As more things of value become managed, exchanged, and agreed digitally, the need for confidence and security in the code that powers these things has created the need for auditors to give those reassurances and to identify and mitigate risks. Companies have been set up to meet these needs in the decentralized finance ecosystem, but their industry has few standards and no SRO-agreed best practices, which makes one ask “are their audits fit for purpose?”
The purpose of proposing regulations and standards is to help secure the wealth, investment and contributions of society – as we move towards a system that ever more relies on digitalization. Blockchain smart contracts are becoming more and more accepted by governments as a better digital method to store, exchange and create value.
DeFi and crypto as conceptualizations are many things, one of which is seen by some in the industry as the rejection of regulatory oversight. Governments, SROs, associations and working groups are centralized, which does not quite fit with the principles of decentralization. A few years ago AML and CFT had no part in the crypto ecosystem, with many transactions processed on darknets. However, over time, this has changed remarkably, with the crypto asset industry arguably enjoying less financial crime as a percentage in comparison to the traditional fiat system. This is the work of an increasingly stringent regulatory environment, companies such as Coinfirm deploying innovative AML solutions to the market and market participants themselves calling for a ‘cleaner’ system in an effort to power the mass adoption of blockchain.
The nature of the decentralized finance (DeFi) landscape is of particular interest to Coinfirm, as the firm has not one but two AML and CFT services – the AML Oracle and Liquidity Pools Reports – for an industry in its infancy.
Apologies are made in advance for any proposals and considerations that the reader deems not to delve into their respective fields in enough detail. Smart contracts code audits, smart contracts code auditors and smart contracts code auditors’ employees straddle cybersecurity, blockchain-native finance, some best practices from traditional auditing organizations and a number of other disciplines. In addition, because decentralized autonomous organizations (DAOs) – that smart contracts code auditors also work with – are able to touch almost every sector of the globe’s economy, other disciplines are only sparsely discussed despite having direct relevance (i.e. a DAO that is a healthcare company thus encounters medical law).
Reasoning of Proposing Smart Contract Code Auditing Regulations
What is a smart contract code auditor?
A smart contract code auditor is a firm that is employed by a blockchain-native service to audit the security of a given smart contract(s). As of the date of this publication, DeFi organizations are of most relevance to smart contract code auditors.
How many smart contract code auditing companies are there?
There are at least 50 reputable brands. These include: Certik, Hacken, Red4Sec, Kudelski Security, ConsenSys Diligence, PWC Switzerland, Quantstamp, SlowMist, Trail of Bits, OpenZeppelin, Callisto Network, ImmuneByte, Blockchain Labs NZ, BlockSoftLab, Bloqchain Audit, Chainsulting, CM Blockchain Security Center, Chain Security, CoinFabrik, CoinMercenary, Decenter, HAECHI AUDIT, HAECHI LABS, Immunefi, Iosiro, John Wick Security Lab, Kaspersky Smart Contract Audit, KryptoGO, MixBytes, Alchemy, PeckShield, PepperSec, QuillHash Technologies, Smartdec, Solidified, Solidity Finance, Somish, SOOHO, Validity Labs, Verichains Lab, ZK Labs, HashEx, Cheetah Mobile Security, MENA Software, Papers, Sigma Prime, Smartaudit24, LeastAuthority and Runtime Verification.
What is a smart contract code audit?
Blockchain smart contract auditors conduct analyses of smart contracts to find and prevent vulnerabilities that can be exploited through overflows and underflows as well as reentrancy, reordering, short address and replay attacks. This analysis can be of a token itself, a liquidity pool or any other blockchain-native smart contract.
What regulations already govern smart contract code audits?
There are already some regulations that, in theory, require DeFi and DAOs to conduct audits.
This is most notable in the European Union’s General Data Protection Act (GDPR), which stipulates under Article 32 that firms processing the data of European citizens must have in place “(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.” However, GDPR’s stipulations cover the handling of Personal Identifiable Information (PII) that Know Your Customer (KYC) processes collect, and most DeFi and DAOs have not yet implemented such processes as there are few jurisdiction-specific laws requiring them, so GDPR is not pertinent to DeFi and DAOs yet. The EU’s comprehensive crypto regulation Markets in Crypto Assets (MiCA) has not yet been amended to include DeFi and DAOs, nor has the EU’s latest AML and CFT regulation, the 6th Anti-Money Laundering Directive (6AMLD).
