An open letter to EU cryptocurrency-related regulators, policy advisors and makers: Technology assurances are a must
Words by Dr. Joshua Ellul, Chairman of the MDIA and Director of DLT at the University of Malta. Catch up with him later this year in the Autumn edition of Block Magazine
I am writing this open letter to raise what I perceive to be a vital concern regarding cryptocurrency-related regulation. Across Europe, we have seen regulators take similar approaches to those used in traditional financial services, which lack adequate levels of technology-based assurances due to inherent high risks associated with specifically decentralised technology used in Blockchain, Smart Contracts and Cryptocurrencies.
Cryptocurrencies, other similar forms of tokens and related activities have inherent technological risks which could be detrimental to European regulatory frameworks and the EU’s reputation in this sector. In June 2020, a European country had taken a blow to its reputation (and perhaps indirectly Europe) with respect to regulatory oversight of financial and operational due diligence of the sector. Let us not let it take another potentially more serious blow from lack of technological due diligence and technology assurances.
Cryptocurrencies, tokens, virtual financial assets, utility tokens, ICOs, STOs, IEOs, or any other financial operation and technology built on or making use of blockchain and smart contracts are inherently high risk. Regulators are already familiar with the risks inherent in the operational and financial aspects, but this risk is intensified because of its dependence on blockchain or similar distributed ledger technologies (DLT).
Unlike traditional technology and systems, where a mistake in a transaction or bug in the data or code can be fixed.
On a DLT, such errors frequently cannot be fixed, and the data cannot be reverted or manipulated to compensate for losses resulting from the unexpected behaviour. Neither the operator, nor the software developer, the responsible Authority, nor the justice system may be able to enforce such a recovery. To put this in context, consider the hypothetical scenario in which, due to a software bug, all clients’ accounts are reset to have no funds, effectively emptying millions of euros worth of cryptocurrency held by various clients.
Now consider this bug occurs in an EU licensed activity — it results in millions or billions worth of euros in losses and again it was licensed by an EU-based regulator, and it is found that adequate technological due diligence to minimise such bugs was not undertaken by the developer and/or operator, nor required by the Regulator. Not only will this be a blow to EU crypto-based licensed activity, but aggrieved parties may decide to initiate class-action lawsuits against the Regulator for not having had in place sufficient technology assurances that could have minimised such occurrences. It is worth adding that the hypothetical nature of this scenario is the latter part — the occurance of this happening to an EU licensed activity. However, when it comes to bugs and losses one can cite various instances of DLT technology failures which have led to the equivalent of hundreds of millions of euros.
The risks associated with the underlying technology is as high.
Much higher some would say — than the operational and financial ones. And yet, one can approach addressing such risks in a manner which mirrors the way in which operational risks are addressed — setting up a process of independent third-party system audits and a sufficient regulatory framework for ensuring technology-based assurances. This needs to be mandatory within the cryptocurrency space.
As part of Malta’s regulatory framework, the Malta Digital Innovation Authority addresses such technology-based assurances. We would like to reach out to the EU and other member states to initiate a forum for taking such assurances to an EU-level. If the EU does not implement adequate technology assurances, then it may only be a matter of time until it will have to face another blow to the credibility of its regulated services due to lack of technology-based assurances.
A list of such reported losses due to bugs and technology follow.
| List of a few reported bugs and losses
Sep 2020 https://cointelegraph.com/news/dev-finds-major-governance-bug-in-sushiswap-but-no-threat-to-the-project-yet |
| Aug 2020
https://www.coindesk.com/erc-20-ethereum-tokens-fake-deposit https://www.theblockcrypto.com/post/74810/yam-token-market-cap-collapses-by-more-than-90-flaw https://cointelegraph.com/news/rushed-upgrade-made-12-of-ethereum-clients-unusable (no direct loss of money, downtime though) |
| Jul 2020
https://cointelegraph.com/news/vulnerability-in-ravencoin-creates-extra-15-of-maximum-supply-for-hackers https://www.coindesk.com/mempool-manipulation-enabled-theft-of-8m-in-makerdao-collateral-on-black-thursday-report |
| June 2020
https://cointelegraph.com/news/defi-protocol-balancer-hacked-through-exploit-it-seemingly-knew-about |
| Mar 2020
https://www.coindesk.com/long-festering-defi-dapp-bug-still-not-fixed-by-industry |
| Feb 2020
https://cointelegraph.com/news/decentralized-lending-protocol-bzx-hacked-twice-in-a-matter-of-days https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8 https://cointelegraph.com/news/value-locked-in-crypto-defi-markets-hits-1-billion-milestone |
| Sep 2019
https://cointelegraph.com/news/hacker-spends-1k-to-win-over-110k-in-eos-betting-game-using-rex |
| June 2019
https://cointelegraph.com/news/ethereum-based-synthetic-asset-platform-loses-over-37m-tokens-in-oracle-attack |
| July 2018
https://cointelegraph.com/news/bancor-urges-industry-players-to-collaborate-after-23-5-million-hack https://cointelegraph.com/news/bithumb-details-still-sketchy-after-30-mln-hack https://cointelegraph.com/news/buy-the-fud-mainstream-media-convinced-coinrail-hack-caused-crypto-price-plunge |
| Dec 2018
https://cointelegraph.com/news/eos-dapps-lose-almost-1-million-to-hackers-over-the-last-five-months Sep 2018 https://cryptoslate.com/eos-dapp-smart-contract-exploit-pays-out-200k-to-hacker/ |
| Feb 2018
https://bitcoinist.com/bitgrail-cryptocurrency-exchange-hacked-170-million-nano-allegedly-stolen/ |
| Jan 2018
https://cointelegraph.com/news/coincheck-stolen-534-mln-nem-were-stored-on-low-security-hot-wallet |
| Nov 2017
https://www.theguardian.com/technology/2017/nov/08/cryptocurrency-300m-dollars-stolen-bug-ether |
| July 2017
https://www.coindesk.com/30-million-ether-reported-stolen-parity-wallet-breach |
| Aug 2016
https://www.theguardian.com/technology/2016/aug/03/bitcoin-stolen-bitfinex-exchange-hong-kong |
| June 2016
https://www.bbc.com/news/technology-36585930 |
| Jan 2015
https://thehackernews.com/2015/01/bitstamp-bitcoin-exchange-hacked.html |
| Feb 2014
https://cointelegraph.com/news/mt_gox_blows_fallout_could_be_catastrophic |
| Sep 2012
https://bitcoinmagazine.com/articles/bitfloor-hacked-250000-missing-1346821046 |
| June 2011
https://venturebeat.com/2011/06/19/popular-bitcoin-exchange-mt-gox-hacked-prices-drop-to-pennies/ |
SiGMA Americas:
Following the successful launch of SiGMA Europe (Malta) and SiGMA Asia (Manila), we’re now launching the inaugural SiGMA AMERICAS, covering all three major timezones. The inaugural edition is set for September 22-24, 2020 with a virtual summit focusing on two themes: SiGMA AMERICAS for the Gaming industry and AIBC AMERICAS for the Emerging Tech industry. We wanted to provide fresh content, to help you navigate through these turbulent times. If you’re exploring Americas as a new frontier or wondering which tech solutions to embrace, we’ve got you covered: tune in on September 22-24, 2020.
