Thursday, October 6, 2022

Piercing The Veil

In Deconstructing ‘Decentralization’: Exploring the Core Claim of Crypto Systems Prof. Angela Walch gets to the heart of what the claim that a system is "decentralized" actually means:
the common meaning of ‘decentralized’ as applied to blockchain systems functions as a veil that covers over and prevents many from seeing the actions of key actors within the system. Hence, Hinman’s (and others’) inability to see the small groups of people who wield concentrated power in operating the blockchain protocol. In essence, if it’s decentralized, well, no particular people are doing things of consequence.

Going further, if one believes that no particular people are doing things of consequence, and power is diffuse, then there is effectively no human agency within the system to hold accountable for anything.
In other words, it is a means for the system's insiders to evade responsibility for their actions.

If the system were truly decentralized, with a large number of insiders none of whom had significantly more power over it than any other, this veil might be effective. But this is never the case in the real world. As I described in Are Bloockchains Decentralized?, based on Prof. Walch's work, the report from Trail of Bits and Kwon et al's Impossibility of Full Decentralization in Permissionless Blockchains, there are always loci of control behind the veil for regulators to address.

Below the fold I discuss recent moves by US regulators that indicate they agree.

Sufficiently Decentralized
Lets start at the bottom of the stack, with the Ethereum blockchain. Sander Lutz writes in SEC Claims All of Ethereum Falls Under US Jurisdiction:
In its complaint, the regulator noted that the ETH sent to Balina was “validated by a network of nodes on the Ethereum blockchain, which are clustered more densely in the United States than in any other country.” The SEC then concludes: “As a result, those transactions took place in the United States.”

The SEC appears to be suggesting that, because more of Ethereum’s validating nodes currently operate in the United States than in any other country, all Ethereum transactions globally should be considered of American origin. Currently, 45.85% of all Ethereum nodes operate from the United States, according to Etherscan. The second-greatest density of nodes is in Germany, with only 19%, by comparison.
Under Gensler, the SEC has yet to take an official stance on Ethereum, despite leadership within the Commission under the previous administration suggesting that Ethereum was “sufficiently decentralized” and therefore not a security. But if the SEC were to ever claim that Ethereum was an unregistered security, Fyre doubts the courts would stand in its way.

“I can see judges absolutely accepting that, sure: Ethereum is substantially located in the United States, insofar as it's run on a bunch of computers, and a bunch of those computers are in the United States,” said Fyre. “That's events occurring in the United States. No problem.”
Stakes 09/30/22
Clearly, miners operating in the US are subject to US law, and they appear to be close to a majority of the mining power. The argument that they must be under some jurisdiction and the best candidate is the US would be appealing to US judges. Ethereum's switch to Proof of Stake makes this a much more powerful argument, as David Gerard pointed out:
Staking is already as centralised as mining. The Lido staking pool plus the Coinbase exchange plus the Kraken exchange add up to over 54% of total stake.
Coinbase and Kraken (and a number of other exchanges and pools) are US entities. It isn't just their location that provides leverage for the regulators, it is potentially also the legal status of Proof of Stake. Molly White reported that Hours after Ethereum transition to proof-of-stake, SEC Chair says PoS crypto could be classed as securities:
In the early hours of September 15, Ethereum completed "The Merge – the long-awaited transition from its original proof-of-work consensus mechanism to proof-of-stake. Later that day, SEC Chairman Gary Gensler pointed to the staking mechanism as a signal that an asset might be a security as determined by the Howey test.

There has been much discussion over whether cryptocurrencies in general or individually should be considered securities, commodities, or possibly even something else. Broadly, people within the crypto community don't want to see the assets fall under SEC jurisdiction, as the SEC is seen as much less friendly to the industry than the CFTC.
Lydia Beyoud's SEC Chair Gensler Raises Concerns Over ‘Staking’ Model on Ethereum added detail:
On Thursday, Gensler took issue with a feature of Ethereum’s new upgraded blockchain, which has been dubbed the “Merge.” He said that a process known as “proof-of-stake,” in which coin holders can earn financial rewards by allowing a network to use some of their assets, could fall under securities rules. Ether had used the “proof-of-work” method that Bitcoin uses to run its blockchain.