The California Consumer Privacy Act (CCPA), a recent comprehensive cybersecurity and data law, stipulates audits at least once in a given 12 year period. Although the CCPA’s broad view of an audit, in theory, encompasses blockchain smart contracts, it was signed into law in 2018, before the rapid adoption of DeFi and the subsequent financial consumer protection issues that Coinfirm finds itself regularly analyzing with respect to DeFi exploits arising from the absence, poor standard or irrelevant timing of a blockchain smart contract audit.
US cybersecurity laws such as the American Institute of CPAs’ SOC 2 audit standards require firms to undergo pentesting every 6 months under the ‘guiding 5 principles of trust’ but, similarly to GDPR, make PII a focus (one of the principles of trust), which does not yet apply to KYC-averse DeFi, and treat ‘availability’ as a principle to be overseen as set out by a service-level agreement (SLA), which few DeFi users sign as it rarely exists on those platforms. A smart contract audit SRO might, for instance, be able to aid other organizations in designing principles that best fit defense mechanisms for DeFi at a given time.
Tackled from another angle, there are few regulations that specifically deal with the business models inherent to the nature of DeFi. Some anti-money laundering (AML) and combatting the financing of terrorism (CFT) regulations have been amended to include DeFi business models.
Although the Financial Action Task Force (FATF) has updated its Recommendations to encompass DeFi, only Singapore and Switzerland have notable KYC laws in place to cover the space, and they do not have laws targeting defense mechanisms of smart contracts. Instead, it is the UK that is arguably foremost in its call for regulating or “remedying” defense mechanisms against loss by exploitation of smart contracts, in the Law Commission’s call for “views on smart contracts” in December 2020 and subsequent policy development, set to be published later this year.
In addition, new laws governing other disciplines should be considered, for example in the case of a private healthcare firm operating as a DAO. For instance, the UK’s Medicines and Healthcare products Regulatory Agency (MHRA) has announced its intention to revamp software laws in response to the EU’s Medical Device Regulation of 2017 (EU MDR 2017/745), which sets up guiding principles for software-first healthcare services.
Are further regulations in the space needed?
Hacken, a leading smart contract code auditor, released an analysis in December 2020 showing that only 247 (23.5%) of 1,055 “cryptocurrency projects” had “either not passed a security audit or have not publicly disclosed the fact they had been audited.” Hacken also points out that only 16.6% of the projects analyzed had a published bug bounty program. Bug bounty programs are another very good method to enhance the security of DeFi and DAOs, and whether regulation should be placed on having bug bounty programs instead of code auditors is a notable consideration of this paper.
The World Economic Forum has previously proposed a regulatory DeFi Policy Maker Toolkit framework that also draws attention to audits and bug bounties: “mechanisms such as security audits and bug bounties can be employed to mitigate smart contract risks”. It did not, however, delve deeply into granular detail.
Coinfirm has analyzed DeFi hacks on a number of occasions, including the Poly Network, DAO Maker, Cream Finance, Impossible Finance and Eleven Finance hacks, and notes that in recent hacks a number of exploited DeFis had claimed to have had code audits, subsequently leading the victims of these hacks to question code auditing companies.
Having code that is created by a dispersed number of developers make automated decisions on all transactions raises a number of concerns in relation to current data and cybersecurity regulations such as GDPR and CCPA. These laws were set for organizations using technology or technology-first organizations that have centralized data processing and operations management etc.
Code has traditionally been seen as an ‘enabler’ to digitalization with human-operated systems; it has not been the sole driver. DeFi and DAOs change that nature and thus the right regulatory approach must be taken.
One concern that could be raised is that, when, if, or indeed should code auditors be regulated, the same mistakes of the past must not be repeated. Parallels can be drawn with the Great Recession financial crisis of 2007-09, partially caused by the re-packaging of CDOs (Collateralized Debt Obligations) as stable financial instruments.
