Innovation vs. Regulation & Security Practices

Every week the Mosaic research team will delve into important topics within the cryptoasset space.

Mosaic Blog · 6 min read · Jun 4, 2018


Regulation: Lawmakers in the Highway of Innovation — Jason Yannos

2017 marked the official ignition of the mass speculative frenzy into cryptoassets, attracting approximately $5.6 billion of new capital investment into the industry. Last year hundreds of new projects were funded and born, “legacy” projects like Bitcoin and Ethereum saw increased interest and contribution, and talent from many industries began to enter. A boom similar to that of the dot-com era of 1997–2001 has been ushered in, but in 2018 regulators across the globe still lack consensus on the treatment of this new asset class.

Is this new asset class a currency? Is it a security? Is it a combination of both? Or is it something regulators have yet to deal with? The answer is that there is no one-size-fits-all solution for the asset class as a whole. In some cases coins or tokens are currencies, and in other cases certain coins or tokens are indeed securities. Ultimately each individual cryptoasset will exhibit a different profile and set of attributes, making the regulatory treatment of this new asset class an extremely challenging and multidimensional problem for global regulators.

Despite the lack of clarity from the SEC in the U.S. surrounding regulation of this new asset class, it is evident that the pace of innovation and development is not sitting idle waiting for regulatory clarity. VC funding year to date is estimated at around $1.3 billion and is on track to surpass 2017's total by year end. Moreover, funding from token sales in the first quarter of this year alone was 118% higher than in 2017.

Innovators and entrepreneurs are seeking the most accommodative jurisdictions around the world and are moving at incredible speed. Countries like Switzerland, Singapore, and Malta have been proactive in this ambiguous regulatory environment, which in turn has attracted inflows not only of capital but of talent, and this will likely pay dividends for the economic growth of these countries in the years to come.

In a recent panel discussion at Token Summit moderated by William Mougayar, titled “Token Regulation in the U.S.”, some of the most knowledgeable thought leaders on crypto regulation shared their views on the gap that currently exists between this new asset class and how lawmakers are thinking about regulating it. The general sentiment was that U.S. regulators have yet to reach consensus on how to approach this new asset class and many grey areas exist; that innovators and operators must nonetheless factor in the current regulations of several jurisdictions and operate within several sets of guidelines when making operational decisions; and that change in regulation is a slow and tedious process.

The ramifications of unclear regulation in the U.S. and several other jurisdictions are counterproductive to the development of the space as a whole. As long as development in the space continues at a rapid pace relative to the slow pace of regulatory innovation, the space's maturation will be prolonged and institutional investors will remain reluctant to enter. As a result, the distribution of capital to projects will remain skewed, nefarious behavior will persist, and excessive volatility will remain a hallmark of these markets.

Technology: Towards better cryptocurrency security practices — Lanre Ige

Emin Gün Sirer recently published an article on the current state of security disclosure within the blockchain industry. At a high level, we can identify two problems that Emin highlighted in his article: (1) existing bounty programs do not sufficiently incentivize developers to report bugs; (2) in-house flaw assessment is generally not decoupled from development.

This article will address each of these points.

Bounty programs

EOS’s recent announcement of a $10,000 bug bounty for ‘every unique bug that can cause a crash, privilege escalation, or non-deterministic behavior in smart contracts’ highlights a problem with some bug bounty programs. Firstly, the amount awarded in this case is in no way commensurate with the damage a ‘unique bug’ could cause. This sentiment was shared by others in the community.

In the past, bugs in smart contracts have cost users millions of dollars; setting bounties at low levels gives researchers little incentive to report them rather than exploit or quietly sell them. Secondly, a $10,000 bounty may not be worth a highly skilled developer’s time. Putting 40 hours of work into discovering a bug and developing a working exploit for it would work out to $250/hour, and that only if the bug is actually found and accepted; if a developer believes they can earn as much with less effort, or that working on the bounty will cost more than $10,000 in other work forgone, the bounty loses. A potential researcher must weigh the opportunity cost of pursuing the bounty against the consulting or full-time work she could be doing instead, and it is not clear that such a bounty would prove to be in her best financial interest.

Outside of the blockchain industry, companies like Microsoft and Google have in the past paid out over $100,000 for a single bug bounty. While no blockchain company can match a tech giant’s spending power, given the mission-critical and financial nature of many blockchain projects, a $100,000 bug bounty would not be unreasonable. Projects like Status and Augur have a history of generous and well-designed bug bounties, which offer large rewards and a credible methodology for assessing a reported bug’s severity and likelihood.

Decoupling of bug assessment from development

Emin claims that “many large projects do not even have a Chief Security Officer (CSO)”. Part of a CSO’s job is to assess the severity of flaws independently of the development team; decoupling security assessment from development helps prevent office politics and egos from impairing a team’s ability to identify flaws accurately.

A quick survey of the top 25 cryptocurrencies (by market cap, as of June 4, 2018) reveals that only three had easily and publicly identifiable security leads or Chief Security Officers. In the other 22 cases we can only assume that the majority of the security work is handled by the development team and supplemented by third-party security auditors. Not having a dedicated person and team focused on security creates a perverse incentive: the developers who introduced a bug are also the ones deciding how serious it is, and may be tempted to downplay its severity or even ignore it.

As more token sale projects go live over the next few months there will inevitably be more eyes on the security of their code. It is likely that more vulnerabilities will be exploited in larger projects like EOS, and their exposure, as well as the subsequent damage, may act as the best incentive for projects to improve their security practices. Moreover, the open-source nature of these products ensures that their codebases are always subject to a high degree of scrutiny, which may not be afforded to a closed-source project with a large internal security team.

End of weekly research report

We hope you have enjoyed reading the Mosaic researchers’ weekly report, and stay tuned for the next article.

This article is intended for informational purposes only. The views expressed herein are not and should not be construed as legal or investment advice or recommendations. Recipients of this article should do their own due diligence, considering their specific financial circumstances, investment objectives, and risk tolerance before investing. The individuals contributing to this article have positions in some or all of the assets discussed. This article is neither an offer, nor the solicitation of an offer, to buy or sell any of the assets mentioned herein.
