Insights from Dr. Andreas Freund. 21 August 2024
Summary
There are solutions available that enable DeFi protocols to incorporate regulatory compliance seamlessly, while still prioritizing decentralization. By utilizing blockchain technology and advanced cryptographic methods, DeFi protocols are capable of ensuring secure and transparent transactions that comply with regulations, all while safeguarding user privacy. These protocols implement compliance requirements on digital assets and their owners, thus creating a resilient and adaptable framework that assists DeFi protocols in navigating the intricate regulatory landscape, ultimately contributing to a safer and more dependable decentralized financial environment.
Overview
Decentralized Finance (DeFi) has rapidly transformed the financial landscape (at least in the OpEd sections of Bloomberg and Fortune), presenting a permissionless and transparent alternative to traditional financial systems, boasting a total locked value (TVL) nearing $100 billion as of this moment. However, this very decentralization presents significant challenges, particularly when it comes to compliance. In contrast to traditional institutions that have central oversight, DeFi protocols are predominantly governed by self-executing code and do not have a single entity accountable for regulatory enforcement. This raises a vital question: how can these groundbreaking protocols embed compliance requirements into their framework without sacrificing their fundamental beliefs in decentralization and self-governance? This dilemma is pivotal for the future of DeFi, especially as regulators seek to strike a balance between fostering innovation and ensuring consumer protection, given that nearly all of the ~$100 billion in TVL and billions in daily transactions on Decentralized Exchanges (DEXs), as noted by DeFi Lama, have not undergone thorough compliance verification. Regrettably, authorities have recently taken legal actions against various DeFi protocols including Uniswap, Tornado Cash, among others.
After dismissing regulators’ concerns for several years, the organizations developing DeFi protocols are now coming to terms with two critical realizations:
- The notions of decentralization and lack of control do not shield against costly legal repercussions.
- For DeFi to achieve widespread adoption, there is a pressing need for enhanced user experience and compliance enforcement that encompasses both financial regulations and data privacy simultaneously.
Even if DeFi protocols sought to enable compliance checks right away, this would disrupt their most important clients and necessitate whole revisions of their protocols. Essentially, new iterations of the protocols would have to be developed while older versions continued to operate without any compliance mechanisms. Such a scenario is unsustainable since it is highly probable that the foundations or DAOs governing these DeFi protocols could still be held responsible for non-compliant versions of their protocol, as “smart contracts are forever,” which is a nod to a famous quote from Marilyn Monroe.
Fortunately, there is a path forward for these protocols. By utilizing blockchain-supported compliance strategies—an amalgamation of smart contracts and blockchain-verifiable zero-knowledge proofs, which indicate compliance of a user and the submitted asset transactions with relevant laws in a jurisdiction—DeFi protocols can form a comprehensive system that ensures regulatory adherence, risk mitigation, and transaction reporting for any digital asset. This proposed framework builds upon the foundational work by Azgad-Tromer et al. (2023) that intricately combines effective regulatory compliance procedures with enhanced privacy protections. For instance, it allows the establishment of compliant versions of digital assets that enforce jurisdiction-specific policies while still being privacy-conscious. The original Azgad-Tromer framework safeguards the financial value and technological functionalities of digital assets while ensuring that sensitive information is only disclosed to authorized law enforcement entities such as FinCEN, SEC, OFAC, etc. This bolsters the security and integrity of digital asset transactions while safeguarding privacy for legitimate users. Additionally, the framework’s compatibility with various digital asset types, including fungible and non-fungible tokens, positions it as an adaptable solution.
In summary, this framework enhances blockchains by adding more context about the identities of actors and the provenance of assets in a manner that preserves privacy, and it was initially implemented by Sealance. This cutting-edge approach enables the framework to tackle the challenges stemming from the decentralized nature of digital assets. By attaching Compliance-Relevant Auxiliary Information (CRAI) to transactions involving digital assets via encrypted formats, we ensure that vital compliance data, such as user identities, credentials, transaction histories, and asset provenance, remains secure and uncontaminated – see FinCEN guidance on Anti-Money Laundering for an example. The framework integrates cryptographic protocols that can self-enforce compliance policies assigned to digital assets—defining what holders can and cannot do with those assets, and what individuals can or cannot hold and/or trade. This capability allows for real-time oversight of compliance and reporting, thereby enhancing transparency and accountability in the digital asset space.