Naturally, no amount of regulation will make DeFi a totally secure method to store funds in its current state; however, some regulations could alleviate risk and be of significant benefit to financial consumer protection.
What form of regulations could governments consider?
Some of the proposed regulations below are arguably already partially applicable under existing law, such as the EU’s GDPR, if encompassed properly. However, it can be argued that significant amendments to the current regulatory landscape are required, hence the UK’s Law Commission Policy Development.
- Code Auditor Associations as Self-Regulatory Organizations
- Government Body Responsible for the Oversight of Code Auditors
- Auditing Firms Registering with Government Body Responsible
- Audits After Significant Amendments
- Audits of Smart Contracts Once a Contract has Hit a Certain TVL Threshold
- Audits of All Smart Contracts Before Deployment on Mainnet
- Audit Before Token is Traded on Mass Market Exchanges
- Fiduciary Duty of Code Auditors
- Insider Trading Encompassing Employees of Code Auditors
- Training of Blockchain Code Auditing Firms Compliance
- Certification of Code Auditor Employees
Code Auditor Associations as Self-Regulatory Organizations
Self-Regulatory Organizations (SROs) are of great benefit to the various stakeholders in most industries. This is experienced in blockchain-based businesses to great success, an example of which can be found in the Japan Virtual Currency Exchange Association (JVCEA), a government-recognized SRO.
Best industry practices typically come out of SROs, which could shape how an association of smart contract code auditors determines best practices. For instance, the Blockchain Association in 2019 unveiled the ‘Security Audit Certification’, demonstrating how associations are often faster than governments and often consider their stakeholders better than governments.
How an audit is performed, such as whether an audit requires automated or manual testing or both, would be another important factor SROs can consider as best practices due to their intricate knowledge of the underlying technology and faults. This could cover testing, formal verification, associative law, factorising, commutative law etc.
Government Body Responsible for the Oversight of Code Auditors
Alternatively, within each country, a certain government body could be responsible for the oversight of blockchain smart contract code auditors. Similar to AML, this would include reporting requirements, registration, certification of employees etc.
However, the cross-sector nature of crypto poses an issue already encountered in other sectors of the blockchain-native ecosystem. For instance, in 2021, the United States of America had a number of government agencies all attempting to take charge of oversight of crypto entities based on their various views of the same crypto-asset being seen as a financial security, commodity or currency.
The government body responsible for oversight of blockchain-native code auditors could by regulation issue a public certification of certain smart contract auditing companies. The quality of smart contract audits can vary significantly and hence having auditors issued with certification or being an accredited registrant might help quality control of audit firms.
Auditing Firms Registering with Government Body Responsible
In every country that has crypto AML laws, companies such as centralized crypto asset exchanges must register with the government body responsible for regulatory oversight. This can be replicated for blockchain code auditing firms.
Audits After Significant Amendments
Smart contracts are often regularly improved or tweaked by the developers working on them. This can lead to a result where an audit was carried out on a very different version of the smart contract from the one subsequently holding millions of dollars in total value locked.
It would therefore be of significant value that DeFi and DAO organizations were forced to be regularly audited if a smart contract had become unrecognizable from its originally audited iteration. This particular proposal could be very tricky as smart contracts regularly interact with one another, creating flash loan attack scenarios.
Audits of Smart Contracts Once a Contract has Hit a Certain TVL Threshold
It is common practice in the DeFi industry to deploy a smart contract before soliciting funds in the war for attention in arguably the fastest-moving and least regulated markets in the world.
One approach that could be taken towards this issue would be to allow smart contracts to be deployed by DeFis and DAOs first, but to require that an audit be commenced once a certain total value locked (TVL) threshold is reached. For example, California’s CCPA has a stipulation for an audit every 12-month period, but in the world of DeFi a smart contract could be created which quickly collects tens of millions of dollars – from thousands of investors – in its first day of deployment.
