effective action:
US lawmakers’ efforts to pass significant crypto legislation by the end of the year are on life support, leaving in place Washington’s scattershot approach to digital coins.
Several high-profile, bipartisan bills that once seemed to have a promising shot of passing before the end of 2022 are held up, with congressional committees pushing off important votes. And now with lawmakers squarely focused on next month’s elections, their chances of becoming law in 2022 have all but evaporated.