Bridging the Gap: Achieving Compliance in DeFi with Zero-Knowledge Techniques

Views from Dr. Andreas Freund. 21 August 2024

Quick Summary

There exist platform solutions for DeFi protocols to adopt regulatory adherence without sacrificing decentralization. By utilizing blockchain technology and cryptographic methods, DeFi protocols can provide secure and transparent transactions that align with regulatory requirements while preserving user confidentiality. These protocols enforce compliance regulations on digital assets and their owners. Thus, they can offer a strong and adaptable framework to assist DeFi protocols in navigating the intricate regulatory terrain, aiding in the establishment of a safer and more trustworthy decentralized financial ecosystem.

Overview

Decentralized Finance (DeFi) has surged into the financial landscape (at least in the OpEd columns of Bloomberg and Fortune), presenting a permissionless and transparent substitute to conventional financial establishments with a total locked value (TVL), as of this moment, approaching $100Bn. Nevertheless, this inherent decentralization presents a significant obstacle: compliance. Unlike traditional entities with centralized oversight, DeFi protocols are frequently governed by self-executing code and do not have a single entity accountable for enforcing regulations. This brings forth a crucial inquiry: how can these pioneering protocols weave compliance criteria into their very fabric without undermining their fundamental tenets of decentralization and independence? This dilemma is central to DeFi’s future, as regulators struggle to strike the right balance between encouraging innovation and safeguarding consumers, given that nearly all the ~ $100Bn in TVL and billions of dollars in daily transactions on Decentralized Exchanges (DEXs), as noted by DeFi Lama, have not undergone adequate compliance evaluations. Regrettably, and very recently, regulators have begun legal proceedings against entities like Uniswap, Tornado Cash, and other DeFi frameworks.

After disregarding regulators for several years, the developers of DeFi protocols are now coming to two realizations:

1. The terms decentralization and No-Control do not shield against costly legal repercussions.
2. Widespread adoption of DeFi necessitates enhanced user experience and enforcement of compliance — in both financial regulations and data privacy, simultaneously.

Even if DeFi protocols wished to enact compliance checks forthwith, it would not only disrupt their primary clients but necessitate complete rewrites of the protocol. In essence, entirely new iterations of the protocol would need to coexist with older versions that lack compliance examinations. This scenario is untenable, as the foundations or DAOs governing DeFi protocols would likely still be held responsible for non-compliant versions of their protocol, considering that “smart contracts last eternally” — yes, the Marilyn Monroe pun was intended.

Fortunately, a path forward exists for these protocols. By harnessing blockchain-native compliance methods – a fusion of smart contracts and blockchain-verifiable zero-knowledge proofs, which represent affirmations that a user and their submitted asset transaction comply with the relevant laws in a jurisdiction, a comprehensive framework can be established to secure regulatory compliance, risk management, and transaction reporting for any digital asset. The proposed framework builds upon the foundational work originally conducted by Azgad-Tromer et al. (2023) that merges strong regulatory compliance actions with privacy safeguards. This allows, for instance, the development of compliant versions of digital assets that adhere to jurisdictional regulations while also preserving user privacy. The original framework by Azgad-Tromer et al. maintains the economic value and technological functionalities of digital assets, ensuring that sensitive data is selectively visible only to authorized law enforcement agencies – Fincen, SEC, OFAC, etc. This bolsters the security and integrity of digital asset transactions while ensuring privacy for legitimate participants. Furthermore, the framework’s compatibility with diverse types of digital assets, such as fungible and non-fungible assets, renders it a versatile solution.

In summary, the framework enhances blockchains with supplementary information regarding actors’ identities and asset origins in a privacy-preserving manner and was initially executed by Sealance. This groundbreaking approach equips the framework to tackle the challenges presented by the decentralized characteristic of digital assets. Integrating Compliance-Relevant Auxiliary Information (CRAI) into transactions involving digital assets in encrypted format guarantees that crucial compliance information, such as user identities, credentials, transaction records, and fund origins, remains secure and impervious to tampering – see FinCen guidance on Anti-Money Laundering as an illustration. The framework incorporates cryptographic protocols capable of automatically enforcing compliance rules linked to digital assets — what holders can or cannot do with such digital assets — and on digital asset holders — what assets individuals are permitted or prohibited from holding and/or trading. It can also modify CRAI during transactions recorded on the blockchain. This integration enables real-time compliance monitoring and reporting, bolstering transparency and accountability within the digital asset ecosystem.