Audits of All Smart Contracts Before Deployment on Mainnet
Alternatively, rather than having smart contracts audited after a certain TVL threshold, consideration could be given to auditing smart contracts before they are deployed on mainnet, thus removing possible issues of insider trading, as well as mitigating the risk often experienced in DeFi that large funds are allocated to a new smart contract that is hacked not long after.
Audit Before Token is Traded on Mass Market Exchanges
The level of exposure that certain exchanges have to the mass market for ‘hyping’ new tokens can also significantly change their price. Most centralized exchanges in most jurisdictions do require that a token has undergone an audit before trading on the exchange. This is most likely because the centralized exchange actually has to comply with stringent KYC, AML and CFT laws.
Large decentralized exchanges, however, have only begun to dip their toes into exploring KYC and AML policies, in the process testing how much of their traditional crypto-hardliner user base they might lose and what volume of institutional demand they see coming to balance the loss.
Fiduciary Duty of Code Auditors
During the 2008 financial crisis, the labelling of bonds as AAA by rating agencies such as Moody’s and Standard & Poor’s led to vast troves of junk bonds being rated as premium. This was owing to these organizations being paid by the issuers of the debt to rate it, in their effort to beat the competition.
A repetition of the crisis of 2008 should be averted by taking a leaf out of the book of regulations that have come in the wake of the crisis. For instance, it is notable that the EU put forward regulations on credit rating agencies in the wake of 2009.
In addition, some organizations in the blockchain ecosystem span across multiple disciplines; i.e. creating a mainnet, centralized exchange, investment into other firms etc. Particularly for these types of firms, having a fiduciary duty enshrined in law for code auditing – should they become involved – would be a good idea. Conflicts of interest do arise.
Insider Trading Encompassing Employees of Code Auditors
Employees of code auditing companies are aware of non-public information that could move crypto assets.
In addition, audits are closely read by investors of the DeFi platforms in question. Commonly with lesser-known platforms, after a DeFi audit has been concluded positively, the price of the token associated with that platform can spike substantially. Subsequently, audits positively received by retail investors result in current investors deploying more assets (increasing their risk), whilst also drawing in new investors.
Thus, whether one believes crypto assets are financial securities or not, the ‘ratings’ given by code auditors cause the fluctuation of crypto assets in the same manner as traditional rating agencies such as Standard & Poor’s or Moody’s cause the price of bonds, stocks etc. to fluctuate after an upgrade or downgrade in debt rating.
In the EU’s MiCA, insider trading and market manipulation will become illegal in the crypto space. It would be well worth countries following suit in incorporating this law, and including auditors in the process.
Training of Blockchain Code Auditing Firms Compliance
Training is often a stipulation of regulatory codes.
Training extends to a number of entities in other legal disciplines such as AML. Having the employees of DeFis or shareholders of DAOs undergo training to know their auditing requirements could be an added benefit to DeFis and DAOs.
Certification of Code Auditor Employees
Some smart contract code auditors such as DeFiFusion claim that their analysts hold the certification of CompTIA Cybersecurity Analyst (CySA+). Whether cybersecurity analysts of smart contracts hold accreditations or not could be a valid method to maintain quality controls of audits.
Regulatory Proposal Considerations
With every proposal of regulations, the consideration of how they impact various stakeholders must be weighed heavily.
- Feedback from Stakeholders
- Increased Barrier to Entry
- Loss of Platforms and Innovation
- DAOs and Code Audit Regulations
- FATF as a Watchdog for Auditors or Not
- Jurisdictional Arbitrage
- Bug Bounty Programs
Feedback from Stakeholders
Naturally, as with any lawmaking process, feedback from the community is necessary during pre and post-proposal and legislation stages, an example of which is seen in the UK’s Law Commission smart contracts policy development.
Increased Barrier to Entry
Having regulations inevitably increases barriers to entry, which some would say is the antithesis of the beginning of the Bitcoin revolution. DeFi in its nascency means that many in the industry see it as similar to how Bitcoin was in the beginning. But as a movement becomes bigger and new stakeholders interact with it, it is critical to protect the public. The proposed regulations in this document will without a shadow of a doubt increase those barriers to entry for budding groups of code developers.
