Is Software eating the Regulator? A Brainstorming on how DeFi could be treated in Regulation


This post was first published as a thread on my Twitter account ‘peterlih’.

I’ve been thinking and talking about DeFi regulation for a while now when people asked me in podcasts or on stage. I always wanted to summarize my thoughts, so here we go. How could DeFi be regulated without too much pain? LFG!

I see 2 waves of crypto adoption:

1) Crypto becoming a tradable asset
2) DeFi — financial services on a new infrastructure

1) easy to regulate, as the roles are the same as in Traditional Finance (custodian, broker…)
2) difficult to regulate, as DeFi cuts out the middleman

The core motivation of regulation is imho positive (e.g. the goals of the German regulator BaFin): it’s about fair markets, transparency, customer protection and keeping criminal activity at a minimum. It’s the implementation of those goals in rules that makes it cumbersome to comply, in Traditional Finance and also in CeFi/DeFi.

It’s important to build regulation towards a clear set of goals as those can be achieved in multiple ways.

In Traditional Finance, banks let auditors access their data centers to evaluate their resilience. In DeFi, the data center called Blockchain is up forever. You can prove it with Math. There are more examples like that.

Regulation should define the goals, market participants do the implementation to fulfill the requirements. Traditional Finance, CeFi and DeFi will all do this their own way.

Many libertarians believe states, governments and regulation will disappear soon. Let’s be realistic. They will be around for a long time.

Let’s think about regulation for DeFi under that side condition. We have to be proactive to make sure it does not limit our technology.

Banks have to continuously screen their employees for gambling addictions or other matters that make them unfit to perform their duties and susceptible to bribes and manipulation.

People who want to manipulate will always find a way. No control can keep up with human creativity. History is full of examples, e.g. Wirecard.

DeFi has big advantages compared to Traditional Finance, as the part of the system that is most difficult to regulate plays a different role: the human! Humans are the ones responsible for fraud, manipulation, enrichment and blackmail…

In DeFi, financial services are 100% automated. There is no way for humans to manipulate the execution!

If technology is doing 100% of the work, audits play an important role. Making use of the fact that smart contracts are immutable once deployed on a Blockchain, there are three points at which audits can be applied:

a) at development
b) before deployment
c) at runtime

a) At development, DAOs could easily implement some compliance concepts of Traditional Finance (e.g. BAIT in Germany), as those introduce quality measures like a formalized development and testing process, documentation, a role/rights concept…

Everyone would agree to those measures if they were written somewhere other than a regulatory document.

b) Before deployment, a static security and functionality audit should happen. DeFi teams already invest a lot in security audits. For customer protection, an ecosystem of accredited auditors should analyze whether the smart contract delivers the services promised on the website.

Protocols could be designed in a way that compensates auditors from protocol revenues or in tokens. This would align interests. Users want a safe protocol and should be willing to pay for it. Auditors should be independent (not paid by their customer), stake tokens and get slashed just in case.

c) At runtime, there should be only limited, controlled ways to change smart contract behavior (e.g. through oracles). Furthermore, there should be public interfaces to read and audit all data flows at runtime (reading directly from the Blockchain or via something custom).
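To make the runtime point concrete, here is an added example in Solidity (not code from the original post or from any named protocol): a protocol parameter that can only change through one narrow, time-locked path, with a hard cap fixed at deployment and every step emitted as an event, so an auditor or regulator dashboard can reconstruct the whole data flow from chain data alone. The contract name, the governor role, the two-day delay and the fee cap are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not from the original post. A single tunable parameter
/// (a fee in basis points) whose only runtime change path is
/// propose -> wait -> execute, bounded by a cap that is immutable after deployment.
contract FeeConfig {
    uint256 public constant MAX_FEE_BPS = 100;      // hard upper bound baked in at deployment (1%); assumed value
    uint256 public constant CHANGE_DELAY = 2 days;  // minimum public notice before a change takes effect; assumed value

    address public immutable governor;   // e.g. a DAO multisig; set once in the constructor, never changeable
    uint256 public feeBps;               // the live parameter read by the rest of the protocol

    struct Pending { uint256 newFeeBps; uint256 effectiveAt; }
    Pending public pending;              // at most one announced change at a time

    // Events are the audit trail: an off-chain monitor can replay them to verify every change.
    event FeeChangeProposed(uint256 currentFeeBps, uint256 newFeeBps, uint256 effectiveAt, address by);
    event FeeChangeExecuted(uint256 oldFeeBps, uint256 newFeeBps);
    event FeeChangeCancelled(uint256 newFeeBps, address by);

    modifier onlyGovernor() {
        require(msg.sender == governor, "not governor");
        _;
    }

    constructor(address governor_, uint256 initialFeeBps) {
        require(governor_ != address(0), "zero governor");
        require(initialFeeBps <= MAX_FEE_BPS, "fee above cap");
        governor = governor_;
        feeBps = initialFeeBps;
    }

    /// Step 1: announce the change. Nothing changes yet; the cap is enforced here too,
    /// so even the governor cannot push the parameter outside the audited range.
    function proposeFee(uint256 newFeeBps) external onlyGovernor {
        require(newFeeBps <= MAX_FEE_BPS, "fee above cap");
        uint256 effectiveAt = block.timestamp + CHANGE_DELAY;
        pending = Pending(newFeeBps, effectiveAt);
        emit FeeChangeProposed(feeBps, newFeeBps, effectiveAt, msg.sender);
    }

    /// Step 2: anyone may execute once the delay has passed; the value applied is
    /// exactly the announced one, so users had the full delay to react or exit.
    function executeFee() external {
        Pending memory p = pending;
        require(p.effectiveAt != 0, "nothing pending");
        require(block.timestamp >= p.effectiveAt, "timelock active");
        uint256 old = feeBps;
        feeBps = p.newFeeBps;
        delete pending;
        emit FeeChangeExecuted(old, p.newFeeBps);
    }

    /// The governor may withdraw an announced change, which is also logged.
    function cancelFee() external onlyGovernor {
        require(pending.effectiveAt != 0, "nothing pending");
        emit FeeChangeCancelled(pending.newFeeBps, msg.sender);
        delete pending;
    }

    /// Read-only interface for dashboards and auditors: the full state in one call.
    function snapshot()
        external
        view
        returns (uint256 liveFeeBps, uint256 pendingFeeBps, uint256 pendingEffectiveAt)
    {
        return (feeBps, pending.newFeeBps, pending.effectiveAt);
    }
}
```

The design choice worth noting for a regulator: the cap and the delay are constants, so the range of possible runtime behaviour is fixed at the pre-deployment audit, and anything an off-chain monitor observes outside that range (a fee above the cap, an execution before `effectiveAt`) is provably impossible rather than merely unlikely. A monitoring job that subscribes to `FeeChangeProposed` and checks `snapshot()` covers the "read and audit all data flows" requirement for this parameter without needing any access to the team.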

“Software is eating the [-world-] regulator”

… to put it like Marc Andreessen of Andreessen Horowitz. Regulators will do “Regulation as Code” and sit in front of a NASA launchpad style Dune Analytics dashboard and inspect market data and participants in real time.

Regulators have big concerns regarding AML procedures in DeFi. There is enough evidence that crypto is used far less often for criminal activity, as it is fully traceable and transparent (Report by Chainalysis Team).

It’s also way more effective to implement much better regulation with a digital identity (Self Sovereign Identity / SSI, Decentralized Identifiers / DID) held in a wallet. DeFi services can verify the data (zero knowledge) and transact. Data protection and privacy would be improved, as the user is in full control of the data.

Digital identity can be issued by a governmental body or be a verified token / credential by an obliged person (in AML lingo). Many projects show that it works already (, Fractal)

Frontrunning should be fixed on the L1 level. Unlike Ethereum (“MEV”), Blockchains should be frontrunning resistant, e.g. Solana with its Proof of History consensus.

DeFi can only grow 100x if users get more guarantees from DAOs / developers than “you use OUR protocol at YOUR own risk”.

The easiest way could be to create a new form of legal entity, like a mix of a cooperative and a limited company with shareholding based on tokens. DAOs would run under the law of the respective jurisdiction. That would make it much easier for users to enforce customer protection and claims. States could also collect taxes.

Offering DeFi services to customers comes with a responsibility. DeFi can only grow 100x if we can give higher guarantees. DeFi was anonymous by design. I think it will only scale if it becomes more transparent who is behind it.

Lastly, we need insurance. Protocols like Nexus Mutual insure the funds of a single user. Insurance could be provided between protocols, too. A few of the ideas named above can serve as the foundation for building a trust base.

Protocols joining forces to build a liability umbrella would be huge!

Regulation is coming. If we want DeFi to become the infrastructure for banking used by our kids, we have to enter a dialogue. Regulators won’t go away. More automated regulation means less pain. IMHO the mentioned ideas are tradeoffs the DeFi space can take, but happy to discuss.