Source from YouTube: Whiteboard Crypto

1. DEX coexists with KYC

DEX has the problem of difficult supervision: The main reason why DEX is difficult to survive in the coming storm is that they claim to lack the ability to identify users who use and contribute to mobile mining pools.

How it works:

• With the coming of laws and regulations, DEX needs to speed up its survival and KYC is required to survive the coming regulatory storm.

• Regulators from Europe, the United States and elsewhere are busy finalizing the details of how to designate the Decentralized Exchange (DEX) as a “broker”, trading agent or similar entity that influences transfers and cooperates with each other. The United States called for transnational cooperation in its executive order on responsible digital asset development, and the European Union recently called for transnational cooperation in its review of financial stability and integration.

• Verifying the identity of users and checking whether money and tokens are illegal helps to ensure that cybercrime is prevented to some extent. It makes DeFi safer for users and more feasible for regulators and policymakers. In order to survive, DEX will eventually have to admit this and adopt a certain degree of identity verification and money laundering prevention.

2. Relevant products to monitor DEX

The Financial Action Task Force (FATF), the standard setter of global anti-money laundering and anti-terrorist financing (AML/CFT) measures, issued a report on the application of its crypto asset guidelines. The FATF report is indispensable reading material for the compliance team of crypto asset businesses and financial institutions. It provides FATF’s views on the regulatory issues facing the global encryption industry and regulators.

The new FATF report points out the key issues that will become the top priority of the regulatory agenda in the second half of 2022 and beyond. Cross-chain DeFi, unmanaged wallet, NFT, and travel rule compliance will be the top priority of the VASP compliance team.

• Ensure that you have blockchain analysis capabilities, enabling you to detect and manage the risks of cross-chain DeFi activities and Tornado Cash and other DeFi coin mixers.

• Use the blockchain analysis function to identify unmanaged wallets related to sanctioned actors, extortion software gangs, and other illegal actors.

• Detect transactions related to the illegal use of NFT.

• Understand travel rule solutions and prepare for compliance

3. Regulatory participants

Brian Armstrong, CEO of Coinbase, proposed a blueprint for encryption regulation and advocated US legislation to improve the clarity of encryption regulation

The legislation should start from the centralized participants (stable currency issuers, exchanges, and custodians), because this is where the risk of consumer harm is greatest, and the supervision should focus on the need for additional transparency and disclosure of intermediaries. In addition, he suggested that countries enacting laws for cryptocurrency companies should not only enforce laws at home but also enforce relevant laws for foreign companies serving their own citizens.

4. From profit or reduce part of exchange supervision

One option might be to focus laws and regulations on profit rather than control. With limited legal tools at their disposal to address decentralized exchanges, governments may consider aggressively enacting new laws or rules providing that any profit derived from a decentralized exchange is perse illegal, or perhaps subject to substantial information reporting and regulatory burden. The IRS, for example, could take the position that receiving any profit from a decentralized exchange makes someone a withholding agent, although, again, the definition of withholding agent would likely need to be updated for this to work.

At the other extreme, governments might let certain decentralized exchanges operate in a low or no-regulation zone for the time being. There is actually much to be said for this approach, as it could allow financial technology innovations to flourish while allowing regulators to gather critical information on possible interventions. Regulators ideally would monitor technological developments and work with decentralized exchanges to better understand the technology and see how it is being utilized, before developing a regulatory framework. Perhaps smart contract technology can eventually support automated tax withholding, information reporting, and know-your-customer (KYC) verification, among other regulatory compliance functions.

5. Regulate by developing software

An alternative approach could be to provide software developers — and potential users of DeFI protocols — a regulatory incentive to build and support compliance through a “safe harbor.” Conceptually, a safe harbor could excuse direct liability for software developers and other DeFi participants, if the protocol:

• Has a lawful purpose and entails no fraud

• Interacts or excluding addresses and/ or jurisdictions encouraging OFAC compliance

• Limits or bars margin trading.

