IOSCO warns of hidden risks in DeFi and questions ‘decentralisation’

By John Bassilios

The International Organisation of Securities Commissions (IOSCO) has reviewed the quickly evolving DeFi market and warned of a dozen risks facing investors and other DeFi participants.

The report on ‘Decentralised Finance’ (DeFi) identifies new products and services such as ‘flash loans’ that have evolved with DeFi, and highlights the risks of both novel products and those that replicate traditional financial instruments. Chief among the concerns raised are the risks associated with DeFi products and services that look and behave like traditional financial services but are largely unregulated.

IOSCO also questions how truly ‘decentralised’ DeFi is. The report analyses DeFi systems and identifies common actors who retain control over allegedly decentralised systems, echoing a 2021 statement from the Bank for International Settlements that decentralisation is an ‘illusion’.

The report comes as the IOSCO Retail Market Conduct Task Force, co-chaired by the Australian Securities and Investments Commission (ASIC) and the Central Bank of Ireland, also released a consultation report addressing trends in the retail investment market on 21 March 2022. The consultation highlights concerns raised by regulators globally over the number of retail investors engaging with crypto assets for the first time without adequate regulation and the proliferation of fraudulent platforms and scams. Of the risks facing retail investors, ASIC Commissioner Sean Hughes said that ‘combatting misconduct in retail markets – especially that which is digitally enabled – is an ongoing challenge worldwide and risks undermining confidence and stability’.

What is DeFi?

Noting that there is no generally accepted definition of ‘DeFi’, the report states that in common usage DeFi often refers to financial products, services, arrangements and activities that use distributed ledger technology without the use of traditional intermediaries. According to IOSCO, the primary goal of DeFi is to remove intermediaries to allow for peer-to-peer transactions, and therefore to create accessible alternatives to traditional and centralised financial market infrastructure. A key concern of the report is then how to manage application of existing regulatory frameworks to DeFi participants and activities, and whether a straightforward application of these existing regulatory frameworks is appropriate.

IOSCO argues that decentralisation is a spectrum and not a ‘binary outcome’, and that many products and services that claim to be decentralised are actually controlled by a select few either through concentrated ownership of the ‘governance tokens’ that allow users to vote on certain decisions, or by restricting the types of decisions that can be made by users. According to the report, ‘most DeFi protocols rely on [centralization] in one or more areas, and there are protocols that have a hidden [centralized] authority and are [decentralized] in name only’. The issue for IOSCO and regulators then becomes how to regulate DeFi participants and services when it is not always clear who is responsible.

The growth of DeFi

In October 2021 total value locked in DeFi platforms globally was estimated at USD$200 billion, representing a sharp growth in both the number of users and the value of crypto assets. The report points to several factors supporting the rapid growth of the DeFi market, including:

  • the ability for early investors to identify and invest in nascent technologies;
  • demand for liquidity in the crypto asset market has created a role for market-making and other related services to be provided to DeFi platforms;
  • traditional centralised finance participants are increasingly seeking to demonstrate that they are engaged with market trends and see an opportunity to diversify their existing services and access high returns by engaging with DeFi;
  • DeFi projects have been actively encouraged by blockchain communities who hope to encourage the use of their networks; and
  • early adopters saw the funding of DeFi projects as a way to invest in products and services that were aligned with their own views.


DeFi products and services

The report goes on to provide an analysis and to identify the key products and services provided by DeFi platforms that are ‘open-sourced, decentralised, non-custodial, and enable investors and consumers to engage in crypto-asset transactions on a peer-to-peer or peer-to-contract basis’. While recognising that DeFi is constantly evolving, IOSCO hopes that contributing to both a ‘granular and holistic understanding of the DeFi market’ will assist regulators considering issues around crypto assets and DeFi regulation.

Crypto assets

The report positions crypto assets as a central concept within DeFi projects as a type of asset that can be created by and/or interact with a smart contract or a piece of code. Crypto assets can be used in trading, lending, borrowing and other activities (read about the Australian Government’s proposal of a licensing regime on crypto asset secondary service providers). The rights associated with a crypto asset will vary, as will the type of crypto asset, how it is created and the method of distribution.

