CFTC takes enforcement action against three DeFi protocols, sounding alarm for all derivatives trading platforms

2023.09.09

CFTC takes enforcement action against three DeFi protocols, sounding alarm for all derivatives trading platforms

The CFTC could be a more fearsome regulator than the SEC, potentially directing its regulatory scrutiny straight at DeFi.

2023.09.09 - 07:34:43

CFTCDeFi

Navigating Web3 tides with focused insights

The CFTC could be a more fearsome regulator than the SEC, potentially directing its regulatory scrutiny straight at DeFi.

On September 7, 2023, the U.S. Commodity Futures Trading Commission (CFTC) once again directed its enforcement focus toward decentralized finance (DeFi), penalizing three U.S.-based blockchain companies—Opyn, Inc., ZeroEx, Inc., and Deridex, Inc.—which ultimately accepted settlements.

Before the DeFi industry could even begin to enjoy what seemed like a "victory" from Uniswap's courtroom outcome, the CFTC swiftly crushed that optimism just one week later, turning its regulatory spotlight directly onto the DeFi derivatives market—and indeed the entire DeFi sector.

This article analyzes the background of this CFTC enforcement action, internal dissent within the CFTC, and the potential implications for the DeFi industry moving forward, along with possible response strategies.

TL;DR

The CFTC may be an even more formidable regulator than the SEC, now aiming its enforcement directly at DeFi;
The CFTC imposed penalties on developer-operated companies for DeFi platforms violating derivatives trading regulations;
The CFTC attributes liability for malicious third-party activities directly to developers—even when developers have no control over such actions;
Gabriel Shapiro, General Counsel at Delphi Labs, stated: “100% of DeFi will be illegal” under current U.S. regulatory interpretation;
The SEC targets CeFi, the CFTC targets DeFi, and FinCEN focuses on KYC/AML/CTF compliance for global crypto asset flows—this is likely the U.S. crypto regulatory landscape leading up to the 2024 election year.

1. Case Background

According to the CFTC press release, Opyn and Deridex each developed and deployed blockchain-based protocols and websites offering token derivatives trading and perpetual contracts. These transactions qualify as retail commodity transactions involving swaps, leverage, or margin, which under the Commodity Exchange Act (CEA) and CFTC rules may only be offered to retail customers through registered exchanges. However, neither Opyn nor Deridex had registered with the CFTC, nor did they implement customer identification procedures required under the Bank Secrecy Act. Although Opyn implemented certain measures to restrict access by U.S. users, these were ineffective in practice, while Deridex took no such measures at all.

ZeroEx developed and deployed the 0x Protocol and the Matcha application, a DEX-like interface enabling users to trade across multiple tokens. On this DEX, certain leveraged or margined tokens—deployed by unrelated third parties—were available for trading. The CFTC asserts that such leveraged or margined retail commodity transactions can only be offered through registered platforms compliant with the CEA and CFTC rules. Since ZeroEx had not registered with the CFTC, it was deemed to have illegally provided these services.

As a result, Deridex and Opyn were charged with failing to register as a Swap Execution Facility (SEF) or Designated Contract Market (DCM); failing to register as a Futures Commission Merchant (FCM); and failing to implement customer identification programs required of FCMs under the Bank Secrecy Act. Additionally, ZeroEx, Opyn, and Deridex were all charged with illegally offering leveraged and margined retail commodity transactions in digital assets.

Pursuant to the charges, the CFTC required Opyn, ZeroEx, and Deridex—each operating developer companies—to pay civil monetary penalties of $250,000, $200,000, and $100,000 respectively, and to cease their unlawful conduct. Under settlement agreements, all three companies agreed to pay the fines to avoid further legal proceedings.

Ian McGinley, Director of Enforcement at the CFTC, said: “There was once a notion among DeFi project teams that decentralization and being ‘on-chain’ meant operating beyond the law. That is not the case. While the DeFi industry may be innovative, complex, and rapidly evolving, so too will our enforcement efforts. We will actively pursue unregistered platforms that allow U.S. persons to engage in derivatives trading.”

