Sep 16, 2020 16:27 UTC
Sep 16, 2020 at 16:27 UTC
The reason technology guarantees are a must for crafting EU crypto regulation
After Malta set out to deliver a regulatory framework for the cryptocurrency sector, policymakers & advisers recognized how blockchain, dispersed ledger technology & smart contracts, as well as correlated technologies, imposed new challenges to providing consumer protection & to fitting in existing legal structures.
Immutability of data & subsequently code, or rather smart contracts is a desirable feature to provide pledges to users that data (& smart contracts) cannot be interfered with. Nevertheless, this also poses a critical challenge: Every so often, it is intolerable, or infeasible, to change code after it has been written to such a distributed ledger. This possibly means that code can be deployed that ends up handling millions to billions of dollars worth of funds, & if a bug is found, it may be impossible to appraise the code to get rid of it.
Cryptocurrencies, tokens, initial coin offerings, security token offerings, etc., are built on this type of technology. To deliver consumer protection, regulators round the world have focused on executing a regulatory regime that ensures due diligence is undertaken concerning the individuals behind such operations & regarding the financial & legal aspects of the operations, which is excellent.
Hitherto, minimal effort has gone into ensuring that there are adequate levels of due diligence regarding the technology. In old-style financial systems, this is not much of a problem, as when something goes wrong, authorities & other centralized stakeholders can reverse actions & data as required. Nevertheless, when it comes to dispersed systems, this is not an option. Neither the crypto operator, users, regulators, enforcement entities nor even the courts can do anything to relapse the decentralized transactions. If a bug reasons losses of billions in crypto, the tokens are lost forever.
Some argue that users should bear such responsibility & risks. Being a computer scientist & programmer myself, I would be in a better position to accept this over many others. Nevertheless, should we expect users out there to bear the dangers of potential bugs within code?
If the sector desires to achieve mass adoption & not just entice the technology-inclined to use such technology, should we expect such non-tech-savvy users to understand code & the intricate types of bugs that often exist within?
Regulators see the profits in checking financial & business models neighbouring operations to safeguard consumer protection, as many investors out there may not be experts when it emanates to such models. Yet at a similar time, should we expect investors to understand code? & this is often coded that, when deployed, is not readable by humans but is in an encoding that only computers can understand.
Countless would argue that the financial & business models can be more easilyrealized by investors out there than the code well, at least for most users out there. Whereas it would be great if everyone could understand code, it is not the case.
Generally, even as a coder myself, I would prefer to invest in operations that have experienced technical due diligence over ones that have experienced operational due diligence. It would take much less time to recognize underpinning business & financial models than it would be to undertake a functional correctness assessment on my own. Possibly that is because I am aware of the complexities of technology.
Nevertheless, my gut feeling is that most users out there would also prefer that declarations have been undertaken with the code rather than on the business & financial side. That being said, both should be undertaken.
Fatalities in the industry
Examples of bugs within the sector that have resulted in massive losses are plenty. A (non-exhaustive) list of such reported instances is enormous. In 2018, exchange Coincheck was hacked; small South Korean exchange Coinrail & crypto exchange Bithumb was hacked; decentralized crypto platform Bancor was hacked, & 27 hacks of decentralized applications on the EOS blockchain occurred during five months. The subsequent year, in 2019, an Ethereum-based synthetic issuance platform & an EOS game of chance, EOSPlay, were impacted. This year has been no exception, as well: Decentralized lending protocol bZx saw two hacks in February; decentralized finance protocol Balancer & the Statera (STA) team were affected in June; an issuance susceptibility in Ravencoin’s (RVN) supply was found in July; & a bug was found in SushiSwap in September, amongst many others.
Utmost essential hacks of 2019 – New record of 12 in one year
One can realize that such circumstances are not theoretical. Present-day, one school of thought is that regulatory frameworks & licensed activities can help bring about mass adoption, particularly for those who do not understand the technology.
Nevertheless, if such frameworks do not provide assurances concerning the technology being used, & bugs that result in considerable losses do happen, will it only be a matter of time until a licensed activity suffers this fate? This would undoubtedly be damaging to the licensed activity, the jurisdiction & the sector, & it would induce doubt among investors & stakeholders, ultimately creating more hurdles in the way of mass adoption.
We have established a regulatory framework as part of the Malta Digital Innovation Authority’s remit. Additional details are presented in the paper “Regulating Blockchain, DLT & Smart Contracts: a technology regulator’s perspective.”
I feel that most crypto regulators have overlooked such technology assurances. Consequently, I have written an open letter highlighting these issues & inviting regulators to converse them in the aim of generating a regulatory framework that has the acceptable levels of technology assurances & delivers the essential levels of consumer protection that the industry desires to bring about mass adoption.