ONCD-2023-0002-0043_attachment_1
Policy Counsel
524 Broadway
New York, NY
maude@uniswap.org
Re: Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization
Uniswap Labs appreciates the opportunity to comment on the White House’s request for
information regarding open-source software security and is supportive of making open
source software a national public priority.
Uniswap Labs1 is a software development company that helped create the Uniswap
Protocol, a leading open-source and source-available, self-executing DeFi protocol.
Uniswap Labs is a developer of applications providing access to the protocol and the
broader web3 ecosystem. Uniswap Labs is headquartered in New York City and all but
one of its over 100 employees are based in the U.S. Approximately 40% of employees are
women and 40% people of color.
This comment letter will focus on responding to the RFC from the perspective of Uniswap
Labs, a developer of DeFi software.
The Uniswap trading protocol is open-source and source-available smart contract code
that was first deployed on the Ethereum network.2 The Uniswap Protocol is the most
popular decentralized exchange protocol on the Ethereum network and a pioneer in
implementing the now-widely used Constant Function Market Maker (CFMM) structure.
In Automated Market Makers (AMMs), “liquidity providers” (LPs) contribute liquidity into a
liquidity pool smart contract for a specific token pair, e.g. ETH-USDC. By doing so, LPs
expand the liquidity pool for each of the two assets while simultaneously taking on some
trading risk in exchange for fees paid by traders for providing them liquidity (i.e. as
liquidity “takers”). Automated arbitrage trading by independent actors across both
decentralized and centralized trading networks ensures an alignment of price discovery
across the digital assets ecosystem.
1 http://www.uniswap.org/.
2 There have been three versions (v1, v2, and v3) of the protocol implemented on the Ethereum virtual
machine and layer two Ethereum scaling solutions Polygon, Optimism and Arbitrum. We will refer to all of
these protocols as the “Uniswap Protocols” unless specifically indicated otherwise.
The Uniswap Protocol has been highly successful. Cumulative volumes occurring through
the Uniswap Protocol in October 2023 exceeded $1.6 trillion across at least 3.9 million
wallet addresses. Daily volume on the Uniswap Protocol averages over $600 million per
day with current value locked in the protocol at approximately $3 billion.3
Consistent with the decentralized nature of the Uniswap Protocol, currently approximately
15-20% of Uniswap Protocol wallet addresses, liquidity providers or otherwise, use the
Uniswap Labs interface to interact with the Uniswap Protocol. This means that
approximately 80-85% of Uniswap Protocol volumes originate elsewhere, especially
through other interfaces, including free or commercial software wallets that have their
own integrations into the open source Uniswap Protocol or custom integrations.
Particularly knowledgeable users can also write code to interact directly with the smart
contract.
The Uniswap Protocol compares favorably with traditional, centralized financial market
infrastructures on several long-standing public policy priorities.
- Interoperability. Because the Protocol has source code freely accessible to the
public, other developers, services, and market participants can interact or build
tools or other protocols that interoperate with it.
- Self-custody. All trades on the Uniswap Protocol and through the Uniswap Labs
interface are non-custodial, meaning that users retain control and possession of
their digital assets throughout the trade lifecycle. As an example, this means that
the benefits of lending one’s assets, should a digital asset owner engage in it,
accrue solely to the asset owner, not their custodian. This is no small benefit with
securities lenders alone earning over $9 billion in 2021 from lending out primarily
client assets.4
3 See https://info.uniswap.org/#/ (last visited Oct. 27, 2023).
4 See DataLend: Securities Lending Markets Up 21% in 2021, Generating $9.28 Billion in Revenue, Jan.
4, 2022,
https://datalend.com/datalend-securities-lending-markets-up-21-in-2021-generating-9-28-billion-in-revenue/#:~:text=NEW%20YORK%20.
5 https://blog.uniswap.org/uniswap-v3-dominance
In contrast, centralized financial market infrastructures generally use proprietary matching
engines, resist interoperability even when it is required,6 introduce custody risks,7 and
require expensive data licensing agreements to obtain transactional or depth of liquidity
data.8
The Uniswap Protocol is not centrally governed. It is not controlled by Uniswap Labs.
Similar to many other DeFi protocols, the developers of the protocol, i.e. Uniswap Labs or
any of its employees, lack the ability to block any transactions on the protocol or shut off
or otherwise unilaterally change the Uniswap Protocol code. By design, UNI governance
token holders with voting powers also cannot block any transactions or shut off the
protocol, but they can propose or vote to implement a limited number of changes to the
protocol, e.g., by voting in new liquidity provider fee tiers.9 Based on internal policies,
Uniswap Labs employees do not vote in protocol governance decisions.10
II. Comments
A belief in the strength of open source code, and the benefits provided by open source code,
underlies all aspects of our business. Uniswap Labs helps develop blockchain-based protocols
comprised of smart contracts, and also develops web-based applications that help people
access and use those protocols. The protocol is open-source (or source available under a
business source license), and the web-based applications are open-source.
For traditional applications, “open source” means third parties can see the original code that has
been published but can’t see the binary code (the 1s and 0s that the written code is translated
into) that the application is actually running. This means there is no way for third parties to
independently verify that the program an entity says it is running is actually what is being run.
6 See e.g., The Interoperability Debate Rages On, Jan. 13, 2015,
https://www.bestexecution.net/post-trade-clearing-mary-bogan/, quoting Tomas Kindler, head of clearing
at SIX Securities Services: “With the exception of Euronext all the remaining main markets that remain
closed, such as Germany, Italy or Spain, are vertically integrated. From a pure economic perspective they
have no incentive to open up. So the equities market is seen as the first line of defence for the lucrative
derivatives market. That’s the main area they want to protect. Keeping the equities business closed has to
be seen in that context”
7 In 2011, futures commission merchant MF Global experienced a meltdown of its financial condition,
caused by improper transfers of over $891 million from customer accounts to a MF broker-dealer account
to cover losses created by trading losses. Corzine Reaches $5 Million Settlement With Regulators in MF
Global Case, Jan. 5, 2017,
https://www.nytimes.com/2017/01/05/business/dealbook/mf-global-jon-corzine-penalty-settlement.html.
8 The abuse of exchange data market power is a recurring controversy among centralized exchanges and
has been a priority policy area. See e.g., Nasdaq, NYSE Dealt Blow in Clash With SEC Over
Market-Data Feeds, May 25, 2022,
https://www.bloomberg.com/news/articles/2022-05-25/nasdaq-nyse-dealt-blow-in-clash-with-sec-over-market-data-feeds.
9 Introducing Uni, Sept. 16, 2020, https://uniswap.org/blog/uni.
10 Uniswap Labs employees may, however, delegate voting power to other members of the Uniswap
Protocol community.
For smart contracts, anyone can see the binary code, even if the original code is not open
source. Third parties can reconstruct (decompile) the original code from the binary code or, for
programs that are open source, compile the original code themselves and verify the results
against the binary code the smart contract is running.
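As an added illustration of the verification step just described (example code written for this page, not Uniswap Labs' own tooling): solc appends a CBOR metadata trailer to runtime bytecode whose last two bytes give the trailer's length, so a verifier compares compiled and deployed code with that trailer removed and reports separately whether the trailer matched as well. The sample bytecode, source hashes and version bytes are constructed.

```python
"""Compare locally compiled runtime bytecode with what a contract actually runs.

Added example, not Uniswap Labs code. solc appends a CBOR metadata map (source
hash, compiler version) to runtime bytecode, followed by a two-byte big-endian
length of that map. Two correct builds of one source can differ only in that
trailer, so the comparison is made with the trailer stripped.
"""
from dataclasses import dataclass


def cbor_metadata(ipfs_hash: bytes, solc_version: bytes) -> bytes:
    """Build the trailer solc emits: {"ipfs": <34-byte hash>, "solc": <3-byte version>}."""
    body = (b"\xa2"                                     # CBOR map with 2 entries
            + b"\x64ipfs" + b"\x58" + bytes([len(ipfs_hash)]) + ipfs_hash
            + b"\x64solc" + bytes([0x40 | len(solc_version)]) + solc_version)
    return body + len(body).to_bytes(2, "big")          # length suffix solc appends


def strip_metadata(code: bytes) -> bytes:
    """Return runtime code without its metadata trailer; unchanged if none is found."""
    if len(code) < 2:
        return code
    n = int.from_bytes(code[-2:], "big")
    if n == 0 or n + 2 > len(code) or code[-(n + 2)] >> 5 != 5:  # major type 5 = map
        return code
    return code[:-(n + 2)]


@dataclass(frozen=True)
class VerifyResult:
    exact: bool         # deployed bytes == compiled bytes, trailer included
    code_matches: bool  # equal once each side's metadata trailer is removed


def verify_runtime(deployed: bytes, compiled: bytes) -> VerifyResult:
    """Decide whether the published source could have produced the deployed code."""
    return VerifyResult(exact=deployed == compiled,
                        code_matches=strip_metadata(deployed) == strip_metadata(compiled))


# Constructed sample: a minimal runtime prologue plus trailers with made-up hashes.
SOLC = b"\x00\x08\x14"                                  # fake "0.8.20" version bytes
BODY = bytes.fromhex("6080604052")                      # PUSH1 0x80 PUSH1 0x40 MSTORE
DEPLOYED = BODY + cbor_metadata(b"\x12\x20" + b"\x11" * 32, SOLC)
COMPILED = BODY + cbor_metadata(b"\x12\x20" + b"\x22" * 32, SOLC)   # same code, other hash
TAMPERED = bytes.fromhex("608060405260006000fd") + cbor_metadata(b"\x12\x20" + b"\x11" * 32, SOLC)

if __name__ == "__main__":
    for other in (DEPLOYED, COMPILED, TAMPERED):
        print(verify_runtime(DEPLOYED, other))  # (True, True), (False, True), (False, False)
```

A real verifier feeds `DEPLOYED` from an `eth_getCode` response and `COMPILED` from solc's runtime output for the published source; the stripping logic is the same.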
The verifiability of smart contract code creates a host of benefits. For example, one of the
primary benefits of DeFi is composability. Developers can build on top of and integrate with
other protocols without need for costly negotiations, e.g., a non-disclosure agreement, terms to
access a particular API, revenue sharing agreements, etc. This permissionless interoperability
inherent in DeFi makes it easier for new products to be developed and lowers the barriers to
entry by allowing developers to make use of innovations that have come before. For example,
while Uniswap Labs has developed three (3) versions of the Uniswap Protocol, the interface we
have developed to facilitate interacting with the Protocol, as mentioned above, generally
accounts for 15-20% of total Protocol volume. Other interfaces, developed by unaffiliated third
parties, account for the remainder.
Composability depends on two things: immutable code and verifiable code. Immutable code
ensures that the underlying foundation that a new application is building on top of will not be
changed. Verifiable code ensures that the foundation is actually composed of the code an entity
says it is composed of, giving developers the confidence to build on top of it. With verifiable
code, developers can analyze the code of projects they are considering integrating with to
ensure they understand how the project functions and that it is secure.
Proposal
Given the important role open source/source available code plays in the blockchain ecosystem,
its security is also of the utmost importance. Open source code has benefits, but it also creates
security risks. These risks take a somewhat distinctive form for open source smart contracts, because
the code is transparent and immutable.
Uniswap Labs knows this first hand: we have helped develop smart contract code that has
handled over $1.6 trillion in volume and has never been hacked. Over the past several years,
we have developed (and followed) industry best practices related to security. These best
practices include rigorous auditing, bug bounties, and developer security best practices.
A rigorous auditing program is critical for code that can be viewed (and therefore attacked) by
anyone and is immutable. Such a program would include multiple levels of review before code is
deployed. First, code should be shared internally with members of the team who did not write
the code, who will review the code to find bugs and vulnerabilities. Then, code should be shared
with respected third-party auditors. Finally, developers should review the external audit and
make any necessary changes. While these steps are industry best practice, they are by no
means the norm. A recent study found that less than a quarter of blockchain-based projects
were audited.11 The quality of available auditors also varies, with top-quality auditors in very high
demand and occasionally requiring a long wait.
After code is deployed, programs sometimes depend on “bug bounties” to catch any possible
vulnerabilities that make it through the auditing process. Since the code is open-source, anyone
can go through it and look for vulnerabilities. Bug bounties incentivize hackers to report those
vulnerabilities to the developer so that they can be fixed, instead of exploiting them. Many crypto
projects already have such programs in place. For example, Coinbase’s bug bounty program
has found and fixed over 600 bugs. Separately, Immunefi has processed over $50 million in
bug bounties (for context, one such payment to an Immunefi researcher was for a bug that
could have resulted in a $200m theft). More widespread implementation of bug bounties
would provide additional opportunities to identify vulnerabilities in the code.
Stronger cybersecurity standards across the DeFi ecosystem could likewise strengthen the
security of protocols. While individual organizations such as the Ethereum Foundation have
published smart contract security best practices, there is currently no norm across the industry.
Consistent application of smart contract security best practices by all projects in the ecosystem
would minimize the gaps available for illicit actors to exploit. Smart contract security best
practices could include: designing proper access controls, implementing internal safeguards
against problematic operations, making all code modifications via pull requests, to name a few.
Implementation
Although some blockchain protocols have financial use cases, we believe that the risks
described above make clear that the best template for regulating DeFi protocols is actually
existing software regulations, not financial regulatory frameworks. Specifically, the model
should be how financial service providers’ use of third-party software is regulated.
Several agencies within the executive branch have implemented guidance regarding financial
service providers’ outsourcing of various aspects of their business. Even when financial service
providers engage in such outsourcing, they cannot outsource their compliance obligations. They
are still responsible for ensuring that the third party services they are engaging with are
sufficiently secure and will not pose risks to their customers. For example, the OCC has issued
guidance reminding banking organizations that their use of third parties “does not remove the
need for sound risk management” and advising them to take into account the risks posed by the
nature of their third-party relationships.12 The latter includes “understanding potential information
security implications” and “determining whether the third party has the expertise, processes, and
controls to enable the banking organization to remain in compliance with applicable domestic
and international laws.”
11 https://hacken.io/insights/complete-cryptocurrency-audits-list-research/
12 https://www.occ.gov/news-issuances/federal-register/2023/88fr37920.pdf
In the case of DeFi protocols, the interfaces that provide access to those protocols, and other
projects that integrate with those protocols, a similar framework could be implemented to ensure
security goals and standards are being met. The transparency and verifiability of protocol code
means that entities can assess a third party’s code without the permission or cooperation of that
third party (just as they would not need its permission or cooperation to integrate with that
project).
We propose an implementation of the above proposal that would require an interface providing
access to a protocol, or a project integrating with a protocol developed by a third party, to vet the
security of that protocol. In other words, the project’s responsibility to ensure the safety of its
products would extend to any third-party protocol that it provides access to or integrates with.