In Re: Examining SEC v. Consensys
Following our three-part series on the details of MetaMask, a brand new blog appeared with a first post addressing some of the same issues. As the man says, “Oh you were finished? Well allow me to retort.”
The Assumptions
A recent post by Daniel Barabander, the Deputy General Counsel for crypto venture capital firm Variant, assumes MetaMask is non-custodial.
A table up near the top of the blog post describes MetaMask’s technology as “non-custodial wallet apps/swapping feature.”
Assuming MetaMask software is non-custodial and then concluding it is non-custodial, after already having started with that assumption, is at the very least a curious way to posit a legal argument.
Presenting circular reasoning as some sort of logically sound argument to an audience that may lack the requisite critical reasoning skills and background knowledge to untangle what is happening is one way of poisoning the debate.
We do not enjoy that sort of behavior.
The Argument
We won’t do that.
Instead we will take a look at what we believe are three key errors in that post’s analysis.
1. Atomicity
Atomicity is the idea that either a number of things all happen, or none of them happen.
Atomicity is the concept that you can wrangle a computer to perform a sequence of possibly-unrelated tasks in an all-or-nothing way, and this plays into the argument as follows:
“As I detail below, my best guess for what the SEC is describing here is a user performing an atomic swap through smart contracts Consensys wrote, which, if true, would entail significantly less control of the swapping process by Consensys than the SEC is implying.”
And indeed the swap() function is atomic in that either it and all external function calls it makes execute, or none of them do.
But this is hardly a feature unique to blockchains and smart contracts.
Oracle has supported “atomicity” since the early 80s — it’s called a Database Transaction and the concept dates back to IBM in the 1970s.
If “atomicity” were relevant to the legal issues, then PayPal could effect user-to-user transfers with atomic transactions and avoid the need for money transmitter licenses on the basis of atomicity.
Just because a transaction is “all or nothing” does not determine whether or not you need a license — the law looks to the substance, not the form.
If it acts like a broker, talks like a broker, and works like a broker, it needs a license.
Just because it performs all of the transaction all at once or not at all makes no difference as to whether it’s a broker or not.
Any competent SQL programmer can accomplish atomicity quickly and easily.
And we will gladly provide this service to any financial institution that wants it in exchange for a cut of the compliance expenses saved.
Such a purported contract, however, will make clear we do not think anyone should do this and that we will gladly testify against you in court.
Here we really would be just writing software.
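The database transaction described above, as an added example that is not part of the original post: a Python/SQLite ledger whose swap() applies both legs or neither. The table, holder and token names are constructed for illustration, and the ledger stays entirely in the hands of whoever runs the database.

```python
import sqlite3

def open_ledger():
    """In-memory ledger seeded with constructed sample balances."""
    # isolation_level=None: no implicit transactions, we issue BEGIN/COMMIT.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute(
        "CREATE TABLE balances ("
        " holder TEXT, token TEXT,"
        " amount INTEGER NOT NULL CHECK (amount >= 0),"  # no overdrafts
        " PRIMARY KEY (holder, token))"
    )
    db.executemany(
        "INSERT INTO balances VALUES (?, ?, ?)",
        [("alice", "A", 100), ("alice", "B", 0),
         ("bob", "A", 0), ("bob", "B", 50)],
    )
    return db

def move(db, src, dst, token, amount):
    """One leg: debit src, credit dst. The CHECK rejects a negative balance."""
    db.execute("UPDATE balances SET amount = amount - ? "
               "WHERE holder = ? AND token = ?", (amount, src, token))
    db.execute("UPDATE balances SET amount = amount + ? "
               "WHERE holder = ? AND token = ?", (amount, dst, token))

def swap(db, a, b, token_a, amt_a, token_b, amt_b):
    """All-or-nothing: a pays amt_a of token_a, b pays amt_b of token_b."""
    db.execute("BEGIN")
    try:
        move(db, a, b, token_a, amt_a)
        move(db, b, a, token_b, amt_b)
        db.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        # The second leg failed, so the first leg is undone as well.
        db.execute("ROLLBACK")
        return False

def snapshot(db):
    """Balances as {(holder, token): amount} for comparison."""
    rows = db.execute("SELECT holder, token, amount FROM balances")
    return {(h, t): n for h, t, n in rows}
```

The operator of this database decides what swap() does and can rewrite any row outside it; the atomicity guarantee is unaffected either way.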
2. Control
This concept comes up when the post says:
“While there is some admin functionality on the smart contract for a multi-sig that Consensys may control, there is no evidence to suggest the company actively operates the smart contract’s code.”
Note this is a concession that there is some degree of central control, and it is followed by an assertion that this control is not exercised.
Before we bother to demonstrate this control is exercised, just read the code:
Giving up control is trivial.
If control were unimportant why wasn’t it renounced long ago?
And what sorts of control powers do we observe?
First, there is a kill switch:
Second, of course control was used to set up the adapter mapping:
Was that done at initialization time?
Yes.
Is control retained to this day?
Yes.
Some things only matter when there is a problem and that is why control should be considered in the limit or the bad case, not the generous good one.
Again we defer to:
3. Open vs Closed Source
Careful readers will note that that post does not mention anything about open-source software, which is a conspicuous absence.
Also conveniently missing, coincidentally, are the calls to not-verified-on-etherscan contracts.
We do, however, find a strange reference here:
“Assuming the adapters are not malicious (which would be another issue entirely), their job is to enable a user to perform an atomic swap — in a single transaction take token A and exchange it for token B.”
The adapters are the not-verified-on-etherscan code we’ve talked about throughout all 3 installments of our series on MetaMask (great movies come in trilogies, so why not blog posts?).
So now we are being asked to assume the adapters are not malicious.
Ok.
Go take a look at their analysis and you’ll find the last line of code is a call to _delegate().
Then go read what happens inside that call.
We are literally being asked to trust nothing bad happens inside those adapters.
Trust normally works when there is a strong disincentive to break it.
In the case of brokers and money transmission businesses that disincentive is a panoply of legal sanctions.
And, as part of the bargain those businesses make with the government when they sign up for licenses, government inspectors can look inside the “adapter.”
Here the argument is that:
- those sanctions, and those for failing to get licenses, are not applicable;
- there is no need to grant access to look inside; and
- the operators of the system are entitled to the assumption nothing bad could ever happen because…what exactly?
If this is fine then banks and brokers can migrate their businesses to unpublished smart contracts, cancel their licenses and eliminate the compliance teams those licenses require (cost savings inside!).
Discussion
If this is the best argument the crypto-legal community has that we are wrong, then we are feeling pretty good.
Open debate is healthy and regulatory issues are often complex.
Decades of work in the legal and financial services fields surely teaches that.
And different problems require different solutions.
When you are presented with an argument that suggests a gaping loophole in some longstanding regulation was recently discovered, ask yourself what changes this “discovery” would allow for businesses set up in earlier times.
Surely groundbreaking innovations do occur.
The wheel was pretty impactful, but the wheel didn’t require you to assume something was non-malicious.
Or to assume control was retained for no good reason at all and can be ignored by rules which explicitly contemplate surprising bad outcomes involving long-dormant control.
Are most people OK with those assumptions?
And lest this seem like we have some issue with MetaMask in particular, rest assured we do not.
Back in 2023 people thought we had it in for Binance.
There was a time people thought we had it in for DCG.
We definitely thought LUNA was a bad idea and shared that fairly widely.
And we’ve been looking at these things a lot longer than many people seem to realize.