DeFi Regulatory Woes Uniswap in Heaven, Tornado Cash in Hell

DeFi Regulation Uniswap vs Tornado Cash

Author: Will Awang; Source: Web3 Xiaolü

On August 29, 2023, the Southern District of New York (SDNY) dismissed a class-action lawsuit against Uniswap. The plaintiffs accused Uniswap of allowing fraudulent tokens to be issued and traded on the protocol, causing harm to investors and seeking compensation. The judge ruled that the current cryptocurrency regulatory system does not provide a basis for the plaintiffs’ claims, and Uniswap is not responsible for any damages caused by third-party use of the protocol.

Prior to Uniswap’s “victory,” in the same SDNY court, the U.S. Department of Justice and other regulatory agencies (DOJ) brought criminal charges against Tornado Cash founders Roman Storm and Roman Semenov, accusing them of money laundering, violating sanctions, and operating an unlicensed money transfer business during the operation of Tornado Cash. The two individuals could face a minimum of 20 years in prison.

Both Uniswap and Tornado Cash are smart contract protocols built on the blockchain. Why is there such a difference in regulatory treatment between them? This article will delve into the two DeFi cases and analyze the underlying logic that leads to such differential treatment by regulators.

• MEKE public beta countdown ends, focusing on derivative trading in the DeFi sector.
• Hubei Court rules that the virtual currency mining contract is invalid due to the purchase of IPFS storage servers for mining Filecoin.
• NGC Ventures Is the AI track still worth starting a business now?

TL;DR

• The technology itself is not guilty, it is the people who use the technology who are guilty;

• The ruling in the Uniswap case is good news for DeFi, as DEXs are not liable for losses suffered by users due to third-party issued tokens, which has a larger impact than the Ripple case;

• Judge Katherine Polk Failla also presided over the SEC v. Coinbase case, and her response to whether a cryptocurrency is considered a security was: “This is not a decision for the court to make, it is a decision for Congress” and “ETH is a commodity.” Can the same interpretation be applied to the SEC v. Coinbase case?

• In the Tornado Cash case, although third-party involvement led to regulatory intervention, the severity of the case stems from the founder knowingly enabling the protocol to facilitate illegal activities and infringe on national security interests;

• Uniswap, being based in the United States and actively cooperating with regulators, as well as its token’s singular governance function, provides a good example for other DeFi projects to handle regulation.

1. Investors sue Uniswap for investing in fraudulent tokens

In April 2022, a group of investors filed a collective lawsuit against Uniswap’s developers and investors – Uniswap Labs and its founder Hayden Adams, as well as its investment firms (LianGuairadigm, Andreesen Horowitz, and Union Square Ventures). They accused the defendants of failing to register under the U.S. federal securities laws and causing damage to investors by listing “fraudulent tokens” in violation of regulations, and demanded compensation for the damages.

Presiding judge Katherine Polk Failla stated that the true defendants in this case should be the issuers of the fraudulent tokens, not the developers and investors of the Uniswap protocol. Due to the decentralized nature of the protocol, the identity of the issuers of the fraudulent tokens is unknown to the plaintiffs (and the defendants). The plaintiffs can only sue the defendants in hopes that the court can transfer their claims to the defendants. The reason for the lawsuit is that the defendants provided a platform for the issuance and trading of fraudulent tokens in exchange for transaction fees generated by the exchange.

In addition, the plaintiff also played the role of SEC Chairman Gary Gensler, believing that (1) the tokens sold on Uniswap are unregistered securities; (2) and Uniswap, as a decentralized exchange for trading security tokens, should be subject to relevant securities exchange and securities broker registration by regulatory agencies. The court rejected the extension of securities laws to the actions alleged by the plaintiff and concluded that the lack of relevant regulation was the reason for the dismissal, stating that the investors’ concerns “should be addressed to Congress, not this court.”

Overall, the judge believed that the current regulatory framework for cryptocurrencies does not provide a basis for the plaintiff’s claims. Furthermore, under the current US securities laws, the developers and investors of Uniswap are not liable for any damages caused by third-party use of the protocol. Therefore, the plaintiff’s lawsuit was dismissed.

II. Key Points of the Uniswap Case

The presiding judge in this case, Katherine Polk Failla, was also the presiding judge in SEC v. Coinbase and has extensive experience in handling cryptocurrency cases. After reading the 51-page judgment, it is clear that the judge has a deep understanding of the cryptocurrency industry.

