European Regulators Publish Joint Report on Recent Developments in Crypto-assets and DeFi

The rapid growth of DeFi and crypto lending has attracted significant attention from regulators worldwide. As financial services become increasingly decentralised, regulators must balance innovation with investor protection and market stability.

Article 142 of the Markets in Crypto-Assets Regulation (MiCAR) requires the European Commission (EC) to provide a report on recent crypto-asset developments, focusing on decentralised finance (DeFi) and the regulation of crypto-asset lending and borrowing.

The EC sought a joint report from the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) to assist with its assessments. These authorities published their report on 13 January 2025, containing their findings on the above issues. While the report doesn’t propose new regulations, it highlights key risks, trends, and considerations that could shape future policy decisions.

This article addresses the current state of DeFi markets and crypto-asset lending and borrowing and summarises the key findings from the regulators’ joint report.

The current state of decentralised finance (DeFi) markets

Overview

The report explains that DeFi is “a system of financial applications built on blockchain networks”. Such systems experienced rapid growth in 2021 but are still relatively niche and account for around 4% of the global crypto market value. DeFi adoption in the EU remains behind leading markets like the United States and South Korea. While the estimated number of DeFi users in the EU is 7.2 million, the report highlights that only around 15% engage regularly with DeFi applications.

DeFi operates on blockchain networks, providing financial services such as lending, borrowing, and trading without intermediaries. The market relies on smart contracts, which execute transactions automatically based on predefined rules. While DeFi offers benefits such as lower transaction costs and improved financial inclusion, it also carries significant risks.

Risks and challenges

The report explores various risks associated with DeFi, including:

• The software’s open-source nature: Many DeFi protocols rely on open-source code, which is beneficial as it fosters transparency, innovation, and collaboration. However, the absence of standardised security auditing practices means vulnerabilities can persist in the code, exposing users to hacking and exploitation.

• Blockchain network dependence: DeFi protocols depend on blockchain infrastructure for their operation, so any technical failures or disruptions can significantly impact the relevant services and result in quicker losses than in centralised systems.

• Smart-contract risks: The report states that, of all the risks associated with DeFi, attackers most frequently take advantage of smart contract vulnerabilities. The transactions’ automated and unchangeable nature means coding errors or logic flaws can lead to significant financial losses.

• Oracles: Oracles connect DeFi blockchains with external sources, allowing smart contracts to complete transactions based on real-world data. However, attackers can target Oracles’s vulnerabilities, including falsely inflating prices and destabilising the DeFi market.

• Cross-chain bridges: Cross-chain bridges allow users to transfer assets between blockchain networks. These transfers rely on complex smart contracts and carry significant security risks, with hackers targeting contract vulnerabilities to steal funds. A ‘Chainanalysis’ report in 2022 found around $2 billion in cryptocurrency had been stolen that year, accounting for around 69% of all DeFi hacks.

Regulatory considerations

The report underscores the difficulty in regulating fully decentralised financial systems. MiCAR only applies to entities providing crypto-related services, leaving gaps in oversight where no identifiable intermediary exists. While some industry initiatives aim to integrate know-your-customer (KYC) practices into DeFi, their effectiveness remains uncertain.

Regulators are also concerned about the impact anonymity or pseudonymity has on the lack of accountability in DeFi markets. Unlike traditional finance, where centralised institutions are responsible for compliance, DeFi relies on self-executing code, making enforcement and oversight more challenging.

Risk mitigation

The report highlights several measures to help reduce DeFi risks, including:

• Standardising and auditing software, including smart contracts.
• Certifying DeFi protocols using a product-based regulatory approach.
• Improving Oracle security, for example, by using systems to cross-verify sources.
• Enhancing cross-chain bridge security by conducting security audits and implementing monitoring systems.
• Enforce mechanisms to manage incident response and recovery and mitigate damage.
• Encourage education initiatives so users better understand the risks associated with DeFi.

Lending, borrowing, and staking of crypto assets

Business models and market trends

Crypto lending, borrowing, and staking services have significantly expanded recently. Both crypto-asset providers (CAPs) and decentralised protocols offer these services. Users can lend their crypto to a pool and earn interest on borrowed funds, while those borrowing must offer collateral as loan security. Staking involves locking cryptocurrency in blockchain networks to support system operations in exchange for rewards.

