An Open Letter to EU Cryptocurrency-related Regulators, Policy Advisors and Makers: Technology Assurances are a Must

Joshua Ellul
Sep 11, 2020

I am writing this open letter to raise what I perceive to be a vital concern regarding cryptocurrency-related regulation. Across Europe, we have seen regulators take similar approaches to those used in traditional financial services, which lack adequate levels of technology-based assurances due to inherent high risks associated with specifically decentralised technology used in Blockchain, Smart Contracts and Cryptocurrencies.

Cryptocurrencies, other similar forms of tokens and related activities have inherent technological risks which could be detrimental to European regulatory frameworks and the EU’s reputation in this sector. In June 2020, a European country took a blow to its reputation (and perhaps indirectly Europe) with respect to regulatory oversight of financial and operational due diligence of the sector. Let us not let it take another potentially more serious blow from lack of technological due diligence and technology assurances.

Cryptocurrencies, tokens, virtual financial assets, utility tokens, ICOs, STOs, IEOs, or any other financial operation and technology built on or making use of blockchain and smart contracts are inherently high risk. Regulators are already familiar with the risks inherent in the operational and financial aspects, but this risk is intensified because of its dependence on blockchain or similar distributed ledger technologies (DLT).

Unlike traditional technology and systems, where a mistake in a transaction or bug in the data or code can be fixed, on a DLT, such errors frequently cannot be fixed, and the data cannot be reverted or manipulated to compensate for losses resulting from the unexpected behaviour. Neither the operator, nor the software developer, the responsible Authority, nor the justice system may be able to enforce such a recovery. To put this in context, consider the hypothetical scenario in which, due to a software bug, all clients’ accounts are reset to have no funds, effectively emptying millions of euros worth of cryptocurrency held by various clients. Now consider this bug occurs in an EU licensed activity — it results in millions or billions worth of euros in losses and again it was licensed by an EU-based regulator, and it is found that adequate technological due diligence to minimise such bugs was not undertaken by the developer and/or operator, nor required by the Regulator. Not only will this be a blow to EU crypto-based licensed activity, but aggrieved parties may decide to initiate class-action lawsuits against the Regulator for not having had in place sufficient technology assurances that could have minimised such occurrences. It is worth adding that the hypothetical nature of this scenario is the latter part — the occurrence of this happening to an EU licensed activity. However, when it comes to bugs and losses one can cite various instances of DLT technology failures which have led to the equivalent of hundreds of millions of euros.

The risks associated with the underlying technology are as high as, and some would say much higher than, the operational and financial ones. And yet, one can approach addressing such risks in a manner which mirrors the way in which operational risks are addressed — setting up a process of independent third-party system audits and a sufficient regulatory framework for ensuring technology-based assurances. This needs to be mandatory within the cryptocurrency space.

As part of Malta’s regulatory framework, the Malta Digital Innovation Authority addresses such technology-based assurances. We would like to reach out to the EU and other member states to initiate a forum for taking such assurances to an EU-level. If the EU does not implement adequate technology assurances, then it may only be a matter of time until it will have to face another blow to the credibility of its regulated services due to lack of technology-based assurances.

A list of such reported losses due to bugs and technology follows. Further details regarding the regulatory framework are discussed in the following paper: https://link.springer.com/article/10.1007/s12027-020-00617-7

Dr Joshua Ellul
Chairperson of the Malta Digital Innovation Authority
Director of the Centre for DLT at the University of Malta

List of a few reported bugs and losses
Sep 2020
https://cointelegraph.com/news/dev-finds-major-governance-bug-in-sushiswap-but-no-threat-to-the-project-yet

Aug 2020
https://www.coindesk.com/erc-20-ethereum-tokens-fake-deposit
https://www.theblockcrypto.com/post/74810/yam-token-market-cap-collapses-by-more-than-90-flaw
https://cointelegraph.com/news/rushed-upgrade-made-12-of-ethereum-clients-unusable (no direct loss of money, downtime though)

Jul 2020
https://cointelegraph.com/news/vulnerability-in-ravencoin-creates-extra-15-of-maximum-supply-for-hackers
https://www.coindesk.com/mempool-manipulation-enabled-theft-of-8m-in-makerdao-collateral-on-black-thursday-report

June 2020
https://cointelegraph.com/news/defi-protocol-balancer-hacked-through-exploit-it-seemingly-knew-about

Mar 2020
https://www.coindesk.com/long-festering-defi-dapp-bug-still-not-fixed-by-industry

Feb 2020
https://cointelegraph.com/news/decentralized-lending-protocol-bzx-hacked-twice-in-a-matter-of-days
https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8
https://cointelegraph.com/news/value-locked-in-crypto-defi-markets-hits-1-billion-milestone

Sep 2019
https://cointelegraph.com/news/hacker-spends-1k-to-win-over-110k-in-eos-betting-game-using-rex

June 2019
https://cointelegraph.com/news/ethereum-based-synthetic-asset-platform-loses-over-37m-tokens-in-oracle-attack

July 2018
https://cointelegraph.com/news/bancor-urges-industry-players-to-collaborate-after-23-5-million-hack
https://cointelegraph.com/news/bithumb-details-still-sketchy-after-30-mln-hack
https://cointelegraph.com/news/buy-the-fud-mainstream-media-convinced-coinrail-hack-caused-crypto-price-plunge

Dec 2018
https://cointelegraph.com/news/eos-dapps-lose-almost-1-million-to-hackers-over-the-last-five-months

Sep 2018
https://cryptoslate.com/eos-dapp-smart-contract-exploit-pays-out-200k-to-hacker/

Feb 2018
https://bitcoinist.com/bitgrail-cryptocurrency-exchange-hacked-170-million-nano-allegedly-stolen/

Jan 2018
https://cointelegraph.com/news/coincheck-stolen-534-mln-nem-were-stored-on-low-security-hot-wallet

Nov 2017
https://www.theguardian.com/technology/2017/nov/08/cryptocurrency-300m-dollars-stolen-bug-ether

July 2017
https://www.coindesk.com/30-million-ether-reported-stolen-parity-wallet-breach

Aug 2016
https://www.theguardian.com/technology/2016/aug/03/bitcoin-stolen-bitfinex-exchange-hong-kong

June 2016
https://www.bbc.com/news/technology-36585930

Jan 2015
https://thehackernews.com/2015/01/bitstamp-bitcoin-exchange-hacked.html

Feb 2014
https://cointelegraph.com/news/mt_gox_blows_fallout_could_be_catastrophic

Sep 2012
https://bitcoinmagazine.com/articles/bitfloor-hacked-250000-missing-1346821046

June 2011
https://venturebeat.com/2011/06/19/popular-bitcoin-exchange-mt-gox-hacked-prices-drop-to-pennies/

Joshua Ellul

Chairperson // Malta Digital Innovation Authority; Director // Centre for DLT @ Uni Malta; Lecturer. Programmer. Opinions are my own.