Note that previous work in this area was conducted by Kaira et al. in 2021 for the scenario of a centrally managed Hedge Fund. While it complements this discussion, it does not address KYC/AML compliance, which is the primary topic of this paper.

How to Achieve Regulatory Compliance for DeFi Protocols

So, how does such a framework function within the framework of DeFi protocols, considering that most assets on these platforms are not inherently regulatory compliant?

Fig. 1: High-Level DeFi (ZKP) Compliance Framework as an extension of Azgad-Tromer et al.

The principal insight in the extension of the Azgad-Tromer et al. framework is that a smart contract wallet utilized, for instance, in Account Abstraction (refer to EIP-4337) serves as a representation of one or multiple entities.

Owned Accounts (EOA) possesses considerably greater adaptability owing to its programmability compared to a standard EOA. When a smart contract wallet merges with various smart contracts that enforce compliance regulations and engage with a DeFi protocol, we acquire all the essential components. Consider a smart contract wallet as functionally comparable to a conventional Broker-Dealer, a regulated and registered institution, that executes trades for its clients, while a DeFi protocol equipped with one or more compliance-enforcing smart contracts resembles a registered stock or commodity exchange handling trading and compliance operations. It is important to note that a Broker-Dealer acts as a *registered entity* that serves as a *legal proxy* for a regular investor to conduct trades on the investor’s behalf and impose trade compliance guidelines. The stock exchange is yet another *registered entity* – registered with regulatory bodies like the SEC or FinCEN – and its compliance and trading functions are intentionally segregated — this separation of concerns forms a crucial compliance principle.

With this comparison in mind, we can now develop a regulatory-compliant DeFi protocol architecture integrated with a compliance framework, such as the one introduced by Sealance via policy manager contracts with related compliance policies, along with a compliance policy and a compliant account registry. The simplest implementation involves “smart contract hooks” in DeFi protocols as they facilitate custom compliance enforcement extensions to the protocol, for instance, Uniswap V4 or Seaport. However, this does not address the challenge for DeFi protocols that lack such features; at present, they still account for the majority.

There is a generally accepted safe method for engaging with DeFi protocols that do not feature contract hooks for compliance evaluations when a user acquires a yield-generating asset, such as the Compound yield token (YT), for example, cDai. In our upcoming explanation, we implicitly assume that DeFi protocol contracts like the Uniswap Router or Position Manager are registered contracts, ensuring that the compliance policy enforcement system embedded in “compliant” assets can recognize them as compliant, thereby negating the need for an additional zero-knowledge proof (zkp) compliance assertion to be included with, for instance, a transfer function.

Fig. 2: Sample zkp-Compliance Stack application with Uniswap and compliant smart contract wallet

A compliance-oriented DeFi interaction pattern is outlined below, specifically using the example of adding liquidity to a Uniswap Liquidity Pool:

1. A user (EOA) engages a DeFi Protocol compliance (wrapper, also referred to as a logical abstraction) contract directly or via the user’s Smart Contract Wallet in a scenario of account abstraction.
   Note: the smart contract wallet has already been granted a Power-Of-Attorney certificate via an authorized KYC/AML provider, such as a banking institution or an exchange. This certificate is utilized similarly to a real-world Power-Of-Attorney; it signifies the smart contract wallet’s capability to utilize the zero-knowledge proof (zkp) assertions of compliance that the zk-based compliance platform establishes for a user’s asset transactions.
2. The DeFi (wrapper) contract verifies the zkp compliance assertions submitted by the user using the zk-based compliance architecture – a smart contract framework as depicted in Fig 1 – directing compliance assertions as zk-proofs to (compliance) policy enforcement points (PEP) – smart contracts within the zk compliance framework) where proofs are validated, and actions or transactions are either permitted or rejected. If the compliance evaluations are successful, liquidity is added to a pool — either of compliant or non-compliant assets — on behalf of the user by the DeFi (wrapper) contract. For the purpose of this discussion, let’s assume a compliant asset pool
3. The DeFi compliance (wrapper) contract receives the YT and generates a compliant YT asset leveraging one of the zkp assertions provided by the user.
4. The DeFi compliance (wrapper) contract then transfers the now compliant YT to the EOA or the smart contract wallet — this also necessitates a zkp compliance assertion. 