The safe harbor could also contemplate requiring that protocols are able to implement any future CFTC-authorized software systems to enforce commodities-related laws (i.e., use “code as law”).

An example of how Aztec (zk. money) did:

In contrast to common misconceptions, privacy does not equate to non-compliance. Ultimately, Aztec believes in a future where users can easily generate zero-knowledge proofs to demonstrate compliance without exposing any personal information throughout the process.

Now, Aztec mainly focuses on two points in terms of compliance： Network compliance and User Compliance.

1. Network compliance

The aim of network compliance measures is to limit the introduction of illicit funds (e.g. exploited funds from hacks) into the Aztec Network. They are designed around commonly seen illicit asset transfer patterns (e.g. large sums, time-sensitive).

• **Block Deposit Cap: Address-specific Cap: A deposit amount cap is enforced on a per address, per asset, per rollup block basis at the smart contract level and on the zk. money **frontend.

• Daily Deposit Cap: 1) IP-specific Cap: A deposit rate cap is enforced on a per IP address, daily basis at the sequencer level. 2)*** Network-wide Cap***: A deposit amount cap is enforced on a network-wide, per-asset, rolling daily basis at the smart contract level.

2. User Compliance

The aim of user compliance measures is to provide users with means to demonstrate compliance with their individual accounts such as auditors, government authorities, and courts.

**Viewing Key Sharing: All Aztec accounts are created with viewing keys **that guard viewing access to details of all transactions received and sent with the accounts (e.g. sender, receiver, asset type, amounts). In order to demonstrate compliance, users can share their viewing keys with whoever requests viewing access to their Aztec transactions.

Conclusion

The regulatory and compliance requirements for decentralized exchanges are necessary. While supervising DeFi, its innovation, freedom, and other characteristics should be retained to enable better development. DeFi should be a system in which all investors can access and operate important data. It also should be a system that reduces the possibility of manipulation.

Such a system can guide funds to the most promising projects effectively. Appropriate laws and regulations help to create common incentives to benefit the entire financial system. They ensure that investors and participants can obtain safe and fair opportunities while building the market’s integrity.

Reference:

1. https://cointelegraph.com/news/identity-is-the-antidote-for-dexs-regulation-problem

2. https://0xzx.com/2022052913452339812.html

3. https://www.8btc.com/article/6762382

4. https://www.f6ex.com/archives/90975.html

5. https://www.civicresearchinstitute.com/online/PDF/JTI-3601-01-Exchanges.pdf

6. https://docs.aztec.network/compliance

7. *Statement on DeFi Risks, Regulations, and Opportunities; *https://www.sec.gov/news/statement/crenshaw-defi-20211109

8. Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 (MiCA) ; https://data.consilium.europa.eu/doc/document/ST-13198-2022-INIT/en/pdf

Source from Mudrex Blog (https://mudrex.com/blog/what-is-dex/)

Decentralized transaction (DEX) has greatly saved transaction costs and eliminated the huge risks brought by the transaction matching center in controlling funds, data, and users, which is the trend of global informatization. At the same time, however, due to the lack of KYC inspection required for AML compliance, investors held an attitude of waiting to be observed. Therefore, the demand for DEX compliance is not only to meet the regulatory demand of pending, but also the demand of investors.

• **From a technical perspective: **The decentralized exchange is a DApp built on the blockchain, which realizes two modules of asset management and trading through smart contracts.

• From the perspective of governance: A decentralized exchange is an open, community-driven, decentralized organization with highly decentralized rights and obligations.

Barriers to DEXs:

1. More complex user interface

The use of decentralized exchanges requires some professional knowledge, and the interface is usually complex and difficult to understand. Users need to do prepositive research before trading, and can’t expect DEX itself to provide much help. Users also need to be very careful in their operations, because there may be irreparable errors, such as sending tokens to the wrong wallet.