Crypto firms are seeking to avoid the security label because it carries investor-protection requirements that many say are incompatible with with the asset class. “There is a full disclosure obligation on these projects,” Gensler told reporters.
It seems obvious that staking, especially via an exchange or staking pool, satisfies the Howey test by generating income. It is less obvious that ETH itself is a security, as it doesn't generate income but rather, in its inevitable progress moonwards, capital gains. But many stocks clearly satisfy the Howey test despite not offering dividends.

Layered on top of the Ethereum and other blockchains are Decentralized Autonomous Organizations (DAOs) /vb such as DeFi protocols. Most try to maintain the illusion of decentralization by ceding control to the holders of "governance tokens", who must vote on the operations of the DAO. Consider a DAO 100% of whose governance tokens were held by a single entity, as would be the case at launch. Clearly, that entity would be responsible for the DAO. Similarly, an entity holding 51% of the governance tokens would be responsible. Again, consider a DAO 51% of whose governance tokens were held by three entities, who would be jointly responsible for the DAO.

There is a reasonable argument that the holders of a DAO's governance tokens are jointly and severally responsible for it. If there were a large number of holders none with significantly more than any others it would be difficult to enforce regulation upon them. But the extreme Gini Coefficients of cryptocurrencies and the need for most users to operate via exchanges, which hold tokens on their behalf, mean that in practice only a small number of holders effectively control the DAO. Enforcing against these few whales is feasible, and would drag the smaller holders in.

The industry friendly CFTC appears to agree. They recently took action against a centralized platform:
The Commodity Futures Trading Commission today issued an order simultaneously filing and settling charges against respondent bZeroX, LLC (bZeroX) and its founders Tom Bean (Bean) and Kyle Kistner (Kistner) (collectively, respondents) for illegally offering leveraged and margined retail commodity transactions in digital assets; engaging in activities only registered futures commission merchants (FCM) can perform; and failing to adopt a customer identification program as part of a Bank Secrecy Act compliance program, as required of FCMs.

The respondents engaged in these activities in connection with a decentralized blockchain-based software protocol that functioned similarly to a trading platform. The order requires the respondents to pay a $250,000 civil monetary penalty and to cease and desist from further violations of the Commodity Exchange Act (CEA) and CFTC regulations, as charged.
bZeroX wasn't really decentralized, being an LLC. But they tried to evade regulation by adding decentralization, to no avail:
Simultaneously, the CFTC filed a federal civil enforcement action in the U.S. District Court for the Northern District of California charging the Ooki DAO—a decentralized autonomous organization and successor to bZeroX that operated the same software protocol as bZeroX—with violating the same laws as the respondents. The CFTC seeks restitution, disgorgement, civil monetary penalties, trading and registration bans, and injunctions against further violations of the CEA and CFTC regulations, as charged.
As the order finds and as alleged in the complaint, on approximately August 23, 2021, bZeroX transferred control of the bZx Protocol to the bZx DAO, which subsequently renamed itself and is currently doing business as the Ooki DAO. The Ooki DAO operates the Ooki Protocol (formerly the bZx Protocol) in the exact same manner as bZeroX and thus is continuing to violate the law in the same manner as bZeroX. By transferring control to a DAO, bZeroX’s founders touted to bZeroX community members the operations would be enforcement-proof—allowing the Ooki DAO to violate the CEA and CFTC regulations with impunity, as alleged in the federal court action. The order finds the DAO was an unincorporated association of which Bean and Kistner were actively participating members and liable for the Ooki DAO’s violations of the CEA and CFTC regulations.
I don't know what proportion of the Ooki governance tokens were held by Bean and Kistner, but any other holders were probably also "actively participating members" of the "unincorporated association", at least if they ever cast a vote.

Note also that, as I discussed in Responsible Disclosure Policies, there is almost certainly some mechanism for controlling (or at least stopping) the Ooki DAO that operates faster than a governance vote. If there isn't, the first vulnerability discovered in its code base will result in its HOLD-ings being stolen. Those in control of such a mechanism would be prime candidates for being "actively participating members".

