The recent $200 million hack of the Singapore-based major cryptocurrency exchange KuCoin has been making headlines, but what sets this attack apart from earlier ones is the hacker’s blatant use of everyone’s favourite new crypto frontier – DeFi (decentralised finance).
The KuCoin hacker must have had a lightbulb moment after the crypto media outlet Cointelegraph published the piece Regulatory risks grow for DeFi as a ‘money laundering haven’ not two weeks ago. Bing!
Generally it seems that the true innovation in financial services is happening in DeFi. Imagine redesigning all financial products from scratch. The possibilities are endless. Starting from $1 billion locked into DeFi at the beginning of 2020, the figure has been increasing rapidly and currently stands at close to $10 billion – a 10x increase. This is a very young sector, with most operators less than 9 months old. Mistakes are being made.
As is often the case, these innovations come with a whole lot of compliance risks – such as zero KYC/AML requirements for users of decentralised crypto-lending platforms. No transaction-monitoring safeguards are in place, so even proliferation financing sanctions can be breached by back-street uranium bargain hunters.
The lack of these basic safeguards leaves this quickly growing sphere open to the influence of bad actors, and the majority of these DeFi projects would be treated as money laundering schemes if held to the same standard as centralised VASPs – exposing some of the great teams in the space to the risk of being party to money laundering and terrorist financing.
The KuCoin hacker flew that flag when he/she took millions of dollars’ worth of Synthetix tokens to Uniswap, the largest decentralised exchange (DEX), and to another DeFi swap provider, KyberSwap. And the KuCoin event is not the first time we at Coinfirm have seen transactions from hacks and scams flowing into DeFi.
This is not to say that DeFi is all bad. I personally think there is great innovation in finance happening there, and transparency – once you know what you’re looking for and how – is high. But DeFi is code, managed by code.
Thus human intervention is, in theory, very low, and any measures to protect investors must be built into the protocol itself. This may mean more stringent risk management policies or requirements that take into account the lack of credit scoring and of human (or central) supervision. But for the development teams coding the protocols, building compliance into the platform could be seen as a hindrance to fast scaling at worst, or an afterthought at best.
In fact, there is a risk that compliance in DeFi is heading in the opposite direction entirely. As Dovey Wan of Primitive Ventures notes, “All Defi infra are natural mixers with ultra low slippage” – meaning that DeFi systems could easily be abused because of the very code they are built on.
But I would urge protocol developers to take heed. Larry Cermak, The Block Crypto’s Director of Research, chimed in about the KuCoin hack as he watched OCEAN (one of the hundreds of ERC-20 tokens stolen from KuCoin, and one which had to perform a hard fork because of the event) being dumped on Uniswap, writing that a “high profile incident like this could bring Uniswap into regulators’ spotlight.”
It is only a matter of time before clear-cut regulations come down on this compliance-averse crypto sector. But interestingly, there is a solution: so-called ‘Oracles’ – compliance-focused smart contracts that are able to ‘talk’ to other smart contracts and to APIs. Coinfirm will soon launch one. This is the only way transactions can be checked against AML risk.
The recent hack has also demonstrated how quickly and transparently centralised exchanges, already well established and in line with AML requirements, reacted to the illicit flow of funds from the hacker. The community responded swiftly, with a total of ~$129 million of the $200 million frozen or invalidated by various projects and blockchain entities.
But DeFi is not (yet) subject to those requirements. A research paper co-authored by Crypto.com stated that DeFi may not fall under current regulatory guidelines. The current FATF recommendation is that if a DeFi protocol is sufficiently decentralised and the entity behind it is not involved in daily operations, it may not be classified as a Virtual Asset Service Provider (VASP) and will therefore be exempt from the Travel Rule.
Complicating the problem is the question ‘what is full decentralisation?’ Whilst DEXs and other DeFi platforms may appear decentralised, development teams that remain in control will put them in regulators’ sights. In the case of the KuCoin hack, some DeFi projects have even been ‘condemned’ for actually being centralised, owing to their ability to invalidate transactions associated with the hacker’s activities. But that is a whole other debate for another time.
We have been aware of the issue of compliance (or rather the lack of it) in DeFi for quite some time and have finally found a solution to the problem, which we shall be releasing to the market imminently.
So stay tuned.