2. There are unknown risk vulnerabilities

The security of the DeFi protocol depends on the smart contract that supports it. The smart contract's code may also have errors, resulting in the loss of the trader’s token. Although smart contracts work as expected under normal circumstances, developers cannot anticipate rare events and hacker attacks. For example, the DeFi attack in 2021 was named the Poly Network attack. The hacker took advantage of the bugs in the smart contract to modify the transaction verifier to achieve the purpose of intrusion. Thus, the assets were transferred to Ethereum and three other public chains, and the assets of 610 million dollars were stolen successfully. If security issues arise in the exchange, more and more users will move their funds out due to distrust, which will generate liquidity risk. A product KYE(Know Your Entity) made by another Web 3.0 company has a set of algorithms to find some other associated addresses that directly interact with this address, and identify a network multi-dimensional risk control system based on graph computing.

3. The currency price is extremely volatile (DEX’s liquidity problem is of great concern)

Since most DEX has uncensored tokens, traders also need to be vigilant at all times. The new token will also crush the liquidity pool and reduce the value of other tokens, and a token in the boom may be suddenly withdrawn.

• Low liquidity will lead to a large price fault, making the order unable to be executed at the originally specified price, resulting in a large sliding point

• Users bear the brunt of greater financial risks, causing serious economic losses

• Small pools with low liquidity will be flooded by hackers using flash loans and other technologies, using excessive orders to flood the market and deplete the funds of smart contracts

In November 2021, the event that the virtual currency produced by the IP of Squid Game, and then suddenly returned to zero after thousands of times of inflation, is a typical liquidity security event. At 9:35 a.m. EDT on November 1, the squid coin suddenly fell to almost zero in just a few minutes, with a drop of more than 99%,. A few days before the collapse of the “squid game”, some investors complained that they could not sell their squid coins on the Decentralized Exchange (DEX) Pancakeswap. Later, the founder of Squid Coin explained that because the project deployed innovative “anti-dumping technology”, that is, to restrict people from selling tokens when demand drops. The decentralized platform eliminates the complicated procedures and expensive fees for currency registration, and even eliminates the channels for authentication and audit, which greatly reduces the cost of fraudsters and the threshold for currency issuance, leading to the emergence of new fraud models in the DeFi field that fraudsters can use.

4. Lack of formal supervision

Now, the government regulatory authorities believe that virtual currency has an unstable factor in the financial market, and even allows criminals to use virtual currency trading to achieve criminal acts, such as money laundering, so they need to regulate it. When more fake websites run amok if the wallet is connected to the fake exchange and authorized, it will cause a serious loss of assets. However, at present, no clear regulatory system and laws and regulations have been issued for DeFi in various countries. In 2021, the UK Ministry of Finance ordered a review of financial technology, and called for the use of functional and technology-neutral methods to regulate crypto assets in accordance with the current regulatory framework and the principle of “same risk, same regulation”. At the same time, the supervision should be flexible enough to adjust at any time according to the risks arising from the activities related to encryption assets. In June 2021, the Securities and Exchange Commission Thailand announced that any DeFi-related activities in the future may require financial regulators. The U.S. Securities and Exchange Commission has issued a regulatory framework specifically for DeFi and blockchain projects in US dollars, but the U.S. Securities and Exchange Commission mainly regulates DeFi according to securities law. The most important reason for China’s current policy of completely prohibiting DeFi is the strong supervision of the underlying cryptocurrency.

5. Loss may not be recoverable

Traders should carefully keep their wallets and private keys. If the private keys are lost or transferred to the wrong chain, they will not be able to access their own assets. There is no central exchange to assist in the confirmation of fund transfers, which also easy to causes the wrong chain and address. The failure of DEX to regulate means that there is no place to appeal and no way to recover losses through the law. All transaction consequences must be borne by yourself.

Suggested policies should be enforceable：

1. Regulatory applications, not regulatory agreements:

2. Set early warning of liquidity shortage

3. The regulatory rules not only maintain a certain order in the market but also have tolerance for innovation and protect innovation.