Matt Levine reports on another SEC enforcement action, this time against The Hydrogen Technology Corporation:
The SEC’s complaint alleges that starting in January 2018, [former CEO Michael Ross] Kane and Hydrogen, a New York-based financial technology company, created its Hydro token and then publicly distributed the token through various methods: an “airdrop,” which is essentially giving away Hydro to the public; bounty programs, which paid the token to individuals in exchange for promoting it; employee compensation; and direct sales on crypto asset trading platforms. The complaint further alleges that, after distributing the token in those ways, Kane and Hydrogen hired Moonwalkers, a South Africa-based firm, in October 2018, to create the false appearance of robust market activity for Hydro through the use of its customized trading software or “bot” and then selling Hydro into that artificially inflated market for profit on Hydrogen’s behalf. Hydrogen allegedly reaped profits of more than $2 million as a result of the defendants’ conduct.
John Reed Stark, a former Chief of the SEC's Office of Internet Enforcement now lecturing at Duke University Law School, lays out An SEC Enforcement Program For Policing WEB3 now the:
newly renamed Crypto Assets and Cyber Unit (formerly known as the Cyber Unit) in the SEC Division of Enforcement will grow to 50 dedicated positions.
He proposes a:
multi-faceted SEC Web3 enforcement program focusing on 1) aggressive enforcement, with sweeps, SWAT teams, and the use of expedited and omnibus formal orders; 2) heightened Web3 surveillance; 3) coordinated regulatory cooperation and law enforcement liaison efforts; 4) nationwide educational initiatives; and 5) incentivized self-policing.
His discussion of self-policing is especially interesting:
self-policing in the context of Web3 securities fraud has proven a valuable source of help in discovering Web3-related frauds. A remarkable online culture of self-policing exists among individual users who resent the intrusion of crooks and thieves. The SEC must tap into this culture, encouraging users to report dubious Web3-related conduct, offerings, or other suspicious behavior.
Not only do users typically include the relevant names, addresses, phone numbers, and other pertinent information concerning the persons and entities involved, but complainants have also often undertaken some cyber sleuthing of their own (using all the latest available Internet tools), adding digital reams of useful and even inculpatory evidence).

For example, while Reddit, Telegram, and Twitter initially helped drive the meme-stock craze, now users on the sites channel that same energy into helping victims. Users routinely report diligently on several crypto bankruptcy cases, including Celsius and Voyager, “tapping into the huge social media communities that already exist for both platforms, urging users to write letters to the judge overseeing Celsius’s case, pooling funds for legal representation as well as sharing news and advice.”
The most important development of all relating to self-policing is the SEC’s whistleblower rewards program, which has become an extraordinary success and a notable supplement to the SEC’s investigative wherewithal. The SEC’s whistleblower provisions have even spawned the creation of a cottage industry of former SEC lawyers who now work on a contingency fee basis, helping whistleblowers navigate the complaint submission process.
The focus of the Financial Stability Oversight Council's recent Digital Asset Financial Stability Risks and Regulation is on regulating the markets and the players in them, not on regulating the underlying technology. Their Fact Sheet about the report explains that they identified three regulatory gaps:
  • First, the spot markets for crypto-assets that are not securities are subject to limited direct federal regulation. As a result, those markets may not feature robust rules and regulations designed to ensure orderly and transparent trading, prevent conflicts of interest and market manipulation, and protect investors and the economy more broadly.
  • Second, crypto-asset businesses do not have a consistent or comprehensive regulatory framework and can engage in regulatory arbitrage. Some crypto-asset businesses may have affiliates or subsidiaries operating under different regulatory frameworks, and no single regulator may have visibility into the risks across the entire business.
  • Third, a number of crypto-asset trading platforms have proposed offering retail customers direct access to markets by vertically integrating the services provided by intermediaries such as broker-dealers or futures commission merchants. Financial stability and investor protection implications may arise from retail investors’ exposure to certain practices commonly proposed by vertically integrated trading platforms, such as automated liquidation.
Note that they understand that, in practice, access to the underlying technology is mediated by platforms and businesses that are necessarily centralized and subject to regulation, once some legislative loopholes are closed. They recommend:
  • the passage of legislation providing for rulemaking authority for federal financial regulators over the spot market for crypto-assets that are not securities;
  • steps to address regulatory arbitrage including coordination, legislation regarding risks posed by stablecoins, legislation relating to regulators’ authorities to have visibility into, and otherwise supervise, the activities of all of the affiliates and subsidiaries of cryptoasset entities, and appropriate service provider regulation; and
  • study of potential vertical integration by crypto-asset firms."
Alas, as Allyson Versprille reports in Crypto Overhaul Fizzles in Congress, Leaving Industry and Investors in Limbo Congress is as usual incapable of effective action:
US lawmakers’ efforts to pass significant crypto legislation by the end of the year are on life support, leaving in place Washington’s scattershot approach to digital coins.