It is important to note that earlier work in this domain was performed by Kaira et al. in 2021 with regard to a centrally managed hedge fund. While it presents complementary insights, this work does not address KYC/AML compliance, which is the focal point of this discussion.
How to Achieve Regulatory Compliance in DeFi Protocols
So, how can such a framework be operationalized within the context of DeFi protocols, considering that most assets on these platforms lack native regulatory compliance?
Fig. 1: High-Level DeFi (ZKP) Compliance Architecture based on Azgad-Tromer et al.
The crucial insight in the extension of the Azgad-Tromer et al. framework is that a smart contract wallet, which may be used in Account Abstraction (see EIP-4337), as a representation of one or more Entity Owned Accounts (EOAs), offers significantly greater flexibility due to its programmability compared to a standard EOA. Should a smart contract wallet be combined with other smart contracts enforcing compliance requirements and interfacing with a DeFi protocol, we have all the components necessary. Envision a smart contract wallet as being functionally analogous to a traditional Broker-Dealer—a legally registered and regulated entity that executes trades on behalf of its clients—while a DeFi protocol, integrated with compliance-enforcing smart contracts, functions similarly to a registered stock or commodity exchange with its trading and compliance operations. It’s critical to note that a Broker-Dealer is a *registered entity*, acting as a *legal delegate* for regular investors to conduct trades on their behalf and enforce trading compliance regulations. Correspondingly, the stock exchange is another *registered entity*—registered with regulatory agencies such as the SEC or FinCEN—with trading and compliance functions designed to remain distinct—this separation of functions is a foundational compliance principle.
With this analogy established, we can now create a regulatory-compliant DeFi protocol stack that incorporates a compliance framework like that pioneered by Sealance through policy manager contracts alongside a corresponding compliance policy and compliant account registry. The most straightforward implementation involves “smart contract hooks” within DeFi protocols, as they facilitate custom compliance enforcement extensions tailored to the protocol, for instance, through Uniswap V4 or Seaport. However, this does not rectify the issue for DeFi protocols that currently do not support such capabilities, which remains the bulk of them.
A general safe interaction pattern exists for engaging with DeFi protocols lacking contract hooks for compliance checks, particularly when a user acquires a yield-bearing instrument such as a Compound yield token (YT), e.g., cDai. In our discussion below, we presume that the DeFi protocol contracts, such as the Uniswap Router or Position Manager, are registered contracts, which allows the compliance policy enforcement mechanism embedded within the “compliant” assets to identify them as such without necessitating an additional ZKP compliance assertion during functions like transfers.
Fig. 2: Example ZKP Compliance Stack application utilizing Uniswap and a compliant smart contract wallet
A compliance-aware pattern for DeFi interactions can be outlined below, using the process of adding liquidity to a Uniswap Liquidity Pool for specificity:
- A user (EOA) engages with a DeFi Protocol compliance (wrapper, or logical abstraction) contract either directly or via the user’s Smart Contract Wallet in a scenario involving account abstraction.
Note: The smart contract wallet has been issued a Power-Of-Attorney certificate through an accredited KYC/AML provider, such as a bank or an exchange. This certificate functions similarly to a traditional Power-Of-Attorney in the real world; it designates the smart contract wallet as authorized to utilize the zero-knowledge proof (ZKP) assertions of compliance generated by the ZKP-based compliance platform for the user’s asset transactions. - The DeFi (wrapper) contract assesses the submitted ZKP compliance assertions utilizing the ZKP compliance stack—a smart contract system depicted in Fig. 1—routing compliance assertions in the form of ZK proofs to specific compliance policy enforcement points (PEP)—which are also smart contracts within the ZKP compliance stack—where the proofs are verified, and transactions are permitted or denied. If all compliance checks are successfully met, liquidity is added to a pool—either comprised of compliant or non-compliant assets—on behalf of the user via the DeFi (wrapper) contract. For the sake of this discussion, we will assume a compliant asset pool is involved.
