In September, the Commodity Futures Trading Commission (CFTC) brought two actions against bZeroX, its two co-founders and the Ooki decentralized autonomous organization (DAO) for violations of the Commodity Exchange Act and underlying regulations.

While the commissionrs move against the Ooki DAO is no doubt a significant milestone, there are other important aspects of these enforcement actions that also merit close attention, including for what they teach us about how regulators view control of Web3 protocols to work around technical hurdles and hold operators accountable.

David J. Kappos is a partner in Cravath, Swaine a Moorers corporate department and co-chair of the firmrs intellectual property practice. Evan Mehran Norris is a partner in Cravath, Swaine a Moorers litigation department and a member of the firmrs investigations and regulatory enforcement practice. Daniel M. Barabander is an associate in Cravath, Swaine a Moorers corporate department.

Over the past several years, we have repeatedly heard from industry participants that enforcement against Web3 platforms is unlikely, or even impossible, because existing regulations have architectural incompatibilities with Web3 platform functionality, making the concept of compliance inapt. That view should finally be put to rest. As the U.S. Treasury Department (Tornado Cash) and now the CFTC have demonstrated, regulators can and will make aggressive arguments to maneuver around potential barriers to enforcement presented by Web3 technology.

The area where we repeatedly see regulators blur the line between technical reality and their regulatory objectives is around control of a decentralized protocol. The bZx protocol, like all Ethereum-based protocols, is built using smart contracts, the defining feature of which is that they do not require a centralized operator to run their code; they run autonomously. This is a challenge blockchain technology presents to regulators across the board n how to hold persons accountable for code that does not require identifiable persons to run?

The bZx enforcement action demonstrates how at least one key regulator is thinking about control of Web3 protocols in order to hold operators accountable: by examining both technical and business control to draw the line between identifiable persons and autonomously run protocols.

Technical control

Technical control refers to technical mechanisms protocol developers use to control their protocol on the smart contract level, often by defining ladmin-onlyr functions that can be called solely by specific parties. Technical control is at the heart of the CFTCrs analysis. In fact, it is the determiner of the two time periods the CFTC lays out n the lbZx Relevant Periodr and the lDAO Relevant Period.r

Within those two time periods, the CFTC focuses on four levers of control n admin-only functionalities retained by bZeroX and the co-founders, and subsequently, the DAO: (1) upgrading protocol smart contracts; (2) pausing or suspending trading; (3) pausing or suspending contributions or withdrawals of assets and redemptions; and (4) directing disposition of the funds held on protocol smart contracts.

The CFTCrs primary vehicle for pointing out instances in which these parties did in fact exert such control relate to two exploits. First, it cites a $55 million hack the protocol suffered in November 2021 after a lspearfishing attack against a bZx DAO developer.r

In response to the breach, the DAO exerted its control over treasury funds, by lvot[ing] to utilize funds from the bZx DAO Treasury to compensate certain bZx DAO members and other users of the bZx Protocol who lost funds in connection withr the incident.

Second, the commission cites a February 2020 margin-lending exploit that targeted bZx and led to a loss of 1,300 wrapped ETH. To stop the hemorrhaging, lbZeroX utilized its Keys to pause trading and withdrawals, and to implement fixes to the smart contract code, to address the existing or potential losses to the bZx Protocolr caused by the incident.

As these two incidents show, technical control is at the heart of Web3 exploits because it (a) presents centralized points of failure and thus an attractive attack vector in decentralized systems and (b) exists to allow a protocol to swiftly respond to emergencies. The responses to these attacks make an easy case for regulators to demonstrate technical control and, thus, identifiable operators of the protocol.

Business control

The CFTC also repeatedly points to softer lbusiness controlsr to show that the respondents had control of the bZx protocol and, thus, should be liable.

The commission focuses most clearly on the fact that the respondents ldesigned, deployed, marketed and made solicitationsr concerning the bZx protocol.

First, it is clear that the CFTC views operating a front-end website to interact with the bZx protocol as a form of business control. The CFTC cites the front end as a vehicle lto market, solicit orders for and facilitate access to the bZx Protocolr because it lenabled users, through the click of a few buttons, to transfer assets and open positions on the bZx Protocol.r

Second, and as discussed above, the CFTC cites the respondentsr public statements and marketing as examples of business control. For example, the commission points out that the co-founders lmade public statements, appeared in interviews, wrote articles, led calls with community members that are publicly available on YouTube and otherwise publicly marketed and solicited members of the public to utilize the bZx Protocolr pre- and post-shifting technical control to the DAO, all as a form of business control.

Third, active participation in a DAO is seen as a form of business control. The CFTC finds in the settlement order that the co-founders were active on Ooki DAO governance matters. Further, one founder is cited for his lprotocol development and marketing work h on the Ooki DAOrs behalf during the DAO Relevant Period,r while another is cited for his lbusiness and budget planning and marketing work h on the Ooki DAOrs behalf during the DAO Relevant Periodr for Ooki DAO after it obtained technical control.

The CFTC describes the co-foundersr active participation in the Ooki DAO to show why they are being held personally liable for the DAOrs actions. This is particularly interesting because the CFTCrs definition of DAO membership only requires casting a vote, so there should be no need to show the co-foundersr active involvement in the DAO to establish their membership in the DAO as the basis for holding them personally liable for the actions of the for-profit unincorporated association. The commissionrs focus on such participation n despite it appearing superfluous in light of the CFTCrs definition of DAO membership n indicates that it views such participation as probative from a business control standpoint.

These enforcement actions reinforce the need for operators of Web3 protocols to have a better compliance policy than ltechnological infeasibility of compliance, so no compliance.r The CFTCrs in-depth analysis of technical and business control shows this clearly. Even though the bZx protocol runs autonomously, that will not stop regulators from seeking to identify operators in order to hold them accountable. While technology-first analysis is an important tool that can be used to support legal risk assessments, the bZx actions make clear that purely technical distinctions cannot justify a legal compliance strategy detached from practical realities.

As long as enforcement actions by federal regulatory agencies remain the dominant approach to policy development in the Web3 field, we must look to those actions to understand the evolving state of the regulatory landscape and what may come next. The CFTCrs moves against the bZx protocol demonstrates that regulators see points of control as strings to follow to the marionettist.