Several high-profile, bipartisan bills that once seemed to have a promising shot of passing before the end of 2022 are held up, with congressional committees pushing off important votes. And now with lawmakers squarely focused on next month’s elections, their chances of becoming law in 2022 have all but evaporated.


David. said...

Emily Nicolle reports that Crypto Risks Require Same Scrutiny as Wall Street, FSB Says (FSB is the international Financial Stability Board):

"The FSB, which is set to present its recommendations to G20 finance ministers and central bank governors this week, said watchdogs should apply the overarching approach of “same activity, same risk, same regulation,” regardless of whether a cryptoasset is characterized as a payment, security or other instrument."

The FSB issued a letter to G20 finance ministers and a 77-page report entitled Regulation, Supervision and Oversight of Crypto-Asset Activities and Markets with eight main recommendations.

David. said...

The authorities' focus on the institutions rather than the technology is working. One of the most-touted advantages of decentralization is "censorship resistance" but, because in practice blockchains are not actually decentralized, it is illusory. Molly White reports that Over 51% of blocks validated on the Ethereum chain are censored:

"On October 14, Ethereum reached a milestone that alarms many who have pushed for blockchains as "censorship-proof" technology. More than 51% of blocks produced in the preceding 24 hours were processed by relays that filtered out transactions involving Tornado Cash, a crypto mixing service that was added to the U.S. sanctions list in August.

This 51% threshold doesn't pose an immediate threat to Tornado Cash users, because even validators that censor transactions will still attest to the validity of blocks created by non-censoring validators. However, if 51% or more of validators were to also stop attesting to non-censored blocks, they would no longer be able to be added to the chain."

The reason why this works is a combination of economies of scale and the extraordinary Gini coefficients of cryptocurrencies.

David. said...

Bruce Schneier and Henry Farrell have a post entitled Regulating DAOs that discusses the supposed conflict between the First Amendment and regulation of DAOs using an analogy with the golem:

"The analogy between DAOs and golems is quite precise, and has important consequences for the relationship between free speech and code. Ultimately, just as the golem needed the intervention of a rabbi to stop wreaking havoc on the world, so too do DAOs need to be subject to regulation."

They conclude:

"Tying free speech arguments to the cause of DAOs like Tornado Cash imperils some of the important free speech victories that were won in the past. But the risks for everyone might be even greater if that argument wins. A world where democratic governments are unable to enforce their laws is not a world where civic spaces or civil liberties will thrive."

Well, yes, but OFAC didn't sanction the code, it sanctioned the addresses Tornado Cash uses. This taints any transaction tracing back to those addresses. Back in May Nicholas Weaver's OFAC, the DPRK and the Tornado of Cash explained how, if challenged, someone could show that their use of Tornado Cash did not involve crime. And note that, as Schneier and Farrell point out:

"The protocol was deliberately instructed never to accept an update command."

Of course, others can modify the code and start a clone of Tornado Cash at different addresses, which can be sanctioned in turn. But proliferating instances in this way has a problem. As Weaver points out:

"But an important feature of Tornado Cash’s anonymity model is anonymity only works in a crowd. In technical terms this is called the “Anonymity set,” the number of possible options that an “anonymous” entity could actually be. If the DPRK’s stolen assets were the only Ethereum in the pool then Tornado Cash would offer no anonymity. So every other participant in Tornado Cash, by adding to the anonymity set, is acting to hide not only themselves but for all other participants’ money, including the DPRK’s stolen assets."

The more instances, the less anonymity.

David. said...

