Clarity Cuts Both Ways: The Digital Asset Market Clarity Act Exposes DeFi’s Legal Contradictions

The noise emerging from negotiations around the Digital Asset Market Clarity Act reveals a lot about long-simmering conflicts inside the web3 ecosystem. We have been writing for years about strange and clearly unsafe and clearly unacceptable requests from web3 lobbyists for exemptions and the like. We have even noted government officials tepidly starting to call out the industry for these issues. And now, finally, things are developing such that once-hidden conflicts are staring to emerge into the light.

The basic problem here is the generic-web3-lobbyist position on "clarity" is all about some ideal future world where everything is inherently automated and compliant and immutable. But the reality of today is anything but those three things. For example, to anyone that can read the code and work out the control lines it has long been clear that the vast majority of DeFi is in fact custodial under standard legal principles. So industry lobbyists push for exemptions and "clear" rules that might be written in plain english but also plainly do not apply to much of today's web3 economy. This inconsistency was always going to cause trouble at some point because the rules lobbyists were asking for do not suit their own clients.

And now, as soon as a regulatory framework consistent with those lobbyists' requests appeared as draft legislation, people are starting to freak out. The highest profile freak-out was from Coinbase which, apparently, infuriated the Trump White House when Coinbase abruptly and publicly did an about-face to abandon legislation it had formerly supported. We have long predicted industry actors would eventually be called out for these inconsistencies. That looks to have started.

There are a large number of contentious issues in this mess. Here we are going to focus on just two of them: DeFi exemptions and developer protections. These two issues are ideal to demonstrate the problem because the proposed legislation gives the industry pretty much exactly what it asked for yet nobody seems to really want it. And the responses make clear the initial requests were all, at best, unclear and intended to mislead.

Useless DeFi Exemptions

To start here, it is worth noting that Coin Center's position on the proposed DeFi exemptions looks reasonable to us and largely-consistent with their past statements. Coin Center is an old (relatively) web3 advocacy platform with a solid history of putting out clearly-reasoned pieces. We have often disagreed with them but they are a good representative for the intellectually-consistent libertarian-leaning side of web3 advocacy. And key to their positiion here is the distinction between decentralized and non-decentralized protocols. Nobody calls it CeDeFi anymore because that makes the problem too clear. But everyone knows, on some level, that a lot of "DeFi" is faking the "De."

The proposed bill only exempts truly decentralized, immutable protocols from a slew of rules. This leaves "DeFi" protocols with admin controls, kill switches, off-chain compliance and any number of other features within the traditional finance legal system where they probably cannot, and surely do not want to, comply.

You can get a good feel for the problem listening to this podcast in which a group of web3 advocates and lawyers seem to argue that unilateral central control should be acceptable as long as the stated goal of that control is safety. There are a number of other questionable claims in that discussion and elsewhere. But this whole "what about safety?" line is perfect to show the hypocrisy here. Who decides what is safe? How do we balance the safety of competing interests? Who even decides if a given "unsafe" incident is a hack or just a bad design feature?

If everyone in your world is a good faith actor and nobody ever makes mistakes then laws and police are a waste of resources. Building out infrastructure to give, say, parking tickets is clearly wasteful if nobody ever parks illegally. But that is not the real world. The real world has criminals and mistakes and word games. In 1962 President Kennedy announced a "quarantine" on shipments of offensive weapons to Cuba. That was part of what is now known as the Cuban Missile Crisis. This quarantine – effectively a US blockade of Cuba – was done, Kennedy said, in the interests of security. The US government chose the word "quarantine" because calling it a blockade would have been effectively declaring war on USSR-backed Cuba under Castro. Nobody wanted that.

And everyone understood the word games being played. Eventually, the off-chain exchange of messages between Kennedy and Khrushchev resolved the situation without a war between the US and USSR. But everybody, on all sides of the discussion, understood the word games involved. "Safety" will be interpreted differently by different people. Some will claim misinterpretation is involved. The point here is that history is replete with incidents where "safety" and "security" are used to justify actions on the flimsiest of pretexts. Handing out an exemption for total control because it is aimed at safety is childish and legislators are unlikely to fall for this loophole.

Or, to borrow a common saying, one person's safety is another person's attack. Control is control and the rules are written as they are to prevent someone bootstrapping unintended changes through a "small" vector of control. Why be so paranoid? Because history teaches that those small vectors of control will be so leveraged.

Developer Protections

The proposed legislation makes clear that nobody can be charged for a range of financial crimes "solely based on" writing software. It further clarifies that deployment, in and of itself, is to be construed as part of writing software but that any post-deployment interactions are outside the scope of the protection.

Beyond clarifying that deployment is part of development and not an operational detail this would seem to offer no protection beyond what already exists in the world. Nobody has been charged with a financial crime in web3 solely based on their writing software. In all of the mixer cases charged to date the developers were involved in some form of post-deployment activity. Sometimes this involved actively maintaining and interacting with on-chain code. Sometimes it involved running and maintaining a front-end to access on-chain code. Sometimes it consisted of marketing. Or collecting fees from a service. Or a range of other things.

The essential commonality across all the mixers charged to date is that the operator, whoever they were, was charged with things beyond just writing software.

Many in web3 believe the proposed legislation does not go far enough to protect developers. To them we say: what do you want? It is absurd to suggest the mere act of writing code absolves you of responsibility for actions taken after that code is put out into the wild. Does being a developer also mean you cannot be convicted of murder no matter what else you do? That is nuts. There are no recent cases in which someone was charged with a financial crime in web3 just for writing code. There are people who falsely claim this has happened. But false claims are not, well, they are not true.

