The Decentralisation Defence

Background

Blockchain technology is underpinned by the idea of decentralisation. Indeed, the narrative of decentralisation is closely associated with cryptocurrencies and cryptoasset transactions. Yet, modern crypto markets are dominated by centralised players, such as issuers of stablecoins and crypto exchanges. Consequently, the vast majority of disputes brought before courts and supervisory authorities involve centralised entities. By contrast, disputes concerning decentralised arrangements remain relatively few in number. However, this does not mean that such arrangements are free from legal challenges. On the contrary, the legal issues posed by decentralisation are more complex and may require innovative approaches to achieve socially beneficial objectives of financial inclusion, consumer protection, market integrity and financial stability. These challenges have increasingly come into the spotlight in cases where decentralisation has been invoked as a defence against potential liability, both private and public.

Decentralisation is itself an elusive concept, but one with significant legal and regulatory implications. It is often used to describe a distributed ledger with a shared history of time-stamped transactions and distributed decision-making. As other authors have argued, the factual decentralisation of blockchain-based financial infrastructure should be assessed at each layer of the decentralised finance (DeFi) infrastructure or DeFi stack, starting with the settlement layer and continuing through the layers above it, including the asset and protocol layers, which are the core layers for DeFi ecosystems.

The phenomenon of the ‘decentralisation defence’ refers to the use of decentralisation as a shield against liability or as a means of placing relevant relationships beyond the reach of the law, thereby protecting them from legal scrutiny more broadly. The emergence of the decentralisation defence is a remarkable development in the last few years. It raises difficult questions about liability within DeFi arrangements and potential regulatory access points. When there is an identifiable intermediary or direct counterparty, the attribution of duties and liability is relatively straightforward. However, in their absence or when such parties are unknown, attribution becomes significantly more complex. In my recent article, I analyse the concept of the decentralisation defence and discuss potential regulatory responses.

The case of Uniswap DEX

In the Uniswap case, the developers (Uniswap Labs) and investors in the Uniswap protocol—a decentralised crypto exchange (DEX)—faced a securities class action in the US. While the Uniswap protocol is a set of autonomous and immutable smart contracts, it is hosted, in part, on the web interface. Uniswap Labs, a Delaware corporation, owns a website-hosted user interface through which investors can access the protocol and buy or sell various cryptoassets.

The plaintiffs in the case argued that they lost money after investing in what turned out to be worthless tokens traded on the DEX. Due to the pseudonymity ensured by the underlying technology, the identities of the issuers (sellers) of these tokens were unknown and unknowable. It was argued that by providing a marketplace for buyers and sellers and by assisting with the drafting of the smart contracts underlying the DEX’s operation, the defendants facilitated scam trades, thereby contributing to the harm they suffered.

The US court dismissed these claims, holding that the drafter of a computer code underlying a particular software platform is not liable for third-party misuse of that platform. According to the court, the harm suffered by the plaintiffs was caused by third-party human intervention, not by the underlying protocol developed by Uniswap Labs. The court compared the case to a situation in which a developer of self-driving cars (here, Uniswap Labs) is sued for a third-party’s use of the car to commit a traffic violation or robbery (here, the issuers of the tokens). Notably, the court rejected an analogy proposed by the plaintiffs, who argued that the code drafters should be liable in a manner akin to manufacturers of defective products.

This case demonstrates that the decentralisation defence can lead to uncompensated losses and other negative externalities, where societal harm is evident, but no identifiable wrongdoer exists. Arguably, all there is, is software. This outcome raises fairness concerns and potentially results in a moral hazard.

Decentralisation defence and regulatory responses

For a legal order that heavily relies on intermediaries as regulatory access points or hooks, decentralisation poses significant practical and doctrinal challenges. Caution is essential to avoid excessive and inefficient (ill-fitting) regulation by simply applying the old rule book. In my opinion, the search for a responsible party in blockchain-enabled decentralised arrangements resembles processes observed with other major technological advancements in the digital space, such as the internet and artificial intelligence.

The modern regulation of the internet revolves around online intermediaries (e.g., online marketplaces, social media platforms; see E-Commerce Directive and Digital Services Act). In contrast, the EU regulation of AI targets developers and deployers of AI systems (see AI Act), which themselves are subject to specific product-safety requirements under the revised Product Liability Directive. Violations of these requirements may lead to liability of producers due to product defectiveness. Drawing inspiration from these regulatory approaches, I focus on the role of DeFi user interfaces, which serve as key gateways to DeFi infrastructure, and on software developers engaged in the development of smart contract code and blockchain protocols.

Building on the regulation of online platforms, while taking important differences into account, I argue that DeFi user interfaces that merely facilitate access to smart contracts should be subject to detailed information obligations and a notice-and-take-down rule, obliging them to remove at the front-end graphic level those cryptoassets or cryptoasset services that violate the law. Arguably, this procedure will not be able to prevent all harm, as it is inherently reactive. Hence, a more difficult question is whether interfaces should actively monitor on-chain activity and the smart contracts to which they provide access. Online platforms do not have such an obligation, although they are encouraged to do so. In my view, a similar approach could be adopted for DeFi interfaces, which should be encouraged to embed compliance tools that automatically detect and prevent illicit transactions.

As for developers within the blockchain ecosystem and the concept of product defectiveness, I observe that if a smart contract executes a transaction in line with the pre-programmed specification—even if the specific transaction violates the law and is voidable—this hardly indicates the defectiveness of the smart contract itself. In the absence of well-defined standards for such software, imposing far-reaching obligations or fiduciary-like duties on developers may be disproportionate and discourage innovation. This is particularly problematic given that much blockchain-related software is free and open-source. This is why the first step in addressing the role of developers should be the creation of relevant standards and guidelines. These standards should incentivise developers to address software vulnerabilities and minimise the risks associated with the decentralisation defence, taking into account the function of the specific software (e.g., payments, lending, exchange).

The author’s complete article can be accessed here.

Ilya Kokorin is Assistant Professor at Leiden University and Supervision Officer at the Dutch Authority for the Financial Markets (AFM). The views expressed in this blog post are solely those of the author and do not necessarily reflect those of the AFM.