The Wells process is a compliance audit designed for static financial disclosures, not for evaluating live, evolving software systems. It treats a protocol's GitHub repository as a final prospectus, ignoring the continuous integration and deployment cycles that define projects like Uniswap or Optimism.
the-sec-vs-crypto-legal-battles-analysis
Blog
Why the Wells Process Fails to Understand Software Development
A technical analysis of the fundamental mismatch between the SEC's rigid, linear enforcement timeline and the non-linear, iterative reality of modern protocol development and on-chain governance.
introduction
THE MISMATCH
Introduction
The SEC's Wells process is structurally incapable of evaluating modern software development, treating iterative code like a static financial document.
Software development is non-linear, while regulatory review is sequential. A protocol team can deploy hundreds of commits across multiple forks (e.g., Arbitrum Nitro, Base) during the months-long Wells review, rendering any initial snapshot of the codebase legally obsolete and practically meaningless.
Evidence: The Ethereum Merge was executed via a hard fork, a core software upgrade mechanism that has no analog in traditional finance. A Wells notice targeting pre-merge code would be investigating a system that no longer exists on the mainnet.
thesis-statement
THE PROCESS GAP
The Core Mismatch: Linear Law vs. Iterative Code
The SEC's Wells Notice process is a linear, deterministic legal framework that fundamentally misunderstands the iterative, probabilistic nature of software development.
The Wells Process is deterministic. It demands a final, complete record of past actions to establish liability. This legalistic framework treats software as a finished product, not a living system. It cannot process the reality of continuous deployment.
Software development is probabilistic. Teams ship code, observe on-chain behavior via tools like Tenderly or OpenZeppelin Defender, and iterate. A protocol like Uniswap evolves through thousands of commits and mainnet forks, not a single audited release.
The mismatch creates false positives. A bug patched in hours on Avalanche becomes permanent evidence in a filing, ignoring the iterative security model that defines web3. The process penalizes the act of building in public.
Evidence: Major DeFi protocols like Aave and Compound execute hundreds of governance proposals and code updates annually. The SEC's static snapshot approach criminalizes this essential development lifecycle.
case-study
REGULATORY REALITY VS. AGILE DEPLOYMENT
Case Studies: When the Wells Clock Clashed with the Dev Cycle
The SEC's rigid enforcement timeline is fundamentally incompatible with iterative software development, creating impossible compliance deadlines.
01
The Uniswap Labs Wells Notice
The SEC targeted Uniswap's protocol governance token (UNI) and LP interface, ignoring its decentralized, immutable core contracts. The notice came after years of public operation and community-led development, demanding a response to a product that was already a $3B+ TVL public utility. This highlights the regulator's failure to distinguish between a software protocol and a corporate security.
- Problem: Retroactive application of securities law to a live, community-governed system.
- Consequence: Legal uncertainty for all DeFi front-ends and governance models.
3+ Years
Live Pre-Notice
$3B+
TVL at Time
02
The 90-Day Response Fallacy
The Wells Process grants a 90-day window to respond to allegations. For a complex protocol like Compound or Aave, this is less than a single major development sprint cycle. A proper technical and legal defense requires:
- Auditing years of Git commit history and governance proposals.
- Modeling token distribution and economic incentives.
- Coordinating with a decentralized autonomous organization (DAO) for a unified response. The timeline assumes a centralized corporate defendant, not a global collective of contributors.
90 Days
SEC Deadline
120+ Days
Typical Dev Cycle
03
Protocols as Moving Targets
Software is never finished. The Ethereum protocol itself has undergone multiple hard forks (e.g., London, Merge, Dencun). A Wells Notice snapshot of a protocol is obsolete upon delivery. By the time the SEC files a suit, the codebase, tokenomics, and front-end may have been upgraded via Snapshot votes. This creates a legal paradox: prosecuting a specific, ephemeral software version for a dynamic, on-chain system.
- Problem: Regulation of a static artifact vs. a live, evolving network.
- Example: Uniswap v4 hooks would render a v3-based case moot.
4+
Major Uniswap Versions
Constant
State of Flux
WHY THE WELLS PROCESS FAILS TO UNDERSTAND SOFTWARE DEVELOPMENT
The Timeline Mismatch: Legal Process vs. Software Reality
A comparison of the SEC's Wells Process timeline and evidentiary standards against the realities of modern, agile software development cycles.