What you should be mindful of：

Centralization and decentralization are not exclusive choices between 0 and 1 or black and white. Some parts of products are actually very centralized, while some parts are relatively decentralized. For example, some exchanges in DEX deploy AMM, which is a very decentralized deployment method. Another feature of DEX is that the platform does not hold customer assets, and customers keep their own assets which are also very decentralized. On the other hand, if we want to achieve compliance to a certain extent, there are many so-called regulations. One of which is the anti-money laundering and anti-terrorism funds that everyone has been talking about, which is basically content to be completed. So many things are a centralized solution, but there are many combinations of parts and decentralized components, so it should not be an exclusive choice between 0 and 1, nor black and white.

Centralization does not mean deregulation. Decentralization refers to the realization scheme of technology. Regulate or not is a governance mode of the whole country or the whole economic system.

DEX mainly faces two risks

1. The most basic risk is smart contracts. Whether the open source code of the project has been audited or not. Sometimes even if it has been audited, there may still be some loopholes. The security of the principal of the liquid pledge pool is guaranteed by the code of the smart contract. The second is the financial risk inside the pledge pool, that is, the price fluctuation and the unpredictable loss caused by AMM’s own mechanism. If the price of one of the assets rises, the market maker will automatically take the opposite action with the general traders in the market, and the more it rises, the more it sells, so the number of assets in the pool with rising prices will decrease. On the contrary, when the price of one of the assets falls, the market maker will also take the opposite action to the market, which means that the more it falls, the more it will buy. Therefore, the number of assets with falling prices in the pool will increase.

2. As an innovative way of digital asset trading, DEX provides users with disintermediation and convenience. Compared with CEX, CEX lacks an effective KYC mechanism and third-party AML system support, so it becomes a new challenge to use DEX to track digital asset financial crimes. In the guidance draft issued by the Financial Action Task Force on Anti-Money Laundering (FATF) on March 19, it was mentioned that global regulators are now paying close attention to DeFi and other encryption innovation industries, including DEX. Its future regulatory standards may not apply to DeFi's underlying protocol software and technology, but Dapp’s operators can be regarded as virtual asset service providers (VASPs), which must also meet the same AML requirements as traditional finance. In addition to the supervision of anti-money laundering, the regulators also pay attention to whether the DEX platform trading assets and DAO governance certificates are securities and derivatives transactions.

Reference:

1. https://cointelegraph.com/news/identity-is-the-antidote-for-dexs-regulation-problem

2. https://0xzx.com/2022052913452339812.html

3. https://www.8btc.com/article/6762382

4. https://www.f6ex.com/archives/90975.html

5. https://www.civicresearchinstitute.com/online/PDF/JTI-3601-01-Exchanges.pdf

6. https://docs.aztec.network/compliance

7. Statement on DeFi Risks, Regulations, and Opportunities; https://www.sec.gov/news/statement/crenshaw-defi-20211109

8. Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 (MiCA) ; https://data.consilium.europa.eu/doc/document/ST-13198-2022-INIT/en/pdf

Motivation

Money laundering via crypto assets is becoming a bigger problem. Whether you are a business engaging with them or an individual holding them in investment portfolios, the likelihood of getting exposed to “dirty” assets has grown significantly as the velocity of crypto trading increases. The consequences of being linked to dirty funds are worth an entire blog elaborating at least and are hard to overstate.

To protect ourselves, there are both free and professional investigation tools available in the market to trace fund flows in blockchain networks. Unfortunately, very few of them can actually assist human users (e.g. compliance analysts, diligent OTC traders) in constructing storylines of fund movements on blockchains with well-annotated crypto addresses. In addition to a human deep-dive investigation by viewing graph-like data visualization, as a business, we need to build a risk decision pipeline to automate some steps of risk management operations in order to handle thousands of transaction requests efficiently. The key ingredient to systems of this kind is an actionable number in determining the risk level of a given crypto address or entity.