This method prevents users from trading non-compliant YTs unless they manually unwrap the asset. It is important to note that all yield now accumulates to the compliant YT. An alternative approach involves deploying DeFi compliance library contracts that function similarly to a compliance wrapper contract while eliminating the need for trust in the initial wrapper contract setup.

For transactions involving compliant assets in DeFi protocols (e.g., lending, swaps) or compliant assets entwined with non-compliant assets (e.g., swaps), an additional pattern exists:

1. A User (EOA) may employ an authority delegation policy articulated as a PEP for its smart contract wallet, allowing the smart contract wallet to interact with a compliant asset without the necessity to produce a zkp compliance assertion. This can be accomplished by the user generating a delegating zkp compliance assertion (delegation to smart contract wallet) and presenting it to the zk-based compliance stack for validation, which is then recorded with a specified Power-Of-Attorney policy within a PEP. Power-of-attorney-like policies may exist at a jurisdictional level, by asset class, or even at the level of individual assets.
   Key Point: An authority delegation policy utilized in a transaction is applied at the asset level, not at the level of a payee, payer, or authorizer. This allows an asset to discern whether a payer or payee is permitted to engage with it, without necessitating the production of a zkp compliance assertion.
2. Familiar DeFi protocol smart contracts e.g. Uniswap Router, or an Aave Lending Pool manager may therefore also leverage a Proof Delegation policy as previously described. The primary distinction is that within this context, the entity generating the delegation zkp compliance assertion (regulatory whitelisting of a DeFi protocol smart contract), as well as the registration, is carried out by an authorized policy creator or registrar like a KYC provider in the zk-based compliance ecosystem.
   Key Point: Similar to the situation of anEOA, this registrar-proof-delegation policy operates at the asset level and can distinguish between jurisdiction, asset category, and even specific assets. Nevertheless, it represents a distinct type of authority delegation policy since the requester holds a different role within the ecosystem. Consequently, the compliant asset must incorporate both types of authorization delegation policies, as it will interact with a smart contract wallet, a DeFi protocol compliance wrapper, and a DeFi Protocol smart contract.

Conclusion

In conclusion, to guarantee the sustainability and acceptance of DeFi protocols among mainstream users, it is essential for these protocols to advance towards regulatory compliance. The compliance platform detailed herein, an extension of the model proposed by Azgad-Tromer et al. and executed by Sealance, presents a pragmatic solution enabling DeFi protocols to integrate compliance measures while preserving decentralization. It employs blockchain technology and sophisticated cryptographic protocols for transparent, secure transactions that align with regulatory mandates while maintaining user privacy. It enforces compliance standards on digital assets and their owners, establishing a robust and adaptable framework. The primary advantages of the outlined compliance structure for DeFi protocols include:

• Regulatory Compliance: The framework allows DeFi protocols to conform to regulatory guidelines without jeopardizing their decentralized essence (although KYC must still be executed by centralized entities).
• Risk Management: The framework provides mechanisms for efficient risk management and transaction reporting for various digital assets.
• Privacy Protection: The framework incorporates cryptographic features that protect privacy, such as zkps, ensuring that sensitive user information utilized in compliance credentials and in the formulation of zkp compliance policy assertions remains confidential, with personal data stored and accessible solely by KYC/AML or other compliance credential providers like banks or exchanges.
• Security: By employing robust cryptographic protocols, the framework can augment the security and integrity of digital asset transactions through the enforcement of complex business rules.
• Versatility: It is adaptable to various types of digital assets, including fungible and non-fungible tokens, rendering it a versatile solution for the DeFi ecosystem.
• Transparency and Accountability: The framework enhances transparency and accountability in the DeFi sector through real-time compliance oversight and reporting (via on-chain submitted, fully encrypted reports).

Such a framework can aid DeFi protocols in maneuvering through the complex regulatory landscape, fostering a safer and more reliable decentralized financial environment.

Dr Freund can be reached via email at [email protected]