| Key Dimension | The Wells Process (Legal Reality) | Software Development (Tech Reality) | The Mismatch Impact |
|---|---|---|---|
Primary Timeline Unit | Months to Years | Days to Weeks (Sprints) | Legal discovery lags behind codebase by 1000s of commits |
Evidence Standard | Definitive, Finalized Documents | Ephemeral Chat Logs, PRs, Archived Code | Critical context (Slack, GitHub) is dismissed as 'not formal' |
Change Velocity | Static Snapshot (e.g., Whitepaper v1) | Continuous Deployment (Multiple prod releases/day) | Prosecution based on outdated artifacts, ignoring iterative intent |
Decision-Making Artifact | Board Resolutions, Formal Memos | RFCs, Forum Posts, Snapshot Votes | Community governance is structurally invisible to the SEC |
'Control' Definition | Legal Entity & Officers | Multi-sigs, DAO Votes, Guardian Upgrades | Protocols are software, not corporations; control is decentralized and coded |
Remediation Feedback Loop | Years (Settlement → Injunction) | Minutes (Bug Report → Hotfix Deployed) | Legal orders are obsolete before ink dries, punishing past, not fixing present |
Primary Risk Model | Investor Fraud | Smart Contract Exploit, Oracle Failure | Misalignment: The largest existential risks are technical, not financial in nature |
deep-dive
THE PROCESS MISMATCH
The Slippery Slope: How Rigid Enforcement Stifles Innovation
The SEC's Wells Notice process is structurally incompatible with the iterative, open-source nature of modern software development.
The Wells Process is a waterfall model applied to agile development. It demands a final, static product definition for legal scrutiny, which ignores the reality of continuous deployment. Protocols like Uniswap and Aave ship weekly upgrades, where features are tested live in a permissionless environment.
Legal liability requires perfect foresight, but software innovation requires experimentation. A developer cannot predict every edge case of a novel mechanism, like a ve-tokenomics model or an intent-based solver network, before users interact with it. The process punishes the discovery inherent to building.
This creates a perverse incentive for opacity. Facing regulatory ambiguity, teams like those behind dYdX or Osmosis are incentivized to develop in private, launch fully-formed, and limit protocol governance—stifling the open-source collaboration that drives the space forward. The process protects no one and innovates nothing.
counter-argument
THE MISMATCH
Steelman: The SEC's Need for Finality
The SEC's Wells process is a legal tool for finality, but it fundamentally misunderstands the iterative, open-source nature of modern software development.
The Wells process demands finality. It treats a software protocol like a static financial product, requiring a definitive, unchanging statement of facts for enforcement. This legal framework assumes a finished product, not a living system.
Software development is inherently iterative. Protocols like Uniswap V4 or Optimism's Bedrock upgrade launch with known, public roadmaps for continuous improvement. The code is a starting point, not an endpoint, with changes governed by decentralized DAOs.
This creates a definitional paradox. The SEC's case against Coinbase hinges on labeling an asset as a security at launch. However, a protocol's utility and governance—key to the Howey Test—evolve post-launch through community votes and forks, like those seen in Compound or Aave.
Evidence: The Ethereum Merge was a planned, multi-year software upgrade that fundamentally altered the network's consensus mechanism. A Wells notice based on pre-merge 'facts' would be obsolete, demonstrating the incompatibility of legal finality with protocol development.
takeaways
WHY REGULATION FAILS TECH
Key Takeaways for Builders and Investors
The SEC's Wells Process is a legal framework ill-equipped to evaluate the iterative, open-source nature of modern software development.
01
The 'Finished Product' Fallacy
Regulators treat software as a static, shipped product. In reality, protocols like Uniswap and Aave are live services with continuous, on-chain upgrades governed by DAOs. The Wells snapshot ignores the iterative deployment and community governance that define Web3 development.
1000+
Governance Votes
Continuous
Deployment
02
Misapplying the Howey Test to Code
The Howey Test evaluates investment contracts, not functional software. Applying it to open-source protocol code conflates a tool with a business enterprise. This fails to distinguish between the Ethereum Virtual Machine (a world computer) and a company selling shares.
0
Equity Issued
Public Good
Code License
03
The Developer ≠The Issuer
The process incorrectly attributes control. Core developers like those behind Lido or MakerDAO do not control user assets or protocol revenue. Smart contract autonomy and decentralized treasuries sever the legal 'issuer' link the SEC relies on.
DAO-Controlled
Treasury
Non-Custodial
User Assets
04
Ignoring the Protocol/Token Distinction
A protocol's utility (e.g., Chainlink oracles, Arweave storage) is separate from its token's market price. The Wells analysis often treats the token's speculative trading as the primary function, blinding it to billions in secured value and real-world data feeds.
$10B+
Value Secured
Utility-First
Design
05
The Audit is the Disclosure
In traditional finance, disclosure is a PDF. In crypto, it's a verifiable smart contract audit from firms like OpenZeppelin or Trail of Bits, plus real-time, on-chain transparency. The legal process has no framework for this superior form of continuous disclosure.
100%
On-Chain
Real-Time
Verification
06
Innovation Velocity as a Liability
The rapid forking, composability, and layer 2 evolution (e.g., Optimism, Arbitrum) seen in ecosystems is interpreted as evasion, not innovation. The regulatory clock moves at 18-month cycles, while software iterates in 6-week sprints, creating inherent conflict.
6 Weeks
Dev Cycle
18 Months
Reg Cycle
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall