Author: Liu Honglin, Xu Yuewen
Last month, Lawyer Honglin attended the Web3 Summit in Bangkok, during which I communicated with several entrepreneurs focused on on-chain DeFi aggregation services. In the course of the conversation, I found that not only one entrepreneur had a serious misunderstanding about the relationship between 'decentralization' and 'legal compliance'.
For example, many project parties providing on-chain yield aggregator financial services believe that their entrepreneurial projects are based on completely decentralized smart contracts and have not 'touched' user assets, thus they do not need to worry about compliance issues. Therefore, their entrepreneurship merely involves registering a company in Singapore and then starting operations, resulting in almost zero compliance costs.
Clearly, these friends have significant misunderstandings about compliance. Taking advantage of the weekend, I decided to write an article to discuss and hope to provide some practical compliance advice and risk prevention guidelines for friends planning to enter the on-chain financial entrepreneurial field.
Analysis of Industry Status and Yield Models
Yield aggregators are one of the classic applications in the DeFi ecosystem, primarily responsible for helping users optimize asset returns. Generally, a yield aggregator acts like an automated 'financial management robot.' Users deposit crypto assets into it, and the platform monitors the yields of various DeFi protocols (such as Aave, Compound, Curve, etc.) in real-time, dynamically adjusting fund allocations based on market changes to ensure maximum returns. Although referred to as a yield aggregator, to better visualize and describe its yield-generating nature, its essence is 'yield aggregation', or understood as 'asset data and dispatchers generated by the pursuit of yield maximization', achieving optimal yield strategies through smart dispatching.
For users, depositing funds (such as BTC, ETH, USDT, etc.) into an aggregator platform for liquidity mining in third-party DeFi projects, the platform will switch funds to higher-yielding DeFi projects for liquidity mining based on real-time yield data, thereby helping investors obtain higher returns.
For yield aggregator platforms, they can obtain income in the following ways:
First, from the perspective of services provided by the platform, there is a management fee, which is a certain percentage of management fees charged by the platform on user earnings (e.g., 1%-2%). The platform monitors relevant factual data and deploys smart contracts to manage the funds deposited by users.
Furthermore, some platforms adopt a performance-sharing model, where if users' returns exceed a certain annualized return rate, the platform will charge additional performance fees on the excess amount (typically between 10%-20%).
Finally, there are platform incentives, where user funds are directed through partnership agreements to receive incentives or commissions from partners.
In theory, yield aggregators are entirely operated based on on-chain smart contracts, where users' funds are always controlled by the smart contract, and project parties do not hold users' crypto assets or private keys. However, if there are vulnerabilities in the contract design, hackers or project parties may exploit permissions to steal users' funds. Additionally, some centralized 'yield aggregator' services require users to deposit funds into platform accounts, which means the platform has direct control over users' funds, leading to risks in fund security and transparency, fundamentally differing from the decentralized non-custodial model.
Common Compliance Misunderstandings of Entrepreneurs
1. Technical Decentralization ≠ Fund Security
Many entrepreneurs believe that as long as users' assets are controlled by smart contracts, project parties do not need to be responsible for fund security. However, in reality, the security of the smart contract directly determines the survival of the project. If there are vulnerabilities in the smart contract, hackers can steal user funds through reentrancy attacks, permission control vulnerabilities, etc., leading to fund losses, and the project parties cannot completely exempt themselves from liability. Therefore, even in decentralized projects, technical security remains crucial. Project parties must ensure that smart contracts undergo strict third-party security audits, conduct regular vulnerability remediation, and keep the code open source to enhance community trust and transparency. Otherwise, even decentralized technology cannot guarantee the absolute safety of user funds.
2. Decentralization ≠ No KYC Required
Many yield aggregator project parties believe that as long as the platform does not hold user assets, they can circumvent anti-money laundering (AML) and know your customer (KYC) requirements. However, global regulators are strengthening scrutiny of DeFi, especially in the US and EU markets, where projects providing financial services can hardly avoid KYC requirements. Ignoring this may lead to hefty fines and legal accountability.
