SEC Comments Due Monday; OECD Tax Consultation; Ronin Hack Tied to Lazarus Group
DEF Weekly Roundup – April 15, 2022
SEC “Exchange” Rulemaking Comments Due Monday
Comments in response to the SEC’s exchange rulemaking are due April 18, 2022, and we have a draft of our comment letter available online. If you’re interested, please review it and provide feedback that would improve our submission before Saturday evening. We want our letter to be as broadly representative of the DeFi ecosystem as possible, so let us know if we’re missing anything.
More information on the rulemaking can be found at protectdefi.org. You can also use the site to submit your own comment letter to the SEC, which we definitely encourage you to do!
OECD Tax Transparency Framework
The Organization for Economic Co-operation and Development (OECD) released a public consultation on a new global tax transparency framework. This framework would provide ground rules for reporting and exchanging information regarding crypto asset transactions. Under the framework outlined by the OECD, countries would be required to automatically exchange transaction information on crypto-assets for tax purposes.
The OECD claimed that, under current reporting requirements, tax authorities do not have “adequate visibility” into crypto transactions. The OECD argues that the lack of centralized intermediaries in crypto markets limit governments’ abilities to track financial transactions and ensure tax compliance. The OECD believes this lack of transparency “could be exploited to undermine existing international tax transparency initiatives.”
What does this mean?
The OECD’s new report attempts to address these concerns with respect to disintermediated financial transactions by simply expanding the definitional scope of “financial intermediation” to include non-intermediaries, including “decentralized exchanges and decentralized finance more broadly” (page 6).
The report defines “Reporting Crypto-Asset Service Providers”—entities that would be required to report information to tax authorities—as
any individual or Entity that, as a business, provides a service effectuating Exchange Transactions for or on behalf of customers (which for purposes of this definition includes users of services of Reporting Crypto-Asset Service Providers), including by acting as a counterparty, or as an intermediary, to Exchange Transactions, or by making available a trading platform (page 43).
The core of the definition is consistent with the obligations of businesses traditionally subject to tax reporting requirements like a broker, in the OECD’s words a business that “effectuates” financial transactions “for or on behalf of customers.” Yet the rest of the proposed definition renders effectively meaningless this core concept: it proposes “customers” includes mere “users;” it suggests “effectuates” also means “making available a trading platform” and “acting as a counterparty.” If you’re confused, you’re not alone!
The OECD’s commentary on this definition further muddles it. For example, it states that entities that “make available a trading platform that provides the ability for… customers [i.e. users] to effectuate Exchange Transactions…” (page 43, emphasis added) are included.
In other words, the OECD suggests that a transaction an individual effectuates “in [its] entirety” (page 43) on his or her own behalf somehow simultaneously involves a business “effectuating Exchange Transactions for or on behalf of…” that same individual (page 43).
We’re responding to this public consultation and will circulate a draft when it’s ready!
North Korean Hackers Called the Lazarus Group Responsible for $600 Million Ronin Bridge Hack
The Treasury Department's Office of Foreign Asset Control (OFAC) recently updated its sanctions list to reflect the possibility that the North Korean hacker collective called the Lazarus Group was responsible for the hack of the Ronin bridge.
Bridges connect one blockchain to another so that funds can be sent between them. As the use of multiple layer one chains has expanded, the amount of value transferred via bridges has likewise significantly increased. Security vulnerabilities associated with bridges are why Vitalik Buterin has said that while he believes the future will be multi-chain, but he is “pessimistic about cross-chain applications.”
The Ronin bridge hack occurred last month and is currently the largest hack of a “bridge” within the crypto space. It is suspected that the Lazarus Group is responsible for a number of significant hacks and exploits.
What does this mean?
Bridge security has been and will continue to be a huge issue for the cryptocurrency ecosystem. In addition to the Ronin hack, there have been a number of exploits where hackers have been able to steal hundreds of millions of dollars worth of user funds.
However, there is a silver lining. Given the public nature of blockchains, it has been relatively easy for private actors and law enforcement to trace the stolen funds to the hackers’ wallets. In the case of the Ronin hack, the government was able to track down the hackers’ wallets and connect them to the Lazarus Group in less than a month.
For this reason, it has also been incredibly difficult for the hackers to launder stolen user funds. As we have stressed repeatedly, crypto and DeFi are uniquely bad for money launderers given the transparency of the transaction record. Moreover, the fact that the Lazarus Group is behind this hack shows that the malicious actors targeting crypto market participants are the same actors that target a range of public companies and private businesses, e.g. the Sony Hack before the release of The Interview.