The key points of contention in this case are: (1) whether Uniswap should be held responsible for third-party use of the protocol; and (2) who should be responsible for the damages caused by the use of the protocol.

2.1 The underlying protocol of Uniswap should be distinguished from the token protocol of the issuer, and the issuer implementing the harmful acts should be held responsible.

Uniswap Labs previously stated: “Uniswap V3’s decentralized liquidity pool model is entirely composed of underlying smart contracts and executes automatically. This model, due to its openness, permissionlessness, and inclusiveness, can generate exponential growth in the ecosystem. The underlying protocol not only eliminates so-called intermediaries in transactions but also allows users to interact with the protocol in a simple and efficient manner through various methods (such as entering through Dapps developed by Uniswap Labs).”

The issuer, based on the aforementioned underlying Uniswap protocol and the unique AMM mechanism of DEX, anonymously lists tokens on the platform without any form of verification or background checks, and creates and establishes liquidity pool trading pairs (such as their own ERC-20 tokens/ETH) for investors to trade.

(https://www.docdroid.net/APrJolt/risley-v-uniswap-PDF)

The decentralized nature of Uniswap means that the protocol cannot control which tokens are listed on the platform or who interacts with them. The judge stated, “These underlying base smart contracts are distinct from the token contracts unique to each liquidity pool, created by the issuers themselves. The protocols relevant to the plaintiff’s claims are not the underlying protocols provided by the defendants, but the liquidity pool trading pair protocols or token protocols drafted by the issuers themselves.”

In order to explain better, the judge made several analogies: “For example, it is like making the developer of a self-driving car responsible for any accidents or bank robberies caused by a third party using the car, regardless of whether the fault lies with the developer.” The judge also analogized to payment apps Venmo and Zelle, stating that “the plaintiff’s lawsuit is like trying to hold these payment platforms responsible for drug dealers’ funds transfers in drug transactions, rather than the drug dealers themselves.”

In these cases, the responsibility lies with the individuals who commit the harmful actions, not the developers of the software programs.

2.2 The first ruling under the background of decentralized smart contracts

The judge acknowledged the lack of judicial precedents related to DeFi protocols and has not found a way to hold the defendants legally liable under securities laws based on decentralized protocol smart contracts.

The judge believes that in this case, the smart contracts of the Uniswap protocol can indeed operate legally, just like facilitating the exchange of crypto commodities ETH and BTC.

In this statement, the judge specifically mentioned the commodity attribute of ETH, albeit briefly.

2.3 Investor protection based on securities laws

Section 12(a)(1) of the Securities Act grants investors the right to sue for damages when the seller violates Section 5 of the Securities Act (registration and exemption of securities). As the claim is based on the regulatory issue of whether crypto assets are securities, the judge stated, “This is not something for the court to decide, but for Congress to decide.” The court declined to extend securities laws to the alleged actions by the plaintiffs and concluded that “investor concerns are best addressed to Congress, not to this court,” citing a lack of relevant regulatory basis.

2.4 Summary

Although SEC Chairman Gary Gensler has so far avoided calling ETH a security, Judge Katherine Polk Failla directly referred to it as a commodity (Crypto Commodities) in this case and refused to expand the scope of securities laws to cover the alleged actions in the case against Uniswap.

Considering that Judge Katherine Polk Failla also presided over the SEC v. Coinbase case, her response to whether crypto assets are securities, “This is not something for the court to decide, but for Congress to decide,” and “ETH is a crypto commodity,” can it also be interpreted in the case of SEC v. Coinbase? Regardless, although laws are currently being formulated around DeFi, regulatory agencies may one day address this gray area. However, the Uniswap case does provide a precedent for the crypto DeFi world, stating that decentralized exchange DEX cannot be held responsible for losses suffered by users due to tokens issued by third parties. This impact is actually bigger than that brought by the Ripple case and is beneficial to DeFi.

III. Tornado Cash and Its Founders in Deep Hell

Tornado Cash, a DeFi protocol deployed on the blockchain that provides coin mixing services, seems to be in a less than ideal situation. On August 23, 2023, the U.S. Department of Justice (DOJ) filed criminal charges against Tornado Cash founders Roman Storm and Roman Semenov, accusing them of conspiracy to commit money laundering, violation of sanctions, and operating an unlicensed money transmitting business during the operation of Tornado Cash.

