It’s been hammered into crypto founders’ brains that control is risky business under the law. While I’m happy that the importance of control has become top of mind for founders (we’ve come a long way over the past few years), I’m noticing a little confusion about how to properly think about control. Founders seem to think “control = bad” but don’t exactly know how to reason about it.
I think the better framing of control is that it’s a spectrum. To identify where you are on the spectrum, you need to ask yourself two questions:
Who is in control?
What can the control do?
Who is in control. The way to toggle this is through decentralization. The spectrum looks something like this (from more to less control):
One party controls >> a multisig of insiders controls >> a multisig of independent parties controls >> a DAO controls >> full immutability
What can the control do. The way to toggle this is through scoping. Here’s how this can look (again, from more to less control):
Full upgradeability >> full upgradeability with a timelock >> upgradeability of specific external dependencies (like swapping out an oracle) >> pause functionality >> full immutability
After you’ve identified where along the spectrum your control sits on each of these factors, you can apply it to the legal regime you care about. I strongly believe that the control analysis is relevant to pretty much any area of law. That is, the law’s lodestar to hold parties accountable usually comes down to who was in control of what.
For example, I’ve argued that unilateral control over users’ funds is a necessary condition of whether a party is a money transmitter. (The Tornado Cash court disagrees, but I wrote a paper on why I do not think that’s the correct interpretation of the law.) So when determining what "unilateral control" means, ask yourself: where along the control spectrum do you fall both on (1) decentralization and (2) scoping?
Maybe you have one person with an admin key, but that person can only pause the protocol in emergencies.
Or maybe you have an actually decentralized DAO with admin control of full upgradeability.
There’s an argument that neither arrangement would make a project a money transmitter because neither arrangement involves unilateral control by insiders.
You can then take this control analysis and apply it to other areas of law. For example, we all know all too well the Howey test for securities laws. The “efforts of others” prong, at least in part, is a question of whether there is a manager with control. The level of technical control over the protocol is an input to that decision.
Then there’s the question of deciding where you should fall on the spectrum. This should be done carefully with your counsel for each legal regime. But at a high level, we can say that control has benefits from a business perspective and costs from a risk perspective. I think the key thing is to ensure that your cost-benefit analysis is not out of whack — that you’re thoughtful as to why you’re retaining control. For example, if the primary “benefit” you want control for is to act in case of emergencies, your “cost” of control (in terms of liability) will be lower with a pause function than full upgradeability. Try and pick the non-negotiable facets of your business that require control and tailor-fit the level of control to match that.
All information contained herein is for general information purposes only. It does not constitute investment advice or a recommendation or solicitation to buy or sell any investment and should not be used in the evaluation of the merits of making any investment decision. It should not be relied upon for accounting, legal or tax advice or investment recommendations. You should consult your own advisers as to legal, business, tax, and other related matters concerning any investment. None of the opinions or positions provided herein are intended to be treated as legal advice or to create an attorney-client relationship. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by Variant. While taken from sources believed to be reliable, Variant has not independently verified such information. Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by Variant, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Variant (excluding investments for which the issuer has not provided permission for Variant to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at https://variant.fund/portfolio. Variant makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. This post reflects the current opinions of the authors and is not made on behalf of Variant or its Clients and does not necessarily reflect the opinions of Variant, its General Partners, its affiliates, advisors or individuals associated with Variant. The opinions reflected herein are subject to change without being updated. All liability with respect to actions taken or not taken based on the contents of the information contained herein are hereby expressly disclaimed. The content of this post is provided "as is;" no representations are made that the content is error-free.
It’s been hammered into crypto founders’ brains that control is risky business under the law. While I’m happy that the importance of control has become top of mind for founders (we’ve come a long way over the past few years), I’m noticing a little confusion about how to properly think about control. Founders seem to think “control = bad” but don’t exactly know how to reason about it.
I think the better framing of control is that it’s a spectrum. To identify where you are on the spectrum, you need to ask yourself two questions:
Who is in control?
What can the control do?
Who is in control. The way to toggle this is through decentralization. The spectrum looks something like this (from more to less control):
One party controls >> a multisig of insiders controls >> a multisig of independent parties controls >> a DAO controls >> full immutability
What can the control do. The way to toggle this is through scoping. Here’s how this can look (again, from more to less control):
Full upgradeability >> full upgradeability with a timelock >> upgradeability of specific external dependencies (like swapping out an oracle) >> pause functionality >> full immutability
After you’ve identified where along the spectrum your control sits on each of these factors, you can apply it to the legal regime you care about. I strongly believe that the control analysis is relevant to pretty much any area of law. That is, the law’s lodestar to hold parties accountable usually comes down to who was in control of what.
For example, I’ve argued that unilateral control over users’ funds is a necessary condition of whether a party is a money transmitter. (The Tornado Cash court disagrees, but I wrote a paper on why I do not think that’s the correct interpretation of the law.) So when determining what "unilateral control" means, ask yourself: where along the control spectrum do you fall both on (1) decentralization and (2) scoping?
Maybe you have one person with an admin key, but that person can only pause the protocol in emergencies.
Or maybe you have an actually decentralized DAO with admin control of full upgradeability.
There’s an argument that neither arrangement would make a project a money transmitter because neither arrangement involves unilateral control by insiders.
You can then take this control analysis and apply it to other areas of law. For example, we all know all too well the Howey test for securities laws. The “efforts of others” prong, at least in part, is a question of whether there is a manager with control. The level of technical control over the protocol is an input to that decision.
Then there’s the question of deciding where you should fall on the spectrum. This should be done carefully with your counsel for each legal regime. But at a high level, we can say that control has benefits from a business perspective and costs from a risk perspective. I think the key thing is to ensure that your cost-benefit analysis is not out of whack — that you’re thoughtful as to why you’re retaining control. For example, if the primary “benefit” you want control for is to act in case of emergencies, your “cost” of control (in terms of liability) will be lower with a pause function than full upgradeability. Try and pick the non-negotiable facets of your business that require control and tailor-fit the level of control to match that.
All information contained herein is for general information purposes only. It does not constitute investment advice or a recommendation or solicitation to buy or sell any investment and should not be used in the evaluation of the merits of making any investment decision. It should not be relied upon for accounting, legal or tax advice or investment recommendations. You should consult your own advisers as to legal, business, tax, and other related matters concerning any investment. None of the opinions or positions provided herein are intended to be treated as legal advice or to create an attorney-client relationship. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by Variant. While taken from sources believed to be reliable, Variant has not independently verified such information. Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by Variant, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Variant (excluding investments for which the issuer has not provided permission for Variant to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at https://variant.fund/portfolio. Variant makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. This post reflects the current opinions of the authors and is not made on behalf of Variant or its Clients and does not necessarily reflect the opinions of Variant, its General Partners, its affiliates, advisors or individuals associated with Variant. The opinions reflected herein are subject to change without being updated. All liability with respect to actions taken or not taken based on the contents of the information contained herein are hereby expressly disclaimed. The content of this post is provided "as is;" no representations are made that the content is error-free.