- The DeFi compliance (wrapper) contract receives the YT and generates a compliant YT asset by utilizing one of the ZKP assertions submitted by the user.
- Subsequently, the DeFi compliance (wrapper) contract transfers the now compliant YT to the EOA or the smart contract wallet—this action also necessitates a ZKP compliance assertion.
This mechanism prevents users from trading any non-compliant YTs unless they choose to unwrap the asset manually. Importantly, all yields will now accrue to the compliant YT. A variant of this strategy leverages DeFi compliance library contracts that provide the same functionalities as a compliance wrapper contract without necessitating trust in the initial wrapper contract deployment.
For DeFi protocol transactions involving compliant assets (e.g., lending, swaps) or engagements between compliant and non-compliant assets (e.g., swaps), an additional pattern emerges:
- A user (EOA) can employ an authority delegation policy expressed as a PEP for their smart contract wallet, allowing it to interact with a compliant asset without necessitating the production of a ZKP compliance assertion. Achieving this involves the user generating a delegating ZKP compliance assertion (which permits the smart contract wallet to act on its behalf) and submitting it to the ZKP compliance stack for validation, followed by registration alongside a particular Power-of-Attorney policy embedded within the PEP.
Key Point: Authorization delegation policies employed in transactions occur at the asset level, rather than the producer, recipient, or authorizer level. This facilitates asset recognition of permissible payers or payees capable of engaging with it, without necessitating the generation of a ZKP compliance assertion. - Recognized DeFi protocol smart contracts, such as the Uniswap Router or an Aave Lending Pool manager, can similarly leverage a Proof Delegation policy as earlier described. The key distinction within this context is that the entity generating the delegation ZKP compliance assertion (factoring in regulatory endorsement of a DeFi protocol smart contract) and registration is carried out by an authorized policy creator or registrar, such as a KYC provider within the ZKP compliance ecosystem.
Key Point: Just like with an EOA, this registrar-proof-delegation policy operates at the asset level and can differentiate between varying jurisdictions, asset categories, and even specific assets. Nonetheless, it represents a different kind of authority delegation policy since the requester holds a distinct role within the ecosystem. Consequently, the compliant asset must be associated with both types of authorization delegation policies because a smart contract wallet, a DeFi protocol compliance wrapper, and a DeFi Protocol smart contract will all interact with the compliant asset.
Final Thoughts
To sum up, to secure the long-term viability and acceptance of DeFi protocols among mainstream users, these protocols must advance towards regulatory compliance. The compliance platform outlined herein, building on the framework proposed by Azgad-Tromer et al. and put into practice by Sealance, presents a practical avenue for DeFi protocols to integrate compliance measures while still honoring decentralization principles. The deployment of blockchain technology and sophisticated cryptographic mechanisms enables transparent and secure transactions that align with regulatory requirements, all while sustaining user privacy. It is designed to enforce compliance rules concerning digital assets and their custodians, offering a dependable and adaptable system. The core benefits of the compliance framework for DeFi protocols are:
- Regulatory Compliance: This framework allows DeFi protocols to comply with regulatory mandates without undermining their decentralized essence (though KYC implementations still require involvement of centralized entities).
- Risk Management: The framework facilitates mechanisms for comprehensive risk management and transaction reporting applicable to various digital assets.
- Privacy Protection: This framework employs cryptographic features that preserve user privacy, such as ZKPs, ensuring that sensitive user information utilized in compliance credentials and in formulating ZKP compliance policy assertions remains confidential, with personal data retained and accessible solely by KYC/AML or other compliance credential issuers such as banks or exchanges.
- Security: By utilizing robust cryptographic protocols, the framework can reinforce the security and integrity of digital asset transactions by applying intricate business rules.
- Versatility: Its design accommodates various kinds of digital assets, including fungible and non-fungible tokens, making it an adaptable solution for the DeFi landscape.
- Transparency and Accountability: This framework advocates for transparency and accountability within the DeFi space through real-time compliance monitoring and reporting, facilitated by on-chain submitted, fully encrypted reports.
Implementing such a framework can aid DeFi protocols in successfully navigating the complex regulatory environment, thereby fostering a safer and more trustworthy decentralized financial ecosystem.
Dr. Freund may be reached via email at [email protected]