Tornado Cash was once a well-known coin mixing application on Ethereum, designed to provide privacy protection for users’ transaction activities. It achieves privacy and anonymity in transactions by obfuscating the source, destination, and counterparty of cryptocurrency transactions. On August 8, 2022, Tornado Cash was sanctioned by the U.S. Office of Foreign Assets Control (OFAC), and some on-chain addresses related to Tornado Cash were listed on the SDN list, which means that any entity or individual interacting with the on-chain addresses on the SDN list is illegal.

In the press release, OFAC stated that since 2019, over $7 billion has been laundered using Tornado Cash, and Tornado Cash has provided substantial assistance, sponsorship, or financial and technical support to illegal activities on the internet, which may pose significant threats to U.S. national security, foreign policy, economic health, and financial stability, thus resulting in sanctions from OFAC.

(https://www.researchgate.net/figure/Example-of-the-Tornado-Cash-1-ETH-pool-addresses-A-through-F-deposit-to-and-withdraw_fig1_357925591)

3.1 Criminal Charges against Tornado Cash and Its Founders

In a press release on August 23, the DOJ stated that the defendants and their co-conspirators created the core functionality of Tornado Cash Service, paid for the operation costs of critical infrastructure to promote the service, and received millions of dollars in return. The defendants knowingly chose not to implement the required know-your-customer (KYC) and anti-money laundering (AML) compliance measures, despite being aware of the illegal nature of the transactions.

In April and May 2022, Tornado Cash service was used by the Lazarus Group (a sanctioned North Korean cybercrime organization) to launder hundreds of millions of dollars in hacker profits. It is alleged that the defendants knew these were money laundering transactions and made changes to the service to publicly claim that they “seemed” to comply with compliance requirements, but in their private conversations, they unanimously considered these changes to be ineffective. Subsequently, the defendants continued to operate the service and further facilitated illegal transactions involving hundreds of millions of dollars, helping the Lazarus Group transfer criminal proceeds from encrypted wallets designated by OFAC as blocked property.

The defendants are charged with conspiracy to commit money laundering and conspiracy to violate the International Emergency Economic Powers Act, both of which carry a maximum sentence of 20 years in prison. They are also charged with conspiracy to operate an unlicensed money transmitting business, which carries a maximum sentence of five years in prison. The federal district court judge will decide how to sentence them after considering the U.S. sentencing guidelines and other statutory factors.

3.2 Definition of Money Transmitting Business

It should be noted that the Financial Crimes Enforcement Network (FinCEN), a subsidiary of the U.S. Department of the Treasury, has not filed a civil lawsuit against Tornado Cash and its founder for operating a money transmitting business without a license. However, if Tornado Cash falls under the definition of a money transmitter, this definition would also apply to other similar DeFi projects. Once confirmed, these projects would need to register with FinCEN and undergo KYC/AML/CFT processes, which would have a significant impact on the DeFi world.

In 2019, FinCEN released guidance (2019 FinCEN Virtual Currency Guidance) categorizing business models of cryptocurrency activities and determining whether they fall under the definition of a money transmitter based on the type of business.

3.2.1 An Anonymizing Software Provider

Peter Van Valkenburgh of Coin Center stated: The only accusation in the indictment against the defendants for operating a money transmitting business without a license is that they engage in the business of transferring funds on behalf of the public without registering with FinCEN. However, Tornado Cash is actually an anonymizing software provider, which only provides “delivery, communication, or network access services used by persons to support the transmission of currency.”

The 2019 guidance explicitly states that an anonymizing software provider is not considered a money transmitter, while an anonymizing service provider is.

3.2.2 CVC Wallet

Cravath, Swaine & Moore LLP, a top-tier law firm, also published a report using the only business defined as a money transmitter in the 2019 guidance, CVC Wallet, as an analogy to derive the rigid requirements for money transmitters – they must have total independent control over the value being transmitted, and this control must be necessary and sufficient.

In this case, the indictment describes how the defendants control the Tornado Cash software/protocol, but it does not indicate how they control the transfer of funds. The report analyzes the process of fund transfer in Tornado Cash and ultimately concludes that it does not have complete control over the transfer of funds like a cryptocurrency wallet service provider, as the transfer of funds still requires user interaction through a private key. Therefore, it should not fall under the definition of a “money transmitter.”