Well, Duh! Justina Lee points out the obvious in Binance’s Thumping of FTX Shows How Centralized Crypto Can Be:

"So far this quarter, Binance has commanded 43% of crypto volumes while FTX had 4% and Coinbase 5%. Now CZ is standing and Bankman-Fried isn’t, and Binance is only cementing its lead as the industry's most influential company. You could say that Binance is the JPMorgan Chase & Co. or New York Stock Exchange of crypto, but that doesn’t really capture its importance within the blockchain economy. Binance is an exchange, brokerage, venture capitalist and digital-wallet operator, all in one. It also created two of the six most valuable tokens, and operates the second-most-active blockchain in the world of decentralized finance."

David. said...

John Reed Stark is back with BIG CRYPTO’S BOGUS DEMANDS FOR “REGULATORY CLARITY”. It is must-read dissection of the crypto-bros' excuse for the rampant fraud that took down FTX and is rippling out across the cryptosphere, namely the lack of "regulatory clarity". He starts by pointing out:

"First off, securities regulation is not meant to be precise but is instead intentionally drafted to be broad and all-encompassing; clarity is not just uncommon, it is deliberately avoided.

Second, though securities regulation is primarily a principles-based legal framework, there already exists extraordinary regulatory transparency and lucidity regarding crypto.

Finally, although the crypto industry constantly grouses for regulatory clarity, whenever any specific regulatory crypto-related rules are promulgated or proposed, the crypto industry cries foul and almost instantly files a flashy legal challenge to its enactment."

It is full of detailed analysis, but also gems like this:

"When SEC Commissioner Hester Peirce recently complained to CNBC of the need for “regulatory clarity” in the crypto space, one Twitter user quipped, “[Hey Hester], Is someone suggesting that the ‘don’t steal your customer’s money’ rule isn’t clear?” This is a salient point indeed."

Stark discusses in detail the top five of the SEC's 100% record of enforcement actions, Telegram, Kik, BlockFi, LBRY and the SEC’s Wells notice of Coinbase. He also covers some of th bogus lawsuits the crypto-bros have filed against regulators, and the application of the KYC/AML laws to cryptocurrencies.

David. said...

In Let’s Stop Treating Crypto as If It Were Finance, Todd H Baker argues that the idea of applying financial regulation to cryptocurrencies is flawed:

"The core assumption behind this view is that crypto coins are financial assets – like shares of stock, bonds, or commodity contracts – though particularly complicated ones housed on blockchain ledgers. That assumption, however, risks luring policymakers into a potentially catastrophic category error. Crypto trading isn’t economically similar to any part of the traditional financial services system and serves none of the productive purposes that define finance. In fact, despite the “dress-up” clothes it wears, crypto trading isn’t finance or financial services at all. It is a game emulating finance – or, perhaps more accurately, gambling emulating finance. It is important not to let those advocating for crypto trading to be treated as financial services cloud our view of this critical categorical distinction. To avoid financial contagion and unnecessary risks to the traditional financial system, the best course of action is twofold. First, crypto trading should be separated as completely as possible from traditional financial services. Second, an effective non-financial regulatory regime should be established under new and existing state and federal laws to protect consumers from the much smaller but still meaningful risks that crypto trading will pose once that separation occurs."

Instead it should be treated as:

"a multi-player e-sports gambling competition based on an emulation of a financial trading market, deploying all the weapons of modern financial engineering – derivatives, options, high-speed execution etc. and all the tricks traders use in pursuit of gain. Because games and gambling reward risk-taking to make play more exciting and the potential prizes more enticing, it’s not surprising that the “finance” that the crypto game emulates is the type that society wants less of – the highly-levered and opaque type that creates financial crises. Crypto trading also shares a “closed loop” structure with gambling. Gamblers bring money – fiat currency – into a casino or online gambling game, wager on outcomes, and convert the winnings or losings back into money. The crypto trading system operates in essentially the same way."

David. said...

In Let crypto burn Stephen Cecchetti and Kim Schoenholtz argue thus:

"In the aftermath of the collapse of FTX, authorities should resist the urge to create a parallel legal and regulatory framework for the crypto industry. It is far better to do nothing, and just let crypto burn.

Actively intervening would convey undeserved legitimacy upon a system that does little to support real economic activity. It also would provide an official seal of approval to a system that currently poses no threat to financial stability and would lead to calls for public bailouts when crypto inevitably erupts again."