Understanding the Inconveniences and Risks of Blockchain Technology
Inefficiencies of the Blockchain
A digital token’s blockchain functions much like the Torrens land titles register system. If the digital token’s blockchain, a register of digital assets (the “Register” or the “Blockchain”), reflects the user’s digital payment tokens (“DPTs”), the user’s ownership is proved. The assets are recorded in addresses (the “Address”) on the Register belonging to users on the token’s blockchain. Looking up an Address on the Register will reflect the assets in the address.
Because those records on the Register are the only way to prove ownership of those digital assets, the real-time processing of recording the transaction of the token’s blockchain becomes critical for users that purchase DPTs for payment services. Many Registers of digital tokens have real time and computing inefficiencies.
Consider Bitcoin. When you make a Bitcoin transaction, it needs to be approved by the Register before the transaction is recorded. The Bitcoin Register has set a standard of 6 confirmations that a transfer needs before you can consider it complete. Computing nodes that update the Register (“Miners”) of the Bitcoin Register prioritize validating transactions by the fee that they receive for confirming them. Therefore, if you pay a higher fee, a Miner is more likely to process your transfer which decreases the transaction time thereby reflecting your digital assets earlier on the Register.
Consequently, depending on how much is paid or if any digital asset is paid at all, a transaction can take anywhere between to 1 to 24 hours. For payment services practicality, a transaction lag exceeding seconds defeats the processing of real time transactions in today’s age. Imagine taking 1 to 24 hours to buy a can of coke with BTC. However, even in view of these impracticalities, the industry recognizes the heavy adoption of blockchain technology for payment services by consumers and businesses as inevitable[1].
Centralised Addresses
Centralized receipts of digital assets are a concept used to deal with the inefficiencies of blockchain Registers. It allows the user to begin dealing and transacting real time within an internal accounting environment without having to wait for the update lag or suffer from the computing resources required by the Register to record the transaction[2].
There are businesses that create centralised Addresses (a “Platform”) to receive, custodise and secure a user’s deposits of digital tokens with the Address. The receipts are reflected on the Platform where the user can use this accounting environment to record their transactions for DPTs while updating the transactional information on the Register only when the transactions leave the Platform’s accounting environment.
Wallets, the Security Architecture of Addresses
A digital token wallet (a “Wallet”) is a software and security protocol that stores and encrypts a user’s alphanumeric codes (termed “Keys”) that are used to digitally sign off transactions in relation to a user’s address on the Register. Because those Keys are the only way to amend the transaction on the Register, they become a critical piece of the digital token ecosystem. Wallet security protocol becomes critical to the Business. There are solutions out there that deal with them[3].
Traditionally, cryptocurrency wallets use a single signature Key. This is a private Key that allows an individual to verify and sign off on any transaction. While the notion of using a single Key allows the funds owner full and exclusive access to their funds, it is a very risky concept. The security of the user’s wallet and assets therein are solely dependent on the private Key, which is nothing but a chain of alphanumeric numbers. There are several risks we identify here, including theft or easy misplacing of the key. In practice, if any of these triggering events were to occur, the user will be at high risk of losing all the digital tokens in the Wallet.
Updating the Register with one’s ownership of digital assets is not a simple process. It involves computing transaction data (a “Block”) for an Address. Having the unsigned Block verified by a Key and submitted to the Register. While this might seem like a verbally easy process, many consumers lack the sophistication to adopt the use of this technology for payment services because of the complexities of preparing a Block, safeguarding Keys, safeguarding transmissions of the Block to the Register from Attack Vectors and verifying the transaction on the Register.
Centralized receipts by a Platform safeguard against the lapses of wallet security of users by forcing easily implementable security protocols.
Attack Vectors and Their Increasing Risk for Centralised Addresses
All digital assets must connect to the internet. When connected, transmission data to and from critical systems can be hacked[4] or screen-jacked[5] allowing modification transmission policies and/or data (each an “Attack Vector”). Hackers (“Attack Vector Operators”) search for Attack Vectors that can allow them to modify transaction policies and transaction data before the transmission reaches its destination.
Centralization of digital assets comes with centralization of these risks. Because all Addresses are maintained online. Attack Vector Operators target centralised Addresses such as a Platform because it offers much higher rewards than to hack an individual’s Address.
Technology Risk Management Requirements
To counter the increased risk of centralised entities, the Monetary Authority of Singapore (“MAS”) has requirements to ensure that a Platform
Architecture, processes and policies around the Wallet security need to be sound. For example, one way to diversify secure access is to ensure that there are several layers of controls over who can modify the source code of the Wallet. This can be implemented by ensuring that technician who is modifies or pushes the source code to a live environment cannot do so without a one-time pin from a supervisor and a compliance officer.
Understanding the technology and its risks is critical in obtaining a license and to continue conducting a regulated payment service activity
If you are a Platform operator and would like to check on your view of the risks in the business, speak with us today if you would like to schedule a consultation on the licensing requirements around your technology and the organisational risk management approaches that can be taken to reduce operational risks on the Platform.
[1] See Project Ubin, an initiative driven by the Monetary Authority of Singapore https://www.mas.gov.sg/schemes-and-initiatives/project-ubin
[2] https://coincentral.com/how-long-do-bitcoin-transfers-take/#:~:text=Bitcoin%20transaction%20times%20vary%20and,minutes%20to%20over%201%20day.&text=The%20two%20things%20that%20determine,activity%20and%20the%20transaction%20fees.&text=The%20average%20Bitcoin%20transaction%20time%20is%20currently%20around%201%20hour.
[4] Where the User’s online terminal is being hacked and controlled by an external malicious third-party.
[5] Where the screen of the User is jacked, and the User believes he is entering digital signatures in a safe environment.
[6] Requirements in Form 1 Applications for Payment Services Licensing para 3.1.8, para 6.3 Technology Risk Management Guidelines