In its relatively short history, the digital asset space has been plagued with security breaches and thefts. We spoke with an industry security specialist to get a better appreciation as to how this is being addressed.
With nascent technology, there’s a tendency to ‘move fast and break things’ (to borrow Zuckerberg’s terminology). In the cryptocurrency space, exchange hacks such as those involving Mt.Gox, Coincheck and Bitgrail are only the best-known entries in a much longer litany of security failures. Innovation and technological advancement are progress only to the point where they lead to robust, dependable systems.
With that perennial dark cloud cast over the industry, 150sec spoke with Jason Tucker-Feltham, founder of London Crypto Services (LCS) – a specialist smart contract security auditing firm – to figure out if and how that’s going to change.
Tucker-Feltham’s entry into the industry is in and of itself a ringing endorsement of the potential in the space given the background of a career built up in the corporate banking world with Lehman Brothers, UniCredit and Deutsche Bank. He explained that the whole motivation behind the establishment of the business was due to the presence of bad actors in the space, inconsistencies in the approach to digital asset security and a need to address this.
“I saw more and more of a need for a smart contract security service based here in the U.K.”, explained the firm’s founder.
Other digital asset security specialists, such as Hosho, have established themselves in the U.S. At first glance, GBP to crypto trading pairs account for modest volumes. However, this does not account for the fact that a lot of British residents convert their funds into Euro or US Dollars before they start trading. Whilst there are services in the region that offer smart contract security auditing, they tend to offer it as a bolt-on service rather than as a primary specialism.
Why Smart Contract Auditing?
The code that underlies Bitcoin, the most well-known cryptocurrency, is pretty basic. Development of Ethereum came at a later stage. Ethereum was driven by enthusiastic support in the developer community given that it facilitated far greater flexibility in support of the development of smart contracts and decentralised applications. ERC20 emerged as a technical standard for smart contracts on the Ethereum blockchain. As a consequence, most projects launched off the back of this standard.
But as Tucker-Feltham explained, there is some downside risk: “The problem with Ethereum is that because it can be tailored so easily by the end-user, there’s little that can be done to stop deficiencies in the code that’s being programmed onto the Ethereum blockchain.”
This is the aspect which bad actors seek to capitalize on, by identifying and exploiting bad code prior to firms like LCS getting an opportunity to audit. There has also been a languid approach in the industry to security, meaning that hackers have often gotten that opportunity long before security ‘white hats’. Tucker-Feltham maintains that no project is ever going to be 100% bulletproof yet by having more and more people reviewing code, the chances of issues emerging are greatly diminished.
The Double-Spend Conundrum
Exploits take many forms and vary in terms of sophistication. However, as the smart contracts security auditing boss reveals, the avoidance of a ‘double spend’ scenario with cryptocurrencies is a fundamental and central tenet.
Unlike an electronic data submission, where you can copy and paste, a cryptocurrency cannot tolerate a copy of the original token being spent: the monetary value would be lost and the network’s utility would be broken.
To help prevent scenarios like this, LCS is working with a variety of clients. That ranges from early-stage blockchain projects looking for advice as to how to conduct their first audit to crypto wallet projects and cold storage digital asset custodians. Oftentimes, the client may need a third party audit carried out which can be provided to a regulator as part of a process to achieve an industry licensing requirement.
Signs of Industry Maturity
In many ways, the industry is showing signs of moving towards maturity and with that, there’s hope for stricter regimens being enacted when it comes to security. The listing of tokens on digital asset exchanges in the recent past has been a money grab for some platforms. For a project to get its token listed, it has to pay a substantial listing fee. The fee was the main consideration, with little thoroughness applied to understanding the new token itself.
Tucker-Feltham believes this is changing: “I think exchanges are being more mindful now that their reputation is on the line if there are any problems with the tokens they’re listing.”
Symptomatic of that shift, LCS are being asked to carry out smart contract auditing for new tokens that exchanges are thinking of adding. The LCS founder believes this should be standard practice, particularly given how little attention some in the industry had been paying to what should be a core tenet of platform security.
The London-based entrepreneur says that his opinion on this may not be welcomed in some circles – but proper regulation of certain industry participants could also go a long way towards keeping the level of security breaches and hacks to a minimum. Penalties should be applied if an exchange is hacked and exchanges should be made to hold ring-fenced funds for the purpose of compensating clients in the event of such a security breach.
That regulation cannot be so overbearing that it stifles innovation. Regulation in this space is in its infancy, yet Tucker-Feltham is complimentary of the work being done by the U.K.’s Financial Conduct Authority (FCA). The authority has engaged with crypto startups within the framework of its regulatory sandbox. A number of consultation papers have been produced with a view towards establishing what the regulatory perimeter will be.
The FCA has also indicated an intention to regulate crypto derivatives which Tucker-Feltham welcomes given the magnification in volatility that such products bring. They’re a risk for retail investors and likely should be confined to use amongst professional investors.
LCS consists of a team of senior developers in the UK, with additional support based in Ukraine – a well-known crypto hotspot in Eastern Europe – with a couple of smart contract auditors over and above that. The firm has only been around a year but with the pace of development in the crypto space, impact and results count first and foremost.
For anyone who’s been maintaining an interest in the space, it’s been patently evident for quite some time that industry standards need to be set. Alongside that, regulation is needed at least for centralised points in the ecosystem. Smart contract auditing can clearly play a role in minimising security risks. With this approach, it seems entirely possible that the crypto sphere becomes no more of a hackers’ paradise than any other sector in the financial and fintech worlds.