3.2.3 DApps

Gabriel Shapiro, the legal counsel of Delphi Labs, disagrees with Cravath’s viewpoint, arguing that they overlook another business model of cryptocurrency activities in the 2019 guidance – Decentralized Applications (DApps).

(https://twitter.com/lex_node/status/1698024388572963047)

Here is FinCEN’s perspective on DApps: “The owner/operator of a DApp may deploy it to perform various functions, but when the DApp engages in money transmission, the definition of money transmitter applies to the DApp, or the owner/operator of the DApp, or both.”

The complaint is based on the understanding of DApps in the 2019 guidelines, which defines unlicensed currency transmission businesses. In other words, when an entity (individual, legal person, non-legal organization) conducts currency transmission business through smart contracts/DApps, FinCEN’s rules will apply.

If FinCEN really stated the above in the 2019 guidelines, then we have to question why it has not taken any enforcement actions against DeFi to clarify this interpretation since its release. Considering that DeFi should all involve some form of fund transfer, theoretically it can apply to every DeFi application (because they all involve some form of fund transfer).

3.3 Summary

The 2019 FinCEN guidelines are ultimately just guidelines. They have no binding force on the Department of Justice and have no legal effect. However, in the absence of a comprehensive regulatory framework for cryptocurrency in the United States, these guidelines are still the best documents reflecting regulatory attitudes.

However, the approach taken by the DOJ leaves unresolved important questions for decentralized protocols, including whether individual actors should be held accountable for actions taken by third parties or resolutions made through loose community voting. Roman Storm, an American defendant, will appear in court and face trial in the next few days. The court may have the opportunity to address these pending issues.

Attorney General Merrick Garland said, “This indictment sends a warning to those who believe they can use cryptocurrency to hide criminal activity.” FBI Director Christopher Wray added, “The FBI will continue to dismantle the infrastructure used by cybercriminals to commit crimes and profit from them, and hold accountable anyone who assists these criminals.” This demonstrates a firm stance on AML/CTF regulations.

4. Why are there heaven and hell in the DeFi protocols?

The common points between the Uniswap and Tornado Cash cases are: (1) they are both smart contracts deployed on the blockchain and can operate autonomously; (2) regulatory intervention occurred due to non-compliant/illegal use of the smart contracts by third parties; (3) who should be held responsible for the damages caused by non-compliant/illegal behavior?

The difference is:

In the Uniswap case, the judge believes that (1) the underlying smart contracts on the blockchain are different from the token contracts deployed by the issuer itself, and there is no problem with the legal operation of the underlying smart contracts, (2) the token contracts deployed by the issuer caused harm to investors, (3) therefore, the issuer’s responsibility needs to be pursued.

In the Tornado Cash case, the complaint states that although regulatory intervention also occurred due to the illegal use by third parties, the difference is that the founder of Tornado Cash, knowing the situation, had the ability to control the protocol and facilitate illegal activities for network criminals, violating national security interests. It is obvious who should bear the responsibility.

Chapter 5: Conclusion

On April 6, 2023, the U.S. Department of Treasury released the 2023 DeFi Illegal Financial Activities Assessment Report, which is the world’s first assessment report on illegal financial activities based on DeFi. The report recommends strengthening the regulation of AML/CFT in the United States and, where possible, enhancing enforcement of cryptocurrency asset activities (including DeFi services) to improve compliance with the Bank Secrecy Act obligations by cryptocurrency service providers.

It can be seen that U.S. regulations are also following this approach, overseeing the inflow and outflow of cryptocurrency assets from the perspective of KYC/AML/CTF, controlling the source. For example, Tornado Cash provides money laundering convenience for cybercriminals. From the perspective of investor protection, specific project compliance is regulated. In the case of CFTC v. Ooki DAO, the regulatory agency intervened in the enforcement of regulations on the grounds that Ooki DAO’s business violated CFTC regulations. In the case of Tornado Cash, the regulatory agency intervened in the enforcement of regulations on the grounds that it violated FinCEN’s currency transmission regulations.

Although the U.S. regulatory framework for cryptocurrencies is unclear, at present, Uniswap has established operational entities and foundations in the United States and actively cooperates with regulatory agencies to implement risk control measures (such as blocking certain tokens). The UNI token has always only had governance functions (rather than being involved in disputes over securities-like tokens), providing a good example for other DeFi projects in dealing with regulation.

The technology itself is not guilty; it is the individuals who use the technology tools that may be guilty. Both the Uniswap and Tornado Cash cases provide the same answer.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!