Regulations on emerging decentralized finance technology have proven difficult to enforce, in part because, in the world of self-fulfilling digital contracts, it isn’t always clear which individuals should be held to account.
During a session at the Canadian Investment Review’s 2022 Global Investment Conference in April, Ryan Clements, assistant professor and chair in business law and regulation in the University of Calgary’s faculty of law, said this regulatory shortfall makes it almost impossible for institutional investors to engage in the opportunity presented by the instantaneous flash loans and risk-free arbitrage opportunities afforded by DeFi. Though, he noted, almost impossible doesn’t mean impossible.
“There are few, if any, protections that exist in this ecosystem right now. If you want to come into the ecosystem, there’s a lot of self-protection measures that you’ll have to take.”
There are other reasons why institutional investors are, in general, steering clear of the DeFi space. The first is that DeFi remains poorly understood, even by experts. Clements, who sits on the crypto-asset working group of the Investment Industry Regulatory Organization of Canada, said he has students using DeFi as a source of income with a better understanding of the rapidly evolving field than he has.
To put it simply, DeFi is built using the same blockchain technology used in Bitcoin. Clements credits Ethereum founder Vitalik Buterin with creating it after looking at Bitcoin and asking a key question: Why don’t we make it programmable?
“Instead of moving money peer-to-peer within a bank or a payment mechanism, we can move anything. We can trade stocks and derivatives and we can create synthetic versions of stocks or derivatives. We can create analogues to loans and banking. We can organize these decentralized organizations and issue governance tokens that allow them to run.”
Any DeFi system operates by stacking layers of technology to create a smart contract. At the bottom layer is the traditional blockchain, which acts as a public ledger of transactions. Above that is the settlement layer, which runs a consensus mechanism that decides if the conditions for trades to be performed are met and triggers the trades to be performed. At the very top is a software layer that outlines the behaviour for the lower stacks to follow.
“A smart contract allows individuals with custody of crypto assets to interface with each other and perform a transaction that would normally require an intermediary, like a marketplace or a bank or a derivatives dealer,” said Clements.
The requirement that DeFi users have direct control over crypto assets presents challenges that make it particularly difficult for institutional investors to make effective use of the DeFi space, he noted. To do so, pension plans and endowment funds would have to entrust private storage keys of crypto assets to individual investors.
“But there are institutional investors, particularly in the U.S., that are starting to look to these opportunities, both by directly participating and also indirectly by virtue of participating in these lending protocols and automated market makers.”
Even those institutions willing to brave DeFi’s risks must figure out a way to do so in a manner that keeps them on the right side of regulators, said Clements. Due to the constant exposure inherent in using a smart contract, auditing crypto-based assets locked into smart contracts remains a difficult task, he added.
One of the strategies institutional investors can use to take on DeFi exposure is to operate with the assistance of custodial businesses, suggested Clements. While he said the regulatory framework may be too limited to provide those with direct exposure to DeFi with adequate protection, those operating through custodians may be somewhat better protected — at least in Canada and the U.S., where regulators have taken an approach known as ‘not your keys, not your coins.’
“[Like the Securities Exchange Commission in the U.S.], the Canadian Securities Administrators and the IIROC have asserted jurisdiction over centralized crypto asset trading. A platform that takes custody establishes a relationship between the platform and the user, creating an investment contract — which is a security.”
Still, one risk facing DeFi’s early adopters that regulators simply can’t protect against is bad actors with a good understanding of how to manipulate contracts written in code. In a recent case, noted Clements, a 19-year-old Waterloo University math student found an exploitable bug inside a smart contract that allowed for instantaneous arbitrage.
By using the contract in a way that wasn’t intended, the student extracted $15 million worth of crypto assets. While neither the student, nor the assets, remained in Ontario long enough for the fraud case that followed to make its way through the courts, his proposed defence — that a contract’s code is its law — remains untested in Canada’s courts.
On the balance of probabilities, Clements said he’d guess Ontario’s judges would reject it, but he added it could go either way, leaving users of smart contracts without legal recourse for reimbursement if a contract’s code is found to be exploitable.
“Interestingly enough, people like decentralization until they lose all their crypto assets. Then, all of a sudden, they hire guys like me — lawyers — to bring a lawsuit, a common law remedy that’s been around for hundreds of years.”