However, with USD 90+ in TVL as of the date of this publication according to DeFi Pulse, consumer protection becomes an increasing issue. As renowned crypto expert Erica Stanford in her book ‘Crypto Wars: Faked Deaths, Missing Billions and Industry Disruption’ notes, “anyone could create a token out of thin air”. From that angle, increasing a barrier to entry of smart contract creation by for example forcing the developers to get an audit before the deployment of a new smart contract by an accredited auditing firm employing certified auditors, might to some extent protect investors. But as code auditing firms increasingly are employed in DAOs, the potential pitfalls of an unregulated space will become heightened.
There is a significant danger of price cartelling in any industry with a handful of vendors. The blockchain smart contract audit landscape as it currently stands is not even close to an oligopoly – and arguably crypto by nature alleviates the threat of this inefficiency – but this could become an issue if regulations change the price elasticity of a required service.
Loss of Platforms and Innovation
If it is a legal requirement to have a code audit, some DeFi protocols that have not yet had an audit but the developers of which have created extensive lines of code would be particularly concerned about being forced to undergo an audit as the audit may find issues with the code that could lead to a great deal of work being undone.
In addition, according to Quillhash, a smart contract code auditor, as smart contract code audits can range from a few days to several months, resources dedicated to the task or the withholding of the smart contract until an audit has taken place etc, can lead to significant downtime, loss of competitive advantage and other issues.
DAOs and Code Audit Regulations
Decentralized autonomous organizations and their regulations could be substantial, particularly in terms of code auditing. If these organizations become ubiquitous in the future – somewhat fixing the questions of organization transparency and wealth inequality – then most regulations should apply to these firms as they are also managed by code alone.
Whilst many of today’s DAOs are DeFi outfits, the nature of these organizational models means that they can be applied to any for-profit company as well as public entities. This means that some critical infrastructure could be at risk without stringent regulations. Healthcare firms could be run as DAOs, leading to issues with health data or operations, the problems of which have surfaced with the COVID-19 pandemic and ransomware attacks targeting the sector. Energy firms could likewise be run as DAOs, the result of an exploit being demonstrated by the Colonial Pipeline attack that crippled the US’ energy grid.
Financial Action Task Force as a Watchdog for Auditors or Not
The Financial Action Task Force (FATF) is the global watchdog responsible for combatting financial crime globally with the participation of sovereign nations as members.
The proposed regulations enclosed in this document are born from the issues apparent from DeFi hacks that Coinfirm has analyzed. Often, black hat hackers that have exploited smart contracts go on to launder the proceeds of said exploits. Whether or not blockchain smart contract auditors are included in the FATF’s Recommendations should depend on the direct and peripheral exposure to financial crime that results from the lack of standards employed by auditors in the space.
Jurisdictional Arbitrage
Coinfirm is aware of the jurisdictional arbitrage taken advantage of by certain entities in the blockchain ecosystem as they hop – or shop – from one country to the next in search of favourable laws. This issue is almost certainly going to pop up when and if DAOs and their auditors are regulated in certain jurisdictions.
This problem is easily shown in a hypothetical sense if, for instance, an energy company that is a DAO has its audit completed by an auditor that is also a DAO. A DAO’s domicile could be counted in any number of ways: how many nodes are operated in a given country, or which country has the largest share of goods and services being sold to customers by that DAO.
Bug Bounty Programs
As the World Economic Forum and blockchain smart contract audit firms themselves note, bug bounty programs are a foremost defense mechanism for decentralized finance protocols.
Bug bounty programs attract white hat hackers and are a highly efficient, proven method to organically – taken in the meaning of non-government intervention – protect DeFi, DAOs and other blockchain-native organizations.
How, what, when, where, why and indeed whether code auditors, code audits and the employees of code auditors should be bound by certain forms of regulations are questions that only the industry itself can answer.
Author: Ignatius Bowskill-Dutkiewicz, Content Marketing Manager
The views expressed in this document are solely those of the author. No guarantee is made that the content may not be amended significantly.