Now it is true that through the mid 1990s the US government did try to use legal means to control the distribution of encryption software and source code. There was a time, in living memory, when the idea of charging someone "solely based on" writing software was a thing. But that ended about 30 years ago and the protection in the bill seems redundant. The outcome of the Crypto Wars was essentially a clarification that the First Amendment prevented the government from going after people for publishing math or source code. The First Amendment is old and gets clarified in various guises from time to time. That is how common law works.

We would argue that a protection which does nothing should be deleted lest a statutory construction concept known as the "rule against surplusage" leads some future judge to imbue the language with meaning nobody intended. Our concern here is that inserting a useless protection might end up generating some hard-to-predict-in-advance protection in the future when a judge looks at a strange case and tries to work out what the law means. To that judge we say: the narrowest meaning we can construe is that writing and deploying a piece of software does not mean the developer or deployer is a party to any contracts that software may some day enter into solely based on their having written or deployed that software. That means something, just not very much.

When you recall the Tornado Cash decision which concluded that immutable unowned software cannot enter into contracts the composition reveals why our reading is so useful. If someone deploys software they still own and control then they should be liable for whatever that owned software does. But that liability attaches by virtue of the ownership not the deployment (or the writing of the software). And when it comes to unowned immutable software, well, there are no ongoing admin interactions. So if no liability attaches due to deployment then no liability attaches at all.

The only practical difference here is the strange case of deploying owned mutable software where the owner at deployment is someone other than the developer or deployer. The rule would clarify that a non-owning deployer cannot be held accountable for the actions of the owned contract purely by virtue of doing the deployment. That could happen so the rule is not surplusage. It is however unlikely and the owner would be accountable anyway. So this corner case, while rare, resolves sensibly under our proposed reading.

If this language appears in legislation which is eventually enacted that is how we hope the words are eventually read by a court. Even better would be to delete this fake "protection" because there are unlikely to be any practical differences vs the status quo and more words introduce more opportunities for future confusion.

Infighting On

Coinbase did a very public 180 here and it is easy to see why when you understand what Coinbase really does. As but a single example, Coinbase has long been the central authority running an entire busy blockchain called base. We first called this out in 2023. And there are other Coinbase-adjacent projects with similar problems. They want an exemption for developing software that extends to absolve them of responsibility for activity beyond just writing code. That must be true as the proposed legislation offers immunity for the acts of writing and deploying code and Coinbase claims the proposed legislation is inadequate. There is nothing else Coinbase could possibly mean.

And this problem of claiming one is "just a developer" while running an on-chain business is endemic across web3. A lot of people accused of crimes, like for example the Samourai Wallet team and their sanctions- and money transmission-related legal problems, try to rally support for their defense by claiming they did nothing wrong and just wrote code. Almost always this is misleading and they wrote code and then did other things too. In the Samourai Wallet case one of the now-convicted developers once tweeted out Welcome new Russian oligarch Samourai Wallet users. Marketing is not writing code. And that style of marketing is asking for trouble. Nobody is willing to come out and claim that writing code should give you immunity for marketing activities but that is clearly what these people want.

So a large slice of the community have been lying for years and now they have a problem. If you agitate for X consistently for a long time and then when someone tries to give it to you a tantrum erupts there is a problem. We expect this to result in the formation of three groups of rifts.

First, we have the split between industry actors and the politicians and lobbyists that have long worked for them. Politicians listen to their donors and this industry has long donated a lot and spent a lot to hire lobbyists to influence policy. But there are limits. Even if your opinion of politicians is incredibly low and you believe they will say anything a donor asks for, you have to acknowledge politicians do not like looking like they are owned by their donors.

Flailing wildly as industry changes what it wants is not a good look in part because it makes it so much easier for your opponent in the next election to paint you as an unprincipled shill for that industry. Politicians do what their donors ask for because the donations help them get elected. But it is surely possible for a donor to request something that does more harm to the politician's electoral chances than the donor can make up with money or support.

Second, we have the split between tech teams and their lawyers. Just imagine the discussions inside VCs and DeFi businesses as the developers try to explain to their lawyers why these rules are dangerous. "But I thought the protocol was decentralized?" and "What do you mean the software controls user funds under these definitions?" Compliance is going to want to understand what it is signing off on. Again: you can pay people to look away but the price goes up the more flashing red lights are attached to the problem.

And finally there is the upcoming rift between investors and non-compliant businesses. A VC that soft understood you were speaking aspirationally about how your protocol might someday work will distance itself right quick when you take a public position that reveals you know you are breaking the law. Coin Center, as referenced above, is taking a public position in opposition to Coinbase. Coinbase has historically been a funder of Coin Center. But given how clear and consistent Coin Center's positions have been for years it is not like Coinbase could really expect them to contradict all of that just to please a donor. Further, Coinbase is the one paying and Coinbase is the one with the potential legal risk so there is no upside in publicly breaking all ties with Coin Center.

Not so for investors that can no longer sustain willful blindness around their portfolio companies or business associates. Go look at the number of people abandoning Kontigo following some reporting it might be waist deep in Venezuelan sanctions evasion. If an investor watches a portfolio company get exactly what it asked for in some draft legislation and then complain those rules are no good...that investor has no choice but to ask some questions.

All of a sudden many investors are going to be shocked to find gambling in the casino. Investors will happily take low returns, or even losses, on their clients money if the alternative is legal liability for financial crimes borne by the investor. The switch is being flipped, at this moment, from optimizing portfolio risk-reward ratios to optimizing that one cannot be charged in any sort of financial crime conspiracy.

DeFi's original sin - not working out the "De" before launching - is coming home to roost.