In this article, we introduce an ML (Money Laundering) Risk Score, which we developed in-house and plan to open-source. Before our efforts, there are good attempts made by other organizations to build similar scores. By learning from them, we reached an internal consensus that an actionable ML risk score should have three characteristics listed below:

• Explainable: The computation logic of this score should be transparent and understandable. In order to approximately reach this status, we choose to use a linear combination of determining factors as the main body of computation rather than black-boxed machine learning models. In order to be flexible enough to model some complicated logic while maintaining good explainability, we design three different components to accommodate different reasonings. In the next section, we will discuss them in detail.

Figure 1: Workflow of computing ML Risk Score

• Consistent with business logic: Interpretation of this score should align with human logic where a larger numerical value of this score means a higher risk of money laundering: sanction address should be at extreme risk level, one having a significant link to coin-mixers should be on the high-risk end of the spectrum, and, etc. And, the risk level should be determined by a comprehensive set of factors: nature of the business controlling a crypto address, transaction history, risky patterns revealed in the network of past transactions, etc.

• Extensible: The understanding of ML risk in crypto assets is still in the early stage. We aim to build a score that can stand test-of-time to support real applications in long run. Therefore, we made decisions:

• 1) Following the design principle of software engineering — separation of concerns (SoC), the ML risk score is a linear combination of three components (discussed in the next section). Therefore, for efforts of improving the accuracy of this score modeling with existing factors, we can achieve this by fine-tuning the weights of existing parameters. For efforts of considering an unprecedented risky factor, we can incorporate it by either adding it as a risky event in the risk adjustment component or altering the way of generating a semantic view where it fits best;

• 2) The computation can be equally applicable to a single address or a cluster of addresses belonging to the same entity. And, because of its transparency and well-structured, this score can be combined with KYC data to build a holistic Customer Risk Rating with both off-chain and on-chain data.

Under-the-hood: how to compute ML Risk Score

Design philosophy:

In the first version of the ML risk score, we set the ultimate goal to make the score actually useful in real-life applications. Therefore, we derive industry-wide consensus to design the first set of evaluation criteria to guide the development of the score. They are:

1) **Amount **matters: A larger transaction value with a particular service type of crypto address cast more influence on the risk score.

Influence: 1 million USD > 1000 USD

2) **Direction **matters: Sending exposure is more influential than receiving exposure. Since we consider that sending exposure is a result of an active intention. On the other hand, receiving exposure could be the result of passive intention.

Influence: Sending exposure > Receiving exposure

3) Direct vs. indirect matters: Engaging with a counterparty directly (in the graph typology, we call a direct connection a 1-hop) is more influential than indirect interaction (linked within 2 or 2+ hops). For directly linked entities, the likelihood is quite slim that the owner of the target address does not know the directly interacted counterparty. But, for indirectly linked entities, it is possible that the owner of the target address is not aware of distant entities.

Notice: in blockchains, we intend not to differentiate connections of 2-hop or connections of 2+ hops. For details, please check the great article published by Chainalysis.

Influence: Direct exposure > Indirect exposure

2. Modeling with semantic views

Money Laundering as coordinated value movements follows the same pattern, placement, layering, and integration, regardless of utilizing blockchains or traditional financial systems (e.g. banks). Due to the lack of AML compliance in the crypto world, it is much cheaper to create an account/address and conduct a transaction, when considering documentation cost and monetary cost.

A raw transaction graph view consists of a set of individual crypto addresses and links representing transactions between those addresses. This “organic” view is unnecessarily complicated and provides very low signal-to-noise information. Due to this fact, groups who wash money have commands of an unprecedentedly large number of addresses under control. However, it is possible to simplify the transaction graph significantly without meaningful information loss by clustering addresses into different entities for various reasons. We call the simplified graph the **Semantic view **where a node represents an entity instead. With domain knowledge, data collection, and AI techniques, we can build a practical AI-powered workflow to generate a semantic view now. However, building a better suite of processors to generate semantic views could be a never-ending effort.

Figure 2: Illustration of AI-powered processors transforming “organic” transaction graph to semantic view.

3. Friendly math explanation

Equation 1

• Base risk: It is determined by annotation information of a given crypto address. This includes the service type (e.g. CEX) and its corresponding generic risk level, the entity (e.g. Coinbase), and/or its reputation for AML compliance.

• Exposure risk: It is derived from the semantic view of historic transactions of a target crypto address. We aggregate the data partitioned by indirect/direct and service types in order to compute exposures.

Equation 2

• Risk adjustment: The adjustment score can play a significant role in refining the final risk score. The factors triggering adjustment are expected to grow as industry-wide understanding and practices develop. At the current state, there are two categories of adjustment. They are:

• 1)** Attributes:** The annotation data can provide more information to depict the crypto address’s security level or other related aspects. For example, a crypto address had been reported by a network of partners as being blocked by a reputable crypto exchange. The “blocked” status will boost the risk level.

• 2)** Presence of risky transaction patterns**: Peel-chain is a layering technique widely used to increase the difficulty of tracing funds. It is commonly used as part of money laundering coordinated efforts. Within a certain proximity around the target crypto address, our AI algorithm can detect the peel-chain pattern. The detection of such a risky pattern definitely demands an upward adjustment to a risk score.

4. Example: improved discriminative power

It is very often that we encounter crypto addresses marked as “unknown” due to minimal annotation data. In this situation, an industry-leading on-chain analytics provider models the risk level of crypto address exclusively on service type. It will consider all addresses labeled as “unknown” equally safe, without considering past transactions. In their suggested workflow, they expect human users to draw their judgment by investigating transactions.

Figure 3: Screenshot displays the exampled crypto address with Chaintool’s KYA ( Link** **)

In contrast, our ML Risk score can indicate quantitatively that the target crypto address is quite high, due to the fact that a lot of funds are transferred to the Scam address. This is a good example that by using ML Risk Score, we can have a good sense of risk level without actually doing a tedious eyeball investigation.

Why open-source?

Open-sourcing ML Risk Score is a natural decision for our team. Web 3.0 and crypto are actually built upon open-source software with the goal of bringing transparency and decentralization. ML Risk Score has the potential to be a gatekeeper defending CeFi and DeFi protocols from being flooded by actors with dirty funds. Such mission-critical pieces of software must be built by the community.

Therefore, we have the following reasons/benefits for developing the score as open-source software:

• Attract more talents: To have more talents working on iterating ML Risk Score, we considered that we may have assembled a good data science squad (members are ex-Pinterest, ex-Google, ex-Alipay) as an early-stage startup in Web 3.0 space 😊. However, the development of ML Risk Score, which must keep up with the rapid development of blockchain technologies, demands more brain power from top talents way beyond what a small startup can provide.

• Promote adoption: Achieve community consensus on how to define ML risk and productize it as ML Risk Score. The ML compliance practices are still in the exploration phase. By open-sourcing ML Risk Score, we wish that it could promote communities to apply it in real business. The feedback from real applications accelerates the development of ML Risks. And, eventually, it can mitigate the exposure of the blockchain to Money Laundering use cases.

What is next?

We view starting open-source as the beginning of long-term commitments. During the upcoming weeks, we will gradually roll out a small number of open-source projects. Each of those projects requires coordination and well-planning between us and committed parties (most of them are well-established organizations in corresponding domains). ML Risk Score is likely to be the first one of them to launch an execution plan and setup.

• Contact career@chaintool.ai, if you would like to join us as an early member.

• Contact partners@chaintool.ai, if you would like to team up with us to solve your business problems or more.

• Contact investors@chaintool.ai, if you are looking for an early-stage startup to invest in and have a fairly strong belief in our mission and/or team.

• Subscribe to our newsletter, if you want to get updated with Web 3.0 risk management-related industry news.

Author(s): Yi Zhang (Co-founder & CEO, Ph.D.), Yi Dong (Founding Engineer, Machine Learning)