An open letter to EU cryptocurrency-related regulators, policy advisors and makers: Technology assurances are a must

Words by Dr. Joshua Ellul, Chairman of the MDIA and Director of DLT at the University of Malta. Catch up with him later this year in the Autumn edition of Block Magazine

I am writing this open letter to raise what I perceive to be a vital concern regarding cryptocurrency-related regulation. Across Europe, we have seen regulators take approaches similar to those used in traditional financial services, which lack levels of technology-based assurances adequate to the inherent high risks associated specifically with the decentralised technology used in Blockchain, Smart Contracts and Cryptocurrencies.

Cryptocurrencies, other similar forms of tokens and related activities have inherent technological risks which could be detrimental to European regulatory frameworks and the EU’s reputation in this sector. In June 2020, a European country took a blow to its reputation (and perhaps, indirectly, so did Europe) with respect to regulatory oversight of financial and operational due diligence of the sector. Let us not let it take another, potentially more serious, blow from a lack of technological due diligence and technology assurances.

Cryptocurrencies, tokens, virtual financial assets, utility tokens, ICOs, STOs, IEOs, or any other financial operation and technology built on or making use of blockchain and smart contracts are inherently high risk. Regulators are already familiar with the risks inherent in the operational and financial aspects, but this risk is intensified because of its dependence on blockchain or similar distributed ledger technologies (DLT).

Unlike traditional technology and systems, where a mistake in a transaction or bug in the data or code can be fixed, on a DLT, such errors frequently cannot be fixed, and the data cannot be reverted or manipulated to compensate for losses resulting from the unexpected behaviour. Neither the operator, nor the software developer, the responsible Authority, nor the justice system may be able to enforce such a recovery. To put this in context, consider the hypothetical scenario in which, due to a software bug, all clients’ accounts are reset to have no funds, effectively emptying millions of euros worth of cryptocurrency held by various clients.

Now consider that this bug occurs in an EU-licensed activity: it results in millions or billions of euros' worth of losses, the activity was licensed by an EU-based regulator, and it is found that adequate technological due diligence to minimise such bugs was neither undertaken by the developer and/or operator nor required by the Regulator. Not only will this be a blow to EU crypto-based licensed activity, but aggrieved parties may decide to initiate class-action lawsuits against the Regulator for not having had in place sufficient technology assurances that could have minimised such occurrences. It is worth adding that the only hypothetical part of this scenario is the latter one: its occurrence in an EU-licensed activity. When it comes to bugs and losses, however, one can cite various instances of DLT technology failures which have led to losses equivalent to hundreds of millions of euros.

The risks associated with the underlying technology are as high as, and some would say much higher than, the operational and financial ones. And yet, one can address such risks in a manner which mirrors the way in which operational risks are addressed: by setting up a process of independent third-party system audits and a sufficient regulatory framework for ensuring technology-based assurances. This needs to be mandatory within the cryptocurrency space.

As part of Malta’s regulatory framework, the Malta Digital Innovation Authority addresses such technology-based assurances. We would like to reach out to the EU and other member states to initiate a forum for taking such assurances to an EU level. If the EU does not implement adequate technology assurances, then it may only be a matter of time until it has to face another blow to the credibility of its regulated services due to a lack of technology-based assurances.

A list of such reported losses due to bugs and technology follows. Further details regarding the regulatory framework are discussed in the following paper: https://link.springer.com/article/10.1007/s12027-020-00617-7

List of a few reported bugs and losses

Sep 2020

https://cointelegraph.com/news/dev-finds-major-governance-bug-in-sushiswap-but-no-threat-to-the-project-yet

Aug 2020

https://www.coindesk.com/erc-20-ethereum-tokens-fake-deposit

https://www.theblockcrypto.com/post/74810/yam-token-market-cap-collapses-by-more-than-90-flaw

https://cointelegraph.com/news/rushed-upgrade-made-12-of-ethereum-clients-unusable (no direct loss of money, downtime though)

Jul 2020

https://cointelegraph.com/news/vulnerability-in-ravencoin-creates-extra-15-of-maximum-supply-for-hackers

https://www.coindesk.com/mempool-manipulation-enabled-theft-of-8m-in-makerdao-collateral-on-black-thursday-report

June 2020

https://cointelegraph.com/news/defi-protocol-balancer-hacked-through-exploit-it-seemingly-knew-about

Mar 2020

https://www.coindesk.com/long-festering-defi-dapp-bug-still-not-fixed-by-industry

Feb 2020

https://cointelegraph.com/news/decentralized-lending-protocol-bzx-hacked-twice-in-a-matter-of-days

https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8

https://cointelegraph.com/news/value-locked-in-crypto-defi-markets-hits-1-billion-milestone

Sep 2019

https://cointelegraph.com/news/hacker-spends-1k-to-win-over-110k-in-eos-betting-game-using-rex

June 2019

https://cointelegraph.com/news/ethereum-based-synthetic-asset-platform-loses-over-37m-tokens-in-oracle-attack

July 2018

https://cointelegraph.com/news/bancor-urges-industry-players-to-collaborate-after-23-5-million-hack

https://cointelegraph.com/news/bithumb-details-still-sketchy-after-30-mln-hack

https://cointelegraph.com/news/buy-the-fud-mainstream-media-convinced-coinrail-hack-caused-crypto-price-plunge

Dec 2018

https://cointelegraph.com/news/eos-dapps-lose-almost-1-million-to-hackers-over-the-last-five-months

Sep 2018

https://cryptoslate.com/eos-dapp-smart-contract-exploit-pays-out-200k-to-hacker/

Feb 2018

https://bitcoinist.com/bitgrail-cryptocurrency-exchange-hacked-170-million-nano-allegedly-stolen/

Jan 2018

https://cointelegraph.com/news/coincheck-stolen-534-mln-nem-were-stored-on-low-security-hot-wallet

Nov 2017

https://www.theguardian.com/technology/2017/nov/08/cryptocurrency-300m-dollars-stolen-bug-ether

July 2017

https://www.coindesk.com/30-million-ether-reported-stolen-parity-wallet-breach

Aug 2016

https://www.theguardian.com/technology/2016/aug/03/bitcoin-stolen-bitfinex-exchange-hong-kong

June 2016

https://www.bbc.com/news/technology-36585930

Jan 2015

https://thehackernews.com/2015/01/bitstamp-bitcoin-exchange-hacked.html

Feb 2014

https://cointelegraph.com/news/mt_gox_blows_fallout_could_be_catastrophic

Sep 2012

https://bitcoinmagazine.com/articles/bitfloor-hacked-250000-missing-1346821046

June 2011

https://venturebeat.com/2011/06/19/popular-bitcoin-exchange-mt-gox-hacked-prices-drop-to-pennies/