2. Dissenting Views from CFTC Commissioners

2.1 Conflict with CFTC’s Regulatory Principles

Despite the CFTC’s enforcement decision, Commissioner Summer K. Mersinger issued a dissenting statement. She noted that this enforcement action targets DeFi protocols and applications in a decentralized environment—an area previously uncharted by the CFTC. Therefore, the agency’s initial regulatory stance in this domain carries significant weight.

In its 2022–2026 Strategic Plan, the CFTC stated it would increase stakeholder engagement regarding DeFi regulation and acknowledged that innovation in sectors like DeFi requires broad consultation. Yet this enforcement action stands in stark contrast to that strategic vision. The CFTC’s approach of “enforce first, communicate later” contradicts both its own strategic plan and Congress’s call for “responsible innovation.”

She emphasized that in this case, there was no evidence of misappropriated customer funds or harm to any market participants caused by the DeFi protocols or applications. While such heavy-handed regulation might protect hypothetical investors, it does nothing to encourage responsible innovation and risks driving the DeFi industry out of the U.S. market entirely.

2.2 Contradiction with the Uniswap Precedent

Additionally, she raised a critical practical question through the enforcement against ZeroEx: If a DeFi protocol is developed and deployed for legitimate purposes but is later used by unrelated third parties in violation of the CEA and CFTC rules, who should bear responsibility? Should DeFi developers be held liable indefinitely?

These questions were already addressed in prior judicial rulings, notably in the Uniswap case (see article: “The Regulatory Plight of DeFi: Uniswap in Heaven, Tornado Cash in Hell”). Courts have clarified that: Developers and investors of Uniswap are not liable for harms caused by third-party use of the protocol, because Uniswap’s underlying smart contracts are legally distinct from third-party token contracts deployed on top of it.

Therefore, this precedent should logically apply to ZeroEx as well, meaning the CFTC’s enforcement action contradicts established judicial reasoning.

2.3 Absence of a Viable CFTC Compliance Pathway for DeFi

Commissioner Summer K. Mersinger pointed out in her dissent that existing CFTC regulations are designed for centralized intermediaries. They require such entities to register as regulated intermediaries (e.g., Futures Commission Merchants, or FCMs) and comply with Bank Secrecy Act requirements such as KYC/AML/CTF, alongside other operational obligations.

Such regulatory frameworks are ill-suited for decentralized, disintermediated DeFi protocols. How can a decentralized protocol register as an FCM—a designation created specifically for centralized intermediaries? This remains an unresolved issue, and the CFTC has not provided a clear answer in this enforcement action.

Yet regardless of the strength of these objections, the CFTC’s enforcement proceeds unabated.

3. Significant Impact on Derivatives Markets

3.1 The CFTC May Be a More Dangerous Regulator Than the SEC

Due to the SEC’s prior enforcement actions and legal challenges in the crypto space, many assumed the CFTC might be a more favorable regulator for the industry—and thus should be granted broader authority. However, recent enforcement actions targeting DeFi projects reveal the CFTC’s true colors—it may pose an existential threat to the entire DeFi ecosystem.

This enforcement sends a strong warning to any DeFi protocol offering derivatives trading or derivative-like functionalities—including AMM-based DEXs. If such protocols serve U.S. users, they risk falling directly into the CFTC’s crosshairs. Gabriel Shapiro, General Counsel at Delphi Labs, went as far as stating: “In the United States, 100% of DeFi will be illegal.”

In an interview, he explained: First, DeFi protocols with derivatives functionality are now squarely in the CFTC’s sights—whether in the CFTC v. Ooki DAO case (see article: The Regulatory Plight of DeFi: Uniswap in Heaven, Tornado Cash in Hell) or in this latest enforcement action, the common thread is violations of the CEA and CFTC rules by DeFi protocols.

Second, under CEA and CFTC regulations: “No person or entity may engage in leveraged, margined, or financed transactions of commodities unless registered or licensed with the CFTC.” Yet nearly all DeFi protocols facilitate leveraged, margined, or financed transactions of crypto commodities. Furthermore, commodity swap transactions—arrangements whose value derives from an underlying commodity—can be classified as derivatives. Thus, even protocols like Lido, which issue wETH upon staking ETH, may fall within the definition of a commodity swap.