Many providers offer lending, borrowing and staking in multiple jurisdictions, yet the report highlights that most EU credit institutions have virtually no involvement in such services.

Risks and challenges

Each of these services poses unique risks:

• Consumer protection: Many providers lack transparency regarding fees, interest rates, collateral, and user’s rights. As a result, users may not understand the terms they agree to and will likely find it difficult to recover their assets following platform failures.

• Legal risks: One consequence of cross-border lending, staking, and borrowing is the lack of a unified legal framework. This ambiguity creates uncertainty for users, particularly regarding dispute resolution mechanisms.

• Market risks: Due to fluctuating asset prices, crypto markets are notoriously unstable. Sudden market changes can significantly impact collateral requirements and liquidation risks.

• Operational and ICT risks: Crypto transactions rely on complex technology and infrastructure, increasing the risks of cyberattacks and system failures, which can lead to substantial financial losses.

• Money laundering and terrorist financing (ML/TF): Cryptocurrency’s anonymous and cross-jurisdictional nature increases its exposure to fraudulent financial activities. Many platforms lack sufficient Anti-Money Laundering (AML) and Countering of Financing Terrorism (CFT) controls, making them ideal targets for criminals.

Key Findings

The report presents key takeaways regarding DeFi, lending, borrowing and staking in crypto.

DeFi

The EBA and ESMA highlight that DeFi remains a growing but niche market, with a total value locked (TVL) of EUR 77 billion as of September 2024. While adoption in the EU is on the rise, it still lags behind other global crypto markets.

Cyber risks are growing in line with the DeFi market expansion. The report mentions a recent shift from smart contracts to off-chain vulnerability exploitation, with most price manipulation incidents relating to Oracle attacks.

Money laundering and terrorist financing represent a significant threat, with the lack of AML/CFT controls making DeFi a strong target for illicit financial activities. Transfers conducted via centralised platforms possessing such controls are less exposed, although some risk still exists.

The report also states that the suggested mitigation measures will likely have varying degrees of success. DeFi monitoring based on public data has substantial limitations, whereas standardisation of smart contracts and effective incident reporting procedures are much more effective.

Lending, borrowing and staking

The report found that interest rates on crypto lending usually range from 8 to 15%, but higher rates exist. On the other hand, crypto borrowing interest rates tend to be between 4 and 16%. For DeFi lending and borrowing services, rates are between 0.20 and 2%, although such protocols also generate additional revenue streams like withdrawal and liquidation fees. Regarding staking, rewards can stretch from 3% to 45%, depending on the blockchain network.

The report raises concerns concerning the transparency of these services, with users receiving limited information on fees, interest, and yields. When considering lending and borrowing in DeFi markets, regulators consider multiple risks arising from market concentration.

Finally, evidence suggests that ML/TF issues are largely unmanaged due to a lack of a comprehensive and unified legal framework.

Conclusion

The joint report from the EBA and ESMA offers a detailed analysis of the evolving DeFi and crypto-asset lending markets, emphasising their rapid growth, associated risks, and regulatory challenges. While DeFi remains a niche market in the EU, its expansion brings increased concerns over cybersecurity threats, smart contract vulnerabilities, and the absence of clear oversight mechanisms. The report highlights the difficulties in regulating fully decentralised systems, mainly due to the lack of identifiable intermediaries and the challenges posed by anonymity.

Similarly, crypto lending, borrowing, and staking present significant risks related to consumer protection, legal uncertainties, and financial stability. The lack of transparency regarding fees, interest rates, and collateral requirements exposes users to potential losses, while market volatility and operational risks contribute to user uncertainty. The absence of a unified regulatory framework, particularly regarding AML/CFT controls, increases the risk of illicit financial activities, making these markets an attractive target for malicious actors.

Although MiCAR provides a foundation for regulatory oversight, the report highlights key gaps where no centralised entity exists to enforce compliance. Proposed risk mitigation strategies, such as smart contract standardisation, improved Oracle security, and enhanced transparency measures, may help reduce vulnerabilities. However, their overall effectiveness remains uncertain.

Given the complexities of regulating decentralised financial systems, ongoing monitoring, industry collaboration, and policy adjustments will be crucial in balancing innovation with investor protection, economic stability, and market integrity.