Lending and borrowing

Lending protocols allow holders of crypto assets like stablecoins (crypto assets whose value is linked to the value of a reference asset like fiat currency) to earn a return by depositing the assets into a lending pool that allows other participants to borrow those assets simultaneously. Lenders typically receive a different crypto asset representing their interest in the lending pool that can be redeemed for their original asset and any accumulated benefits. Benefits are often set by algorithms, the project team, or through voting.

Lending protocols may also support ‘flash loans’ where the lending, use of funds and repayment are performed within the same block of transactions. This means that if one element of the loan fails, then the whole loan will be cancelled. As flash loans do not involve default risk, borrowers are not required to deposit collateral and any interest earnt on the loan is generally fixed at a low rate.


The report outlines the practice of creating synthetic crypto assets and derivatives whose value is based on a reference asset or the outcome of a particular event. The report also gives an explanation of ‘wrapped’ or ‘bridged’ tokens, crypto assets that ‘serve as a bridge between one blockchain and another and require a person to transfer the underlying crypto-asset to the address of a centralized third party or a smart contract on the blockchain supporting that crypto-asset, which in turn issues, through a smart contract, a crypto-asset representing the underlying crypto-asset on a different blockchain’. Wrapped crypto assets allow owners to participate in DeFi programs on multiple chains, without having to sell the underlying crypto asset on the user’s ‘home’ blockchain, providing the DeFi program with synthetic exposure to the owner’s underlying asset.


The report outlines the growth of decentralised exchanges that allow users to trade crypto assets through smart contracts (rather than requiring assets to be transferred to a central platform). Exchanges can operate both ‘on’ and ‘off’ chain, where the blockchain can be used only as a record of settlement or as a central component of the services. The report also notes the role of bots and algorithms in matching and executing trades, and the role they play in exploiting inefficiencies in the exchange’s processes to front-run transactions and identify arbitrage opportunities.

Risk protection and insurance

As insurance is limited in the crypto asset market, the report examines other methods by which investors can protect their assets. While there are smart contract-based insurance protocols aimed at protecting investors against adverse events such as hacks or technical failures, they are as yet underdeveloped and so are of little utility. Although DeFi insurance protocols are compared to traditional insurance, the report argues that insurance smart contracts could be considered a type of derivative as they are ‘essentially shared risk pools that offer and sell event contracts’.

Principal participants

IOSCO also provides an outline of the key participants in the DeFi market who design and provide products and services to other DeFi participants and investors without the involvement of traditional intermediaries. The market participants identified by the report include:

Protocol creators and developers

Described as the entities who create the software through which DeFi operates, often obtaining funding from traditional avenues such as venture capital investment or through crypto asset offerings. Proceeds are often retained ‘on chain’ as a treasury to finance the future development or expansion of a platform.

Decentralised autonomous organisations (DAOs)

An alternative organisational structure that focuses on community governance. While the report acknowledges that there is no widely agreed definition of a DAO, it is generally accepted that DAOs are organised around a common goal with governance shared amongst members according to a set of rules put into place via enforcement mechanisms on a blockchain.

DeFi investors

The investors who participate in DeFi may be individuals, venture capital or private equity funds and institutions. The report emphasises the role investors play in both funding the establishment of DeFi programs, and also as participants in those programs once established. The report references recent statistics estimating that USD$1.9 billion was invested into the establishment and support of DeFi programs by venture capital entities, fuelling the rapid expansion of the market.

On the other end of the investment spectrum, the report also discusses the rise of celebrity crypto asset endorsements, easy to use platforms and investment protocols that mirror complex financial products such as hedge funds. This combination of factors allows retail investors to participate in unregulated facsimiles of financial products that they would not otherwise be able to access, or financial products that they do not understand.

Key risks and considerations

IOSCO also raises serious concerns with the removal of the intermediaries that have traditionally acted as ‘gatekeepers’ to financial products and that provide a layer of consumer protection and legitimacy to transactions. Without intermediaries performing functions such as financial advice, informational services, liquidity controls, disclosure to investors and AML/CTF services, IOSCO argues that there is a serious risk to both investors and markets. While the development of DeFi can lead to lower costs and increased choice for investors, the report observes that it introduces potential new risks, and that many operators are currently providing services either in a legal grey area or in direct defiance of local regulation.

Amongst the risks identified by the report are:

Asymmetry and fraud risk

Where investors are not given full disclosure, they can unwittingly invest in high risk activities. The report also notes that while smart contracts and blockchain data are public, the technical nature of this information often requires specialist knowledge to interpret. Likewise the roles of social media and ‘finfluencers’ in marketing DeFi products and services can lead to investors making uninformed choices.


The ability for investors to engage in front-running on certain blockchains by paying a fee to have their transaction processed ahead of others has been highlighted as a key concern. The report notes that blockchains such as the popular Ethereum process transactions relatively slowly, making them vulnerable to front-running by those with the knowledge and information to do so.

Illicit activity risks

Although the report recognises that some participants are beginning to consider AML/CTF, the large number who are not taking AML/CTF measures are vulnerable to participants acting ‘under a cloak of anonymity’ to conduct illegal transactions and to circumvent sanctions. The report also notes the growing market in technology available to obfuscate the identities of participants and the purposes of transactions including ‘anonymity-enhanced cryptocurrencies… mixers, [and] tumblers’.

Operational risks and cyber security

As is well-documented, crypto assets and blockchain technology are vulnerable to technology-based failures and human error. When The DAO, an early decentralised autonomous organisation that raised over USD$150 million from investors, was compromised shortly after its launch in 2016, hackers were able to siphon around USD$60 million worth of cryptocurrency. Likewise in early 2021, the New York Times reported on a growing number of users who risked losing their crypto assets due to lost or forgotten passwords, including one who estimated the value of his crypto assets to be USD$220 million, but had no way to access them.

Governance risks

Aside from potentially misleading investors as to how decentralised a DeFi service actually is, IOSCO also considers risks around potential conflicts of interest, access to information and the lack of transparency around voting. The ability for a small group of individuals to accumulate voting rights under pseudonyms means that DeFi entities are vulnerable to hostile takeovers, insider trading, misappropriation of assets and ransom attacks.

In conjunction with the risks to DeFi investors and providers, the report also touches on the flow-on effects for traditional markets. Noting that traditional financial institutions are increasingly engaging with crypto assets and DeFi projects, the report notes that the interconnectedness of DeFi and TradFi is likely to grow, exposing those institutions to DeFi risks. The report also considers the impact that DeFi instruments such as stablecoins and derivatives will have on traditional markets for those reference assets, such as fiat currencies and securities.

Cautionary optimism for the future of DeFi

While DeFi provides novel products, services, and opportunities to the financial services industry, it comes with risks to investors and wider markets.

Following the release of the DeFi report, IOSCO also announced the establishment of a new task force to be led by Tuang Lee Lim, Assistant Managing Director of the Monetary Authority of Singapore (MAS). The task force will work to examine the risks raised by the report. Upon the announcement, Lim stated that ‘IOSCO’s decision to establish the task force signifies our members’ resolve to take timely and coordinated policy action to appropriately address the risks arising from this fast-growing area’.

The publication of the report and establishment of the IOSCO DeFi task force comes as regulators globally turn their minds to regulation of DeFi and crypto assets. Just last week, the Bank of England published a report on DeFi and market stability, expressing concerns around the lack of transparency in the crypto asset market and around DeFi participants. The European Supervisory Authorities also recently launched an EU-wide campaign to warn consumers of the risks surrounding crypto assets.

Continuing its work, IOSCO is seeking comment from interested members of the public and current DeFi participants on any matter relating to the report or crypto assets more generally. Comments may be submitted to

This article was written with the assistance of Eric Lay, Law Graduate.


John Bassilios

Partner & Fintech and Blockchain Lead

John has broad experience in financial services, funds management, blockchain, crypto, web3 and corporate law.
