Resolving the Dichotomy: DeFi Compliance under Zero-Knowledge
Opinion from Dr. Andreas Freund. 21 August 2024
TL;DR
There are platform solutions for DeFi protocols to integrate regulatory compliance without compromising decentralization. Using blockchain technology and cryptographic protocols, DeFi protocols can ensure secure and transparent transactions that meet regulatory standards while maintaining user privacy. Such protocols enforce compliance rules on digital assets and their holders. Therefore, they can provide a robust and flexible system to help DeFi protocols navigate the complex regulatory landscape, contributing to a safer and more reliable decentralized financial ecosystem.
Introduction
Decentralized Finance (DeFi) has taken the financial world by storm (at least in the OpEd pages of Bloomberg and Fortune), offering a permissionless and transparent alternative to traditional financial institutions with a total value locked (TVL), as of this writing, of nearly $100Bn. However, this very decentralization creates a major hurdle: compliance. Unlike conventional institutions with central control, DeFi protocols are often governed by self-executing code and lack a single entity responsible for enforcing regulations. This raises a critical question: how can these innovative protocols integrate compliance rules into their DNA without compromising their core principles of decentralization and autonomy? This challenge lies at the heart of DeFi’s future, as regulators grapple with finding the right balance between fostering innovation and protecting consumers: according to DefiLlama, nearly all of the ~$100Bn in TVL and the billions of dollars in daily trades on Decentralized Exchanges (DEXs) have not undergone any proper compliance checks. Sadly, and very recently, regulators have resorted to legal action against the likes of Uniswap, Tornado Cash, and other DeFi protocols.
After thumbing their noses at regulators for many years, the organizations building DeFi protocols are now realizing two things:
- The words decentralization and No-Control do not protect against expensive legal actions.
- DeFi mass adoption requires better UX and compliance enforcement — both financial and data privacy, and at the same time.
Even if DeFi protocols wanted to implement compliance checks immediately, doing so would not only upset their best clients’ apple carts but would also require protocol rewrites: in other words, completely new versions of the protocol, with older versions still operating without any compliance checks. That is not a tenable situation since, very likely, the foundations or DAOs governing DeFi protocols would still be held to account for non-compliant versions of their protocol, because “smart contracts are forever” — yes, Marilyn Monroe pun intended.
Luckily there is a way forward for these protocols. Leveraging blockchain-native compliance mechanisms – a combination of smart contracts and blockchain-verifiable zero-knowledge proofs representing assertions that a user and a submitted asset transaction are compliant with the applicable law in a jurisdiction – yields a comprehensive framework to ensure regulatory compliance, risk management, and transaction reporting for any digital asset. The suggested framework extends the work originally done by Azgad-Tromer et al. (2023) that combines robust regulatory compliance actions with privacy protection, enabling, for example, the creation of compliant versions of digital assets that enforce jurisdictional policies while being privacy-preserving. The original framework by Azgad-Tromer et al. preserves digital assets’ economic value and technological capabilities while ensuring that sensitive information is selectively visible only to authorized law enforcement authorities – FinCEN, SEC, OFAC, etc. This enhances the security and integrity of digital asset transactions while maintaining privacy for legitimate users. Moreover, the framework’s compatibility with different types of digital assets, such as fungible and non-fungible digital assets, makes it a versatile solution.
In short, the framework augments blockchains with additional information about actors’ identities and asset provenance in a privacy-preserving manner and was first implemented by Sealance. This innovative approach enables the framework to address the challenges posed by the decentralized nature of digital assets. Attaching Compliance-Relevant Auxiliary Information (CRAI) to transactions involving digital assets in encrypted form ensures that critical compliance data, such as user identities, credentials, transaction history, and fund provenance, remains secure and tamper-proof – see FinCEN guidance on Anti-Money-Laundering as an example. The framework incorporates cryptographic protocols that can automatically enforce compliance policies assigned to digital assets — what holders can and cannot do with such a digital asset — and digital asset holders — what assets individuals can and cannot hold and/or trade. It can also update CRAI during the recording of transactions on the blockchain. This integration allows real-time compliance monitoring and reporting, enhancing transparency and accountability in the digital asset ecosystem.
Note that earlier work in this area was conducted by Kaira et al. in 2021 for the case of a centrally managed Hedge Fund. While complementary to this discussion, it does not touch on KYC/AML compliance, which is the central question we are discussing in this paper.
How to make DeFi Protocols Regulatory Compliant
So how does such a framework operate in the context of DeFi protocols, given that most assets on these platforms are not natively regulatory compliant?
Fig. 1: High-Level DeFi (ZKP) Compliance Architecture as an extension of Azgad-Tromer et al.
The key insight in the extension of the Azgad-Tromer et al. framework is that a smart contract wallet used, for example, in Account Abstraction (see EIP-4337) as a representative of one or more Externally Owned Accounts (EOA) has significantly more flexibility than an EOA due to its programmability. If a smart contract wallet is combined with other smart contracts that enforce compliance rules and interact with a DeFi protocol, we have all the ingredients we need. Think of a smart contract wallet as functionally equivalent to a traditional Broker-Dealer, a regulated and registered entity that places trades for its clients, and of a DeFi protocol with one or more compliance-enforcing smart contracts as a registered stock or commodity exchange with its trading and compliance functions. Note that a Broker-Dealer is a *registered entity* that is a *legal delegate* of a regular investor to place trades on the investor’s behalf and enforce trade compliance rules. The stock exchange is another *registered entity* – registered with regulatory authorities such as the SEC or FinCEN – and its compliance and trading functions are separate by design — separation of concerns is a significant compliance rule.
With this analogy in mind, we can now construct a regulatory-compliant DeFi protocol stack integrated with a compliance framework such as the one pioneered by Sealance through policy manager contracts with associated compliance policies, and a compliance policy and compliant account registry. The most straightforward implementation is through “smart contract hooks” in DeFi protocols as they allow custom compliance enforcement extensions to the protocol, for example, Uniswap V4 or Seaport. However, this does not solve the issue for DeFi protocols that do not have such capabilities; currently still the majority.
There is a general safe pattern to interact with DeFi protocols that do not have contract hooks for compliance checks when a user receives a yield-bearing instrument such as the Compound yield token (YT) e.g. cDai. In our description below, we implicitly assume that DeFi protocol contracts such as the Uniswap Router or Position Manager are registered contracts such that the compliance policy enforcement mechanism embedded in “compliant” assets can identify them as compliant and not require an additional zkp compliance assertion to be embedded with, for example, a transfer function.
Fig. 2: Example zkp-Compliance Stack application with Uniswap and compliant smart contract wallet
A compliance-safe DeFi interaction pattern is described below using the example of adding liquidity to a Uniswap Liquidity Pool for specificity:
- A user (EOA) calls a DeFi Protocol compliance (wrapper, also known as a logical abstraction) contract directly or through the user’s Smart Contract Wallet in an account abstraction scenario.
Note: the smart contract wallet has already been given a Power-Of-Attorney certificate through an approved KYC/AML provider, such as a bank or an exchange. This certificate is utilized in the same manner as a real-world Power-Of-Attorney works; it marks the smart contract wallet as able to use the zero-knowledge proof (zkp) assertions of compliance that the zk-based compliance platform creates for a user’s asset transactions.
- The DeFi (wrapper) contract verifies the submitted zkp compliance assertions using the zk-based compliance stack (a smart contract system, see Fig. 1), which routes compliance assertions in the form of zk-proofs to (compliance) policy enforcement points (PEPs, smart contracts that are part of the zk compliance stack), where proofs are verified and actions, i.e. transactions, are either allowed or denied. If the compliance checks are successful, liquidity is added to a pool — either a pool of compliant or uncompliant assets — on behalf of the user by the DeFi (wrapper) contract. For the following, let’s assume a compliant asset pool.
- The DeFi compliance (wrapper) contract receives the YT and creates a compliant YT asset utilizing one of the zkp assertions provided by the user.
- The DeFi compliance (wrapper) contract then transfers the now compliant YT to the EOA or the smart contract wallet — this also requires a zkp compliance assertion.
This prevents users from trading non-compliant YTs unless the user manually unwraps the asset. Note that all the yield now accumulates to the compliant YT. A variant of this approach is using DeFi compliance library contracts with the same functionality as a compliance wrapper contract while not requiring trust in the initial wrapper contract deployment.
For DeFi protocol transactions of compliant assets (e.g. lending, swaps) or compliant assets with non–compliant assets (e.g. swaps), there is an additional pattern:
- A User (EOA) can utilize an authority delegation policy expressed as a PEP for its smart contract wallet such that the smart contract wallet can interact with a compliant asset without being required to produce a zkp compliance assertion. This can be achieved by the user creating a delegating zkp compliance assertion (delegation to smart contract wallet) and submitting it to the zk-based compliance stack to be validated and then registered with a specific Power-Of-Attorney policy within a PEP. Power-of-attorney-type policies can exist at a jurisdictional level, by asset category, or even at the level of individual assets.
Key Point: An authority delegation policy to be utilized in a transaction is at the asset level, not at the level of a payee, a payer, or an authorizer. This allows an asset to identify if a payer or payee is permitted to interact with it, without being required to produce a zkp compliance assertion.
- Known DeFi protocol smart contracts, e.g. the Uniswap Router or an Aave Lending Pool manager, can, therefore, also utilize a Proof Delegation policy as described above. The primary difference is that in this context the delegation zkp compliance assertion (regulatory whitelisting of a DeFi protocol smart contract) is created, and the registration is done, by an authorized policy creator or registrar such as a KYC provider within the zk-based compliance ecosystem.
Key Point: As in the case of an EOA, this registrar-proof-delegation policy is at the level of the asset, and can differentiate jurisdiction, asset category, and even individual asset. However, it is of a different authority delegation policy type because the requester has another ecosystem role. Therefore, the compliant asset must have both types of authorization delegation policies attached to it because a smart contract wallet, a DeFi protocol compliance wrapper, and a DeFi protocol smart contract will all interact with the compliant asset.
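The asset-level decision described in the two Key Points can be modelled as follows. This is an added example, not code from the article, Sealance, or Azgad-Tromer et al.; the `AssetPEP` class and every name in it are hypothetical, and an HMAC tag stands in for zk-proof verification, which it does not replace.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Stand-in for zk-proof verification (assumption): an HMAC tag from a KYC
# provider. It is NOT zero-knowledge; it marks where a PEP calls the verifier.
DEMO_KEY = b"constructed-demo-key"

def issue_assertion(subject: str, asset: str, jurisdiction: str) -> bytes:
    msg = f"{subject}|{asset}|{jurisdiction}".encode()
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).digest()

def verify_assertion(tag, subject, asset, jurisdiction) -> bool:
    expected = issue_assertion(subject, asset, jurisdiction)
    return tag is not None and hmac.compare_digest(tag, expected)

@dataclass
class AssetPEP:
    """Policy enforcement point attached to one compliant asset (hypothetical)."""
    asset: str
    jurisdiction: str
    registrars: frozenset                          # authorized policy registrars
    poa: dict = field(default_factory=dict)        # wallet -> delegating user
    whitelisted: set = field(default_factory=set)  # registrar-delegated contracts

    def register_poa(self, user, wallet, delegating_tag):
        # Power-of-attorney type: the user's own assertion is validated first.
        if not verify_assertion(delegating_tag, user, self.asset, self.jurisdiction):
            raise PermissionError("delegating assertion rejected")
        self.poa[wallet] = user

    def register_contract(self, caller, contract):
        # Registrar type: only an authorized registrar may whitelist a contract.
        if caller not in self.registrars:
            raise PermissionError("caller is not an authorized registrar")
        self.whitelisted.add(contract)

    def party_allowed(self, party, tag=None) -> bool:
        if party in self.poa or party in self.whitelisted:
            return True  # delegation recorded on the asset: no assertion needed
        return verify_assertion(tag, party, self.asset, self.jurisdiction)

    def authorize_transfer(self, payer, payee, payer_tag=None, payee_tag=None):
        # Deny by default: both sides must pass for this specific asset.
        return (self.party_allowed(payer, payer_tag)
                and self.party_allowed(payee, payee_tag))
```

Because both delegation tables live on the asset's PEP, a wallet or router registered for one asset gains nothing on another asset, and an assertion issued for a different asset or jurisdiction fails verification.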
Conclusion
In summary, to ensure the longevity and acceptance of DeFi protocols by mainstream users, these protocols must move towards regulatory compliance. The described compliance platform, an extension of the framework proposed by Azgad-Tromer et al. and implemented by Sealance, offers a practical solution allowing DeFi protocols to incorporate compliance measures while maintaining decentralization. It uses blockchain technology and advanced cryptographic protocols for transparent, secure transactions that meet regulatory requirements, all while preserving user privacy. It enforces compliance rules on digital assets and their owners, providing a solid and flexible system. The key benefits of the described compliance framework for DeFi protocols are:
- Regulatory Compliance: The framework enables DeFi protocols to adhere to regulatory standards without compromising their decentralized nature (though KYC is necessarily still done by centralized entities).
- Risk Management: The framework enables mechanisms for effective risk management and transaction reporting for various digital assets.
- Privacy Protection: The framework incorporates cryptographic privacy-preserving features such as zkps, ensuring that sensitive user information used in compliance credentials and in creating zkp compliance policy assertions remains confidential, with personal information stored and accessible only by KYC/AML or other compliance credential providers such as banks or exchanges.
- Security: Leveraging safe cryptographic protocols, the framework can enhance the security and integrity of digital asset transactions by enforcing complex business rules.
- Versatility: It is compatible with different types of digital assets, including fungible and non-fungible tokens, making it a versatile solution for the DeFi ecosystem.
- Transparency and Accountability: The framework promotes transparency and accountability in the DeFi space through real-time compliance monitoring and reporting (through onchain submitted, fully encrypted reports).
Such a framework can assist DeFi protocols in navigating the intricate regulatory environment, contributing to a safer and more trustworthy decentralized financial ecosystem.