
    Bridging the Gap: Navigating DeFi Compliance through Zero-Knowledge Techniques

    By wsjcrypto, 27 February 2025. 11 Mins Read

    Insight from Dr. Andreas Freund. 21 August 2024

    TL/DR

    There exist platform solutions for DeFi protocols to incorporate regulatory compliance without sacrificing decentralization. By utilizing blockchain technology alongside cryptographic protocols, DeFi protocols can guarantee secure and transparent transactions that fulfill regulatory requirements while preserving user confidentiality. Such protocols impose compliance regulations on digital assets and their holders. Consequently, they can offer a solid and adaptable framework to assist DeFi protocols in navigating the intricate regulatory environment, thereby contributing to a more secure and trustworthy decentralized financial ecosystem.

    Introduction

    Decentralized Finance (DeFi) has disrupted the financial sector (at least in the OpEd columns of Bloomberg and Fortune), presenting a permissionless and transparent alternative to traditional financial entities with a total value locked (TVL), as of this date, nearing $100Bn. Nonetheless, this very decentralization poses a significant challenge: compliance. Unlike traditional institutions that operate under centralized control, DeFi protocols are often governed by self-executing code and do not have a singular entity tasked with upholding regulations. This brings up a pivotal question: how can these groundbreaking protocols integrate compliance rules into their essence without undermining their fundamental principles of decentralization and independence? This challenge is central to the future of DeFi, as regulators struggle to strike the right balance between encouraging innovation and safeguarding consumers, since nearly all of the approximately $100Bn in TVL and the billions in daily trades on Decentralized Exchanges (DEXs), according to DeFi Llama, have not been subjected to any proper compliance assessments. Unfortunately, and quite recently, regulators have resorted to legal proceedings against several entities such as Uniswap, Tornado Cash, and other DeFi protocols.

    After ignoring regulators for many years, the organizations developing DeFi protocols are now acknowledging two key aspects:

    1. The concepts of decentralization and No-Control do not shield against costly legal repercussions.
    2. Widespread adoption of DeFi necessitates improved UX and compliance enforcement — both financial and data privacy, simultaneously.

    Even if DeFi protocols intended to implement compliance assessments promptly, it would not only disrupt their primary clients but also necessitate protocol overhauls. In simpler terms, entirely new iterations of the protocol would be required while earlier versions continue to operate without compliance assessments. This scenario is untenable, as it is highly likely that the foundations or DAOs governing DeFi protocols would still be liable for non-compliant versions of their protocol since “smart contracts are eternal” — indeed, a Marilyn Monroe pun intended.

    Fortunately, a pathway exists for these protocols. Blockchain-native compliance mechanisms, a blend of smart contracts and blockchain-verifiable zero-knowledge proofs which indicate that a user and the submitted asset transaction conform to applicable legislation in a jurisdiction, establish a comprehensive framework to guarantee regulatory compliance, risk management, and transaction reporting for any digital asset. This proposed framework builds upon the initial work conducted by Azgad-Tromer et al. (2023), which merges stringent regulatory compliance measures with privacy safeguards, enabling, for instance, the development of compliant versions of digital assets that adhere to jurisdictional regulations while retaining privacy. The foundational framework by Azgad-Tromer et al. maintains the economic worth and technical functionalities of digital assets while ensuring that sensitive data is selectively visible only to authorized law enforcement entities (FinCEN, SEC, OFAC, etc.). This reinforces the security and integrity of digital asset transactions while safeguarding privacy for legitimate users. Moreover, the framework’s adaptability to various forms of digital assets, such as fungible and non-fungible digital assets, renders it a versatile solution.

    In summary, the framework enhances blockchains by integrating additional information regarding actors’ identities and asset provenance in a privacy-preserving manner and was initially implemented by Sealance. This progressive approach empowers the framework to tackle the challenges imposed by the decentralized character of digital assets. Attaching Compliance-Relevant Auxiliary Information (CRAI) in encrypted form to transactions involving digital assets guarantees that essential compliance data, such as user identities, credentials, transaction history, and fund origins, remains secure and impervious to tampering (see the FinCEN guidance on Anti-Money-Laundering for illustration). The framework integrates cryptographic protocols that can systematically enforce compliance standards assigned to digital assets (specifying what holders can and cannot execute with such digital assets) and to digital asset holders (detailing what assets individuals are permitted to hold and/or trade). It can also update CRAI during the documentation of transactions on the blockchain. This integration facilitates real-time compliance oversight and reporting, boosting transparency and accountability within the digital asset ecosystem.

    It is worth mentioning that prior work in this domain was executed by Kaira et al. in 2021 concerning a centrally managed Hedge Fund. While it complements this conversation, it does not address KYC/AML compliance, which is the focal point of our discussion in this paper.

    How to Render DeFi Protocols Regulatory Compliant

    How does such a framework function within the context of DeFi protocols, considering that most assets on these platforms are not inherently regulatory compliant?

    Fig. 1: High-Level DeFi (ZKP) Compliance Architecture as an enhancement of Azgad-Tromer et al.

    The core insight in extending the Azgad-Tromer et al. framework is that a smart contract wallet utilized, for instance, in Account Abstraction (refer to EIP-4337) serves as a representative of one or more Externally Owned Accounts (EOAs) and possesses considerably greater adaptability, owing to its programmability, than a conventional EOA. When a smart contract wallet is integrated with additional smart contracts enforcing compliance regulations and engaging with a DeFi protocol, we have all the necessary components. Conceptualize a smart contract wallet as being functionally similar to a conventional Broker-Dealer, a regulated and licensed entity that executes trades for its clients, while a DeFi protocol integrated with one or more compliance-enforcing smart contracts resembles a regulated stock or commodity exchange handling trading and compliance operations. It’s important to note that a Broker-Dealer is a *licensed entity* that acts as a *legal representative* of an individual investor, facilitating trades on the investor’s behalf and enforcing trade compliance regulations. The stock exchange serves as another *licensed entity* – registered with regulatory bodies like the SEC or FinCEN – and its compliance and trading duties are designed to be distinct; the separation of responsibilities is a critical compliance requirement.

    Bearing this analogy in mind, we can now develop a regulatory-compliant DeFi protocol architecture incorporated with a compliance structure akin to that introduced by Sealance through policy manager contracts alongside associated compliance guidelines, and a compliant account registry. The simplest execution is via “smart contract hooks” within DeFi protocols as they permit tailored compliance enforcement extensions to the protocol, as seen in Uniswap V4 or Seaport. However, this does not address the challenge for DeFi protocols lacking such capabilities, which still constitute the majority.

    There exists a generally recognized safe methodology to engage with DeFi protocols that lack contract hooks for compliance verification when a user acquires a yield-generating instrument, such as a Compound yield token (YT), e.g., cDai. In our illustration below, we implicitly assume that DeFi protocol contracts like the Uniswap Router or Position Manager are recognized contracts, such that the compliance policy enforcement mechanism embedded in “compliant” assets can recognize them as compliant, thus not necessitating an additional zk-proof compliance assertion to be incorporated with, for instance, a transfer function.

    Fig. 2: Example zkp-Compliance Stack application with Uniswap and compliant smart contract wallet

    A compliance-safe DeFi interaction model is outlined below using the example of contributing liquidity to a Uniswap Liquidity Pool for specificity:

    1. A user (EOA) directly interacts with a DeFi Protocol compliance (wrapper, also termed a logical abstraction) contract, or through the user’s Smart Contract Wallet in an account abstraction scenario.
      Note: the smart contract wallet has been granted a Power-Of-Attorney certificate via an authorized KYC/AML provider, such as a bank or exchange. This certificate functions similarly to how a conventional Power-Of-Attorney operates; it designates the smart contract wallet as capable of utilizing the zero-knowledge proof (zkp) compliance assertions generated by the zk-based compliance platform for asset transactions.
    2. The DeFi (wrapper) contract authenticates the submitted zkp compliance assertions using the zk-based compliance stack (a smart contract framework, as seen in Fig. 1), which directs compliance assertions via zk-proofs to policy enforcement points (PEPs), smart contracts that form part of the zk compliance stack, where proofs are validated and actions or transactions are subsequently either permitted or denied. Should the compliance verifications succeed, the DeFi (wrapper) contract may introduce liquidity into a pool for the user, whether a pool of compliant or non-compliant assets. We will consider a compliant asset pool for the subsequent discussion.
    3. The DeFi compliance (wrapper) contract receives the YT and generates a compliant YT asset using one of the zkp assertions provided by the user.
    4. The DeFi compliance (wrapper) contract subsequently transfers the now compliant YT to the EOA or the smart contract wallet — this too necessitates a zkp compliance assertion.

    This procedure prevents users from trading non-compliant YTs unless the user actively unwraps the asset. It should be noted that all yield now accumulates to the compliant YT. A variation of this method involves employing DeFi compliance library contracts with functionalities identical to those of a compliance wrapper contract while eliminating the need for trust in the initial wrapper contract deployment.

    For transactions involving compliant assets in DeFi protocols (e.g., lending, swaps) or compliant assets combined with non-compliant assets (e.g., swaps), there exists an additional pattern:

    1. A User (EOA) may leverage an authority delegation policy represented as a PEP for its smart contract wallet, thereby enabling the smart contract wallet to interact with a compliant asset without needing to present a zkp compliance assertion. This can be realized by the user generating a delegating zkp compliance assertion (delegation to the smart contract wallet) and submitting it to the zk-based compliance stack for validation and subsequent registration with a particular Power-Of-Attorney policy within a PEP. Authority delegation policies may be established at a jurisdictional level, by asset type, or even for individual assets.
      Key Point: An authority delegation policy intended for a transaction operates at the asset level, rather than at the level of a payee, payer, or authorizer. This enables an asset to ascertain if a payer or payee is authorized to interact with it without necessitating a zkp compliance assertion.
    2. Recognized DeFi protocol smart contracts, such as the Uniswap Router or an Aave Lending Pool manager, can therefore also implement a Proof Delegation policy as previously described. The main distinction is that, in this situation, the creation of the delegation zkp compliance assertion (through regulatory whitelisting of a DeFi protocol smart contract) and the registration are carried out by an authorized policy creator or registrar, like a KYC provider within the zk-based compliance ecosystem.
      Key Point: Similar to the instance of an EOA, this registrar-proof-delegation policy exists at the asset level and can distinguish between jurisdiction, asset type, and even specific assets. However, it represents a different category of authority delegation policy since the requester possesses another role within the ecosystem. Therefore, the compliant asset needs to have both types of authorization delegation policies associated with it because a smart contract wallet, a DeFi protocol compliance wrapper, and a DeFi Protocol smart contract will interact with the compliant asset.
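
    The asset-level enforcement decision that both interaction patterns above rely on (an assertion checked at a PEP, plus the two delegation policy types), modelled in Python as an added example; it is not code from the article, Sealance or any DeFi protocol. A Schnorr proof of knowledge over a toy group stands in for the zk-proof system, which the article does not specify, and `PolicyEnforcementPoint`, its method names and the action strings are hypothetical.

```python
import hashlib, secrets
# Toy Schnorr group, constructed for illustration only (small, smooth order, not secure).
P, G, Q = 2**127 - 1, 3, 2**127 - 2  # G**Q == 1 (mod P), so exponents reduce modulo Q

def _challenge(pub, commit, context):
    data = f"{pub}|{commit}|{context}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(secret, context):
    """Prove knowledge of a credential secret; context binds the proof to one action."""
    nonce = secrets.randbelow(Q)
    commit = pow(G, nonce, P)
    c = _challenge(pow(G, secret, P), commit, context)
    return commit, (nonce + c * secret) % Q

def verify(pub, context, proof):
    commit, response = proof
    return pow(G, response, P) == commit * pow(pub, _challenge(pub, commit, context), P) % P

def asserted(keys, who, context, proof):
    return who in keys and proof is not None and verify(keys[who], context, proof)

class PolicyEnforcementPoint:  # hypothetical asset-level PEP, not the framework's contract
    def __init__(self, registrar_keys, accounts):
        self.registrar_keys = dict(registrar_keys)  # registrar -> public key
        self.accounts = dict(accounts)  # compliant account registry: account -> public key
        self.user_delegates = {}        # smart contract wallet -> delegating EOA
        self.recognized = {}            # DeFi protocol contract -> whitelisting registrar

    def delegate_to_wallet(self, eoa, wallet, proof):
        # User-created delegation: only an enrolled account holder can register it.
        if not asserted(self.accounts, eoa, f"delegate:{wallet}", proof):
            raise PermissionError("delegation needs the account holder's assertion")
        self.user_delegates[wallet] = eoa

    def recognize_contract(self, registrar, contract, proof):
        # Registrar-created delegation: a different role, so a separate policy type.
        if not asserted(self.registrar_keys, registrar, f"recognize:{contract}", proof):
            raise PermissionError("whitelisting needs a registrar assertion")
        self.recognized[contract] = registrar

    def permits(self, party, action, proof=None):
        """Allow if a delegation policy covers the party, else require an assertion."""
        covered = party in self.recognized or party in self.user_delegates
        return covered or asserted(self.accounts, party, action, proof)

def demo():
    kyc, alice = secrets.randbelow(Q), secrets.randbelow(Q)  # constructed secrets
    pep = PolicyEnforcementPoint({"kyc": pow(G, kyc, P)}, {"alice": pow(G, alice, P)})
    proof = prove(alice, "transfer:cYT:10")
    pep.delegate_to_wallet("alice", "wallet", prove(alice, "delegate:wallet"))
    return (pep.permits("alice", "transfer:cYT:10", proof),  # valid assertion
            pep.permits("alice", "transfer:cYT:99", proof),  # same proof, other action
            pep.permits("wallet", "transfer:cYT:10"))         # covered by delegation
```

    Calling `demo()` returns `(True, False, True)`. A production context string would also carry a nonce or transaction identifier, so that an assertion cannot be reused for an identical action.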

    Conclusion

    To summarize, for the sustainability and acceptance of DeFi protocols by mainstream audiences, these protocols must progress towards regulatory adherence. The compliance platform outlined, which expands upon the framework suggested by Azgad-Tromer et al. and executed by Sealance, provides a viable solution that allows DeFi protocols to integrate compliance features while preserving decentralization. It employs blockchain technology and sophisticated cryptographic methods for transparent, secure transactions that fulfill regulatory demands, all the while safeguarding user privacy. It enforces compliance regulations on digital assets and their owners, forming a robust and adaptable system. The primary advantages of the outlined compliance framework for DeFi protocols are:

    • Regulatory Compliance: The framework allows DeFi protocols to conform to regulatory requirements without sacrificing their decentralized essence (although KYC has to be conducted by centralized entities).
    • Risk Management: The framework facilitates mechanisms for efficient risk management and transaction reporting for a variety of digital assets.
    • Privacy Protection: The framework integrates cryptographic privacy-preserving features like zkps, ensuring that sensitive user information utilized in compliance credentials and the creation of zkp compliance policy assertions remains confidential, with personal details stored and accessible only by KYC/AML or other compliance credential providers such as banks or exchanges.
    • Security: By utilizing secure cryptographic protocols, the framework can bolster the security and integrity of digital asset transactions through the enforcement of intricate business rules.
    • Versatility: It accommodates various types of digital assets, including fungible and non-fungible tokens, rendering it a flexible solution for the DeFi ecosystem.
    • Transparency and Accountability: The framework encourages transparency and accountability within the DeFi sector through real-time compliance monitoring and reporting (via on-chain submitted, fully encrypted reports).

    Such a framework can aid DeFi protocols in navigating the complex regulatory landscape, fostering a safer and more reliable decentralized financial ecosystem.

    Dr. Freund can be reached via email at [email protected]