Therefore, in theory, virtually all DeFi protocols could fall under CFTC jurisdiction. This is a deeply concerning interpretation. Currently, the CFTC has targeted only smaller-scale DeFi protocols based in the U.S. (making enforcement easier), but larger players may be next.

While Shapiro’s view may seem alarmist, in practice, unilateral regulatory actions by agencies like the SEC, CFTC, and DOJ can still be challenged through judicial or legislative means. Regulators cannot interpret law arbitrarily, nor can they create law.

3.2 What Rules Were Violated, and Who Bears Responsibility?

Now that the CFTC has demonstrated its willingness to act against DeFi protocols, what justifies such actions, and who should be held accountable?

Commissioner Summer K. Mersinger reiterated that in this case, there was no evidence of misappropriated customer funds or demonstrable harm to any market participant from the DeFi protocols. The CFTC itself cited only violations of registration requirements under the CEA and CFTC rules.

The CFTC’s theoretical basis can be traced to a 2018 speech by Brian D. Quintenz, former CFTC commissioner and current a16z partner: For smart contract protocols, the key questions are whether the protocol constitutes a swap, futures, or options contract, and whether it serves U.S. users. If so, regardless of form—code or otherwise—it must comply with CFTC regulations.

If regulations are violated, who bears responsibility?

This question demands extensive debate. Most legal professionals share the perspective of the Uniswap case judge: Liability should rest with the malicious third party causing harm—not with developers who merely published code and cannot control third-party misuse.

However, considering the Department of Justice’s criminal charges against Tornado Cash founders, the CFTC v. Ooki DAO case, and this latest enforcement, it’s clear regulators disagree. The CFTC continues to hold developers liable for third-party misconduct—even when developers lack control over such actions. In the case of ZeroEx, for example, the CFTC did not assess whether the protocol developers were associated with the derivative tokens listed, or whether they had any ability to control their deployment.

4. How Should DeFi Projects Respond?

The most direct answer is: Leave the U.S. and block U.S. users.

Of course, how you block matters. Opyn attempted measures to restrict U.S. access, but they proved ineffective and the company was still penalized. Merely blocking U.S. IP addresses may not suffice—blocking U.S.-based VPNs or wallets may also be necessary. These technical solutions are relatively straightforward to implement.

Additionally, consider the following U.S.-related factors:

(1) Accessibility to U.S. users (accounts, wallets, transactions, etc.);

(2) Use of U.S.-based servers (e.g., AWS);

(3) Marketing or promotion within the U.S.;

(4) U.S. citizenship or residency of the company, employees, executives, or agents;

(5) Engagement with U.S.-based third-party service providers;

(6) Involvement of U.S. financial accounts.

In summary:

(1) Implement comprehensive blocking measures, including clear disclaimers in Terms of Use, to avoid falling within regulatory scope;

(2) Structure development teams and DAOs with appropriate legal wrappers to prevent individuals from bearing joint liability for DeFi protocols;

(3) Exit the U.S. Even giants like Coinbase proceed cautiously when launching derivatives products under U.S. regulation, often opting for offshore offerings while actively seeking CFTC licenses.

The range of applicable strategies is broad and highly dependent on specific circumstances—each case must be evaluated individually.

5. Final Thoughts

Through the Ooki DAO precedent, the CFTC has established the ability to认定违规的DeFi业务，并追究链上DAO及DAO内部代币投票成员的责任。As previously noted in the article “CFTC Wins Against Ooki DAO, Setting Precedent for DAO Legal Liability”: “Once a DAO can be sued, the blockchain is no longer a lawless frontier—regulators can now use this as a foothold to enforce rules against on-chain DAOs, DeFi, and DEX projects.” But apparently, few paid attention???

This latest CFTC enforcement action confirms that very point. Using the Ooki DAO ruling as precedent, the CFTC has brought three DeFi protocols to heel, holding their developer companies liable on identical grounds.

The SEC aims at CeFi, the CFTC aims at DeFi, and FinCEN oversees KYC/AML/CTF for global crypto flows—this is likely the U.S. crypto regulatory framework leading up to the 2024 election year.