3. Non-Custodial ≠ Zero Responsibility
'We have never touched user funds' is a common explanation from many yield aggregator project parties. However, even if the platform does not directly manage users' funds, project parties may still face legal liability. If there are vulnerabilities or attacks on the smart contract that result in user fund losses, the project parties must still bear some responsibility. Therefore, project parties must clearly inform users of the risks in the platform interface and user agreements, including potential issues like market volatility and smart contract vulnerabilities. Additionally, consider providing users with extra protective measures, such as introducing insurance mechanisms or compensation schemes, which can not only mitigate user losses but also enhance the platform's credibility and trustworthiness.
4. Tax Compliance: Don't think you can hide in the 'gray area' forever.
Some entrepreneurs believe that the crypto industry is in a 'gray area', and thus tax compliance is not an urgent issue. However, in reality, tax authorities in various countries have intensified regulatory scrutiny of the crypto industry, and more and more countries and regions require crypto projects to declare income and yields. Whether or not a project has cross-border transactions or involves partially anonymous transactions, tax compliance is an obligation that cannot be ignored. If declarations are not timely, there may be significant fines, interest, or even criminal liability in the future. Therefore, entrepreneurs should establish dedicated tax compliance teams to ensure that the platform's operating income, user returns, and any cross-border fund flows are declared timely and legally. For projects operating across borders, special attention should also be paid to the differences in tax laws of various countries to avoid violations due to unfamiliarity with local laws.
Compliance Advice from Lawyer Mankun
The charm of on-chain financial projects lies in innovation and technology-driven initiatives, but compliance and security are the cornerstones of long-term project development. Decentralization does not equate to exemption from responsibility; entrepreneurs must not only focus on smart contract design but also be well-prepared for KYC, AML, tax compliance, and market promotion. Technology may accelerate innovation, but only compliance can ensure the project's longevity.
I hope this article can provide practical advice for friends aspiring to enter the blockchain on-chain financial entrepreneurial space.
1. Strengthen Smart Contract Security: Security is not a 'one-time investment'.
Smart contracts are the core of yield aggregator projects, but security should not be a one-time audit; it is a continuous process. Auditing is the starting point, and regular security monitoring, vulnerability remediation, and contract updates are equally crucial. Especially in core aspects such as fund management and yield distribution, if contract vulnerabilities are exploited by hackers, the losses will be significant.
Therefore, project parties need to establish a sound contract security system to ensure that smart contracts can be continuously optimized with market changes and technological advancements. Additionally, open-source code allows the community to participate in contract reviews, not only enhancing transparency but also building community trust. Moreover, if the platform's contract is attacked, the ability to quickly respond and fix is crucial for maintaining user trust.
2. Compliance Due Diligence: Anti-Money Laundering is important.
Do not hope that 'decentralization' can help you evade regulation. Before launching a project, have a professional lawyer conduct compliance due diligence, especially regarding AML and KYC requirements. Rather than responding to regulatory investigations afterward, it is better to establish a compliant layout in advance to avoid facing hefty fines and legal disputes later. An early reasonable compliance layout can not only avoid high fines but also prevent potential legal risks. Project parties should collaborate with experienced legal advisors to ensure legal operations under the regulations of different countries and regions.
3. Tax Compliance: Post-tax income is the real income.
It is essential to have a tax compliance awareness! Ensure that project income and user returns are reported on time. Globally, tax regulation of cryptocurrencies and DeFi projects is gradually becoming a focus, and tax authorities have begun to increase scrutiny of the crypto industry. Ignoring tax compliance may lead to hefty fines, interest, or even criminal liability, affecting the project's long-term development. Therefore, it is crucial to ensure tax declarations for project and user earnings, ensuring compliance and avoiding unforeseen legal burdens.
4. Cautious Market Promotion: Authentic transparency is key to longevity.
Advertising must avoid exaggerating returns and must accurately reflect the platform's risks and returns. While short-term traffic is tempting, long-term user trust is the foundation. Compliant market promotion not only avoids regulatory risks but also enhances brand image.
Especially in DeFi projects like yield aggregators, yield volatility and contract risks are unavoidable. Platforms should honestly reflect key data such as risks, yields, and liquidity, and clearly inform users of potential risks. Through compliant market promotion, not only can regulatory penalties be avoided, but a stable brand image can be established, laying a foundation for the platform's long-term development.