IOSCO DeFi WG Report

Below the fold is the discussion of Policy Reccomendations for Decentralized Finance (DeFi): Colsultation Report that in promised in Brief Remarks to IOSCO DeFi WG.

I concluded my remarks by saying:

It would seem to be an existential issue for regulators if they can be rendered ineffective simply by smearing operations out across a large number of supposedly but not actually independent computers.

The core of this report is that IOSCO took on board the message that they got from many of the experts that they consulted, including me, namely that "decentralization" is, in Prof. Angela Walch's words:

the common meaning of ‘decentralized’ as applied to blockchain systems functions as a veil that covers over and prevents many from seeing the actions of key actors within the system.

This is evident in Recommendation 2 – Identify Responsible Persons on Page 26:

A regulator should aim to identify the natural persons and entities of a purported DeFi arrangement or activity that could be subject to its applicable regulatory framework (Responsible Person(s)). These Responsible Person(s) include those exercising control or sufficient influence over a DeFi arrangement or activity.

Footnote 44 cites the Financial Action Task Force:

Indicia of control or influence can include, for example, ownership interest; significant financial interest; significant voting rights; management of or the ability to impact the operations of the protocol at an enterprise or fundamental level; the ability to set permissions or access rights for users of the protocol, or to otherwise impact the rights of other users of the protocol; control over user assets; and the ability to enter into agreements for the protocol or enterprise.

Thus the report is not fooled by the claim of "decentralization" but suggests a wide range of criteria for identifying the loci of control over a DeFi protocol.

In conducting this analysis, a regulator should carefully examine any claim that the arrangement or activity is purportedly decentralized to the point that no persons or entities are responsible and should subject Responsible Persons to its applicable regulatory framework.

The report notices that "decentralizing" governance of a protocol via, for example, voting among holers of a governance token doesn't absolve Responsible Persons of responibility:

When considering persons and entities that may be Responsible Persons, it is important to note that governance mechanisms currently used for DeFi arrangements are not self- implementing. Human involvement typically is necessary to effectuate governance decisions, or to translate and implement proposals to make changes to a project’s protocol, smart contracts or other code into usable code. So those making such proposals often must rely on others with technical control and skill (i.e., administrative access and requisite technical capability) to implement governance decisions. Code could also be designed and updated through the deployment of automated methodologies – including those that utilize artificial intelligence or other technologies. For such cases, the person or entity that is responsible for deploying or using such methodologies could also be considered in the assessment of Responsible Persons.

Recommendation 4 concerns cryptocurrency's epidemic problem of conflicts of interest:

Many DeFi arrangements and activities today are being conducted in a manner that presents conflicts of interest. DeFi participants may be acting in roles and capacities that create conflicts of interest. Such conflicts can arise, for example, if the provider of a DeFi product or service itself has a financial interest derived from user or third-party activities, an ownership interest in a related third-party, or a favorable arrangement with a particular related party. In particular, the provider may take advantage of their control or influence over the governance of the DeFi arrangement to promote proposals or initiatives that inure to their benefit financially. Conflicts could also arise if the provider is engaged in multiple activities in a vertically integrated matter, either themselves or with affiliated parties. For example, the provider may operate a trading platform while simultaneously being a counterparty to transactions with a user as a market maker or employ technologies like bots or algorithms to transact with users. Indeed, a fundamental conflict may exist if developers, founders and early investors lack the incentive to maintain a project after receiving an initial investment and are instead incentivized to exit the project.

See List And Dump Schemes for examples of the last sentence. These conflicts of interest normally explain why the Resposible Persons want to retain "control or influence" behind the veil of decentralization; they are how they make money rip off retail customers.

One of the conflicts of interest the report discusses in detail, on Page 32 and in Annex B, is Miners' Extractable Value (MEV):

the ability to reorder, insert, and otherwise control transactions enables conduct that in traditional markets would be considered manipulative and unlawful.

See Miners' Extractable Value for a discussion of how MEV became a feature not a bug (spoiler: because there was no way to stop it).

Recommendation 5 concerns operational risks:

DeFi arrangements and activities introduce unique operational and technological risks, including those stemming from the underlying DLT, smart contracts and protocols, governance structures, oracles, and bridges. These risks can arise from any one layer of the tech stack that underlies DeFi, as well as from interdependencies between and among those layers of the tech stack. ... These include, among others, risks arising from the operational interconnectedness of DeFi, due in part to the composability and modularity inherent to DeFi protocols; the proliferation of exploits targeting vulnerable code across protocols’ similar code; and a concentration of critical service providers and other participants within DeFi.

Molly White's Web3 is Going Just Great provides an invaluable resource tracking, among others, attacks on bridges and oracles. I'm planning a post on The oracle problem and the future of DeFi by Chanelle Duley et al from the Bank for International Settlements. Citing Chainalysis, they note that:

In 2022, DeFi protocols lost $403.2 million in 41 separate oracle manipulation attacks

The report cites Chainalysis as estimating that:

64% of the $3.1 billion stolen from DeFi protocols in 2022 was attributable to cross-chain bridges

The report's Annex E discusses these risks in detail; all the Annexes are well worth reading..

The body of the report ends with a set of 10 questions for public comment. Those to which I have a substantive response are:

4. Do you agree with the risks and issues around DeFi protocols identified in this Report? ... How can market participants help address these risks and/or issues, including through the use of technology? There are two big problems with this question:
   
   • The whole point of cryptocurrencies and DeFi in particular is to evade regulation. The "risks and issues" are the things that make "market participants" profitable. Thus "market particpants" are not motivated to address them.
   • The "risks and issues" cannot be mitigated by applying technological fixes, because their cause is economic not technical. They are fundamental to any permissionless system. Because the security of the system depends upon its being expensive, economies of scale will be very powerful and will inevitably lead to centralization. Centralized systems whose loci of control lack accountabilty will inevitably suffer these kinds of "risks and issues". Providing accountability of the loci of control requires the ability to dedny permission, which in permissionless systems is impossible.
5. Do you agree with the description of data gaps and challenges in the Report? ... How can market participants address these data gaps and challenges, including through the use of technology? For the reasons outlined above "market participants" are not motivated to provide regulators with timely and accurate data that would be ammunition for reducing their profits.
   
   How would you suggest IOSCO members address data gaps and challenges? Given this adversarial situation, the best that regulators can do is to rely on the third-party data sources such as Chainalysis and DataFinnovation. While it is clearly important for regulators to understand what is happening, their important task is to identify the loci of control and impose accountability upon them. Thus the key use of data is deanonymization. These third party services are reasonably successful at deanonymizing wallets, but the more successful regulators are at using them, the greater the incentive to improve anonymity techniques including the use of currencies such as Monero and Zcash, or mixers such as Tornado Cash.
8. Given the importance of the application of IOSCO Standards to DeFi activities, are there technological innovations that allow regulators to support innovation in DeFi/blockchain technologies while at the same time addressing investor protection and market integrity risks? This is the most worrying sentence in the entire report. The task of regulators is to prevent harm to the public not to "support innovation", least of all to support innovation in a technology whose goal is to evade regulation. The harm to the public arises directly from the use of permissionless systems to evade accountability. What the public needs regulators to do is to impress upon market participants that the use of permissionless systems to evade accountability is unacceptable and ineffective. Doing so will mitigate the "risks and issues" because people will stop using these systems.