Transaction synchronization and privacy aspect in decentralized applications

Patarawan Ongkasuwan 16-03-2020

Master’s Thesis

Examiner: Mihhail Matskin
Academic advisor: Anne Håkansson
Industrial advisor: Vygandas Simbelis, Mattias Jacobsson

KTH ROYAL INSTITUTE OF TECHNOLOGY
INFORMATION AND COMMUNICATION TECHNOLOGY

Abstract

The ideas and techniques of cryptography and decentralized storage have seen tremendous growth in many industries, as they have been adopted to improve activities in the organization. This technology, called Blockchain, provides an effective transparency solution. Generally, Blockchain has been used for digital currency or cryptocurrency since its inception. One of the best-known Blockchain protocols is Ethereum, which invented the smart contract to enable Blockchain to execute a condition, rather than simply acting as storage. Applications that adopt this technology are called ‘Dapps’ or ‘decentralized applications’. However, there are ongoing arguments about synchronization associated with the system. System synchronization is currently extremely important for applications, because the waiting time for a transaction to be verified can cause dissatisfaction in the user experience. Several studies have revealed that privacy leakage occurs, even though the Blockchain provides a degree of security, as a result of the traditional transaction, which requires approval through an intermediate institution. For instance, a bank needs to process transactions via many constitution parties before receiving the final confirmation, which requires the user to wait for a considerable amount of time. This thesis describes the challenge of transaction synchronization between the user and smart contract, as well as the matter of a privacy strategy for the system and compliance. To approach these two challenges, the first task separates different events and evaluates the results compared to an alternative solution. This is done by testing the smart contract to find the best gas price result, which varies over time. In the Ethereum protocol, gas price is one of the best ways to decrease the transaction time to meet user expectations. The gas price is affected by the code structure and the network.
In the smart contract, testing is run based on two cases; it solves platform issues such as runners and user experience, and reduces costs. It has also been found that collecting the fee before participating in an auction can prevent the problem of runners. The second case aims to prove that freezing the amount of a bid is the best way to improve the user’s experience, and to achieve a better experience of an online auction. The second challenge mainly focuses on the privacy strategy and risk management for the platform, which involves identifying possible solutions for all risk situations, as well as detecting, forecasting and preventing them. Providing strategies, such as securing the smart contract structure, increasing the encryption method in the database, designing a term sheet and agreement, and authorization, helps to prevent system vulnerabilities. Therefore, this research aims to improve and investigate an online auction platform by using a Blockchain smart contract to provide evocative user experiences.

Keywords

Blockchain, distributed database, , digital ledgers, centralized database, decentralized database, Ethereum, Blockchain synchronization, security-related, cryptocurrency, digital currency, transaction, user experience, privacy strategy, smart contract, risk

Summary

Ideas and techniques for cryptography and decentralized storage have seen enormous growth in many industries, since they have been adopted to improve operations in the organization. The technology called Blockchain provides an effective transparency solution. Generally, Blockchain has been used for digital currency or cryptocurrency since its inception. One of the best-known Blockchain protocols is Ethereum, which invented the smart contract to enable the ability to execute a condition, rather than only functioning as storage. Applications that use this technology are called 'Dapps' or 'decentralized applications'. However, there are ongoing arguments about synchronization associated with the system. System synchronization is currently extremely important for applications, since the waiting time for a transaction to be verified can cause dissatisfaction in the user experience. Several studies have shown that privacy leakage occurs, even though Blockchain provides a certain degree of security, as a result of the traditional transaction, which requires approval through an intermediate institution. For example, a bank must process transactions via many constitution parties before it receives the final confirmation, which requires the user to wait a considerable time. This thesis describes the challenge of transaction synchronization between the user and smart contract, as well as the question of a privacy strategy for the system and compliance. To approach these two challenges, the first task separates different events and evaluates the results compared to an alternative solution. This is done by testing the smart contract to find the best gas price result, which varies over time. In the Ethereum protocol, the gas price is one of the best ways to reduce the transaction time to meet the user's expectations. The gas price is affected by the code structure and the network.
In the smart contract, tests are run based on two cases; they solve platform problems such as runners and user experience, and reduce costs. It has also been shown that collecting the fee before taking part in an auction can prevent the runner problem. The second case aims to prove that freezing the bid amount is the best way to improve the user's experience and to achieve a better experience of an online auction. The second challenge focuses mainly on the privacy strategy and risk management for the platform, which involves identifying possible solutions for all risk situations, as well as detecting, forecasting and preventing them. Providing strategies, such as securing the smart contract structure, increasing the encryption method in the database, designing a term sheet and agreement, and authorization, helps to prevent the system's vulnerabilities. Therefore, this research aims to improve and investigate an online auction platform by using a Blockchain smart contract to provide evocative user experiences.

Keywords

Blockchain, distributed ledger, digital ledger, centralized database, decentralized database, Ethereum, Blockchain synchronization, security-related, cryptocurrency, digital currency, transaction, user experience, privacy strategy, smart contract, risk

Table of Contents

Chapter 1 Introduction
  1.1 Background
  1.2 Problem Statement
  1.3 Purpose and Goal
  1.4 Methodology / Methods
    1.4.1 Scope
  1.5 Ethics and Sustainability
  1.6 Delimitations
  1.7 Outline (Disposition)
Chapter 2 Blockchain Technology and Cryptocurrency
  2.1 Blockchain technology
    2.1.1 Major impact on Blockchain
  2.2 Consensus protocols and standards
    2.2.1 Protocols
    2.2.2 Standards
  2.3 State of the art developments/products/features
    2.3.1 Ethereum
    2.3.2 Hyperledger
    2.3.3 Ripple
    2.3.4 Arcblock
  2.4 Challenges
    2.4.1 Consensus
    2.4.2 Blockchain barriers
    2.4.3 Completion time
Chapter 3 Methodology and Hypothesis
  3.1 Methodology
    3.1.1 Data collected
    3.1.2 Experimental tools
    3.1.3 Probability/consequence matrix
  3.2 Hypothesis from the research question
  3.3 Assessing the reliability and validity of collected data
    3.3.1 Reliability
    3.3.2 Validity
Chapter 4 Data Analysis and Research Findings
  4.1 Data analysis
    4.1.1 Blockchain barriers
    4.1.2 Participant feedback and results
  4.2 Online NFTs auction platform design and architecture
    4.2.1 Auction services
    4.2.2 Payment components
    4.2.3 Server component (back-end database)
    4.2.4 Blockchain component
  4.3 Blockchain Synchronization
    4.3.1 Problem statement
    4.3.2 Communication design
    4.3.3 Case 1: Traditional transaction
    4.3.4 Case 2: Freezing amount
  4.4 Data privacy policy
    4.4.1 Problem statement
    4.4.2 Data protection agreement
  4.5 Risk analysis
Chapter 5 Results and Discussion
  5.1 Testing results
  5.2 Gas vs time model
    5.2.1 Strategy solutions
  5.3 Privacy and risk
    5.3.1 Solutions
Chapter 6 Conclusions and Future work
  6.1 Summary of findings
  6.2 Future work
  6.3 References
Appendix A
  Other data survey – 62 participants
Appendix B
  Extra: Testing results

Chapter 1 Introduction

Blockchain became mainstream from 2018 to 2019, as derived from the results of the CCN report [1], in which people stated their expectations regarding investment in distributed ledger technology (DLT), of which Blockchain is a part. The result increased from 9% to 23%, in addition to other development trails, as shown in Figure 1. The rise of smart contracts has impacted app development as well as migration to the Dapp structure. The shifting of perspectives on Blockchain, as well as visions about application development, has also had an impact on various industries such as real estate, financial, gaming and art. Due to the benefits of transparency, security and trustworthiness provided by Blockchain, interest in adopting this technology is increasing, and it now fulfils most requirements of applications [1]. The topic of Blockchain is becoming extremely interesting for researchers and developers who are improving and developing the functionality of the technology. Furthermore, an increasing number of attackers are attempting to penetrate the system in order to invade privacy, and to destroy or take control of the system. This results in issues of insecurity and distrust in the system [2].

In this thesis we consider two major problems: transaction synchronization and data privacy. Transaction synchronization refers to the resulting interaction between the user interface and Blockchain system in a Dapp auction platform called ‘Art Value App’¹. Due to issues with using as the main currency, which can necessitate a minute to days to receive the transaction confirmation, users need to wait for the confirmation before they can decide to publish another transaction regarding the total amount of the remaining money. Although users can publish as many transactions as they want, the amount in their wallet needs to update and freeze to prevent runners, that is, winners who refuse to pay. This can cause issues in financial Dapps, such as the purchasing time. The same applies to real-time markets, such as the stock exchange or highly interactive markets that need real-time stocks.

The best solution to this problem is to collect the appropriate amount of gas fee/cost (processed cost or participation cost) and predict the time provided by the network. Accordingly, this research focusses on the Ethereum protocol, which means that the transaction time depends on the gas price. The limitation for the gas price occurs when the user or provider pays for too much gas and exceeds the amount that the network can support. This has no effects other than causing the transaction to proceed faster, because the maximum threshold for the gas price has an impact on the limitation of the speed, and it should not exceed it. Furthermore, paying a gas price that is lower than the requirement of the network can cause insufficient funds and result in transaction failure.

Regarding data privacy, although Blockchain provides a secure solution for storage transactions, privacy remains a significant issue [3]. This is due to the concept of public storage, in which everyone has access to the network and is able to inspect all transaction flows inside the network in addition to previous transactions, which are traceable. Therefore, all platforms need to conduct research on data privacy and risk management for all elements that could impact systems. The second research question of this thesis will investigate data privacy and risk analysis, as well as providing possible solutions for all risk cases.

¹ http://www.artvalueapp.com
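The runner problem and the frozen-bid remedy described in this introduction, as an added Python model that is not the thesis's Solidity contract: the same bidding sequence is run once without freezing and once with it. The `Auction` class, the user names and all amounts are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


class AuctionError(Exception):
    """A bid, payment or settlement that the ledger rules reject."""


@dataclass
class Auction:
    seller: str
    freeze_bids: bool                        # True models the "freezing amount" case
    balances: Dict[str, int] = field(default_factory=dict)  # spendable funds
    frozen: Dict[str, int] = field(default_factory=dict)    # locked behind the top bid
    leader: Optional[str] = None
    top_bid: int = 0
    closed: bool = False

    def deposit(self, user: str, amount: int) -> None:
        if amount <= 0:
            raise AuctionError("deposit must be positive")
        self.balances[user] = self.balances.get(user, 0) + amount

    def spend(self, user: str, amount: int) -> None:
        """Any unrelated payment the user makes while the auction is open."""
        if amount <= 0 or self.balances.get(user, 0) < amount:
            raise AuctionError("insufficient spendable balance")
        self.balances[user] -= amount

    def bid(self, user: str, amount: int) -> None:
        if self.closed:
            raise AuctionError("auction is closed")
        if amount <= self.top_bid:
            raise AuctionError("bid must exceed the current top bid")
        # Funds already frozen for this user count, because they are released below.
        available = self.balances.get(user, 0) + self.frozen.get(user, 0)
        if available < amount:
            raise AuctionError("bid exceeds the bidder's funds")
        if self.freeze_bids:
            if self.leader is not None:
                # The outbid (or re-bidding) leader gets the locked amount back.
                released = self.frozen.pop(self.leader)
                self.balances[self.leader] += released
            self.balances[user] -= amount
            self.frozen[user] = amount
        self.leader, self.top_bid = user, amount

    def settle(self) -> int:
        """Close the auction and pay the seller; returns the amount paid."""
        if self.closed:
            raise AuctionError("already settled")
        self.closed = True
        if self.leader is None:
            return 0
        if self.freeze_bids:
            paid = self.frozen.pop(self.leader)   # cannot fail: funds were locked
        else:
            if self.balances.get(self.leader, 0) < self.top_bid:
                raise AuctionError("runner: winner cannot cover the winning bid")
            self.balances[self.leader] -= self.top_bid
            paid = self.top_bid
        self.balances[self.seller] = self.balances.get(self.seller, 0) + paid
        return paid


def run_scenario(freeze_bids: bool) -> dict:
    """Constructed sequence: the winner tries to spend elsewhere before settlement."""
    auction = Auction(seller="gallery", freeze_bids=freeze_bids)
    auction.deposit("alice", 100)
    auction.deposit("bob", 80)
    auction.bid("bob", 50)
    auction.bid("alice", 70)
    try:
        auction.spend("alice", 60)
        spent_elsewhere = True
    except AuctionError:
        spent_elsewhere = False
    try:
        paid, runner = auction.settle(), False
    except AuctionError:
        paid, runner = 0, True
    return {
        "spent_elsewhere": spent_elsewhere,
        "runner": runner,
        "seller_paid": paid,
        "alice": auction.balances["alice"],
        "bob": auction.balances["bob"],
    }


if __name__ == "__main__":
    print("traditional:", run_scenario(False))
    print("frozen bids:", run_scenario(True))
```

With freezing, the outbid bidder's funds return to the spendable balance as soon as a higher bid arrives, so only the current leader's bid is ever locked.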

Figure 1: CFO survey on DLT investment timetable from 2018 to 2019 [1]

1.1 Background

Blockchain technology has been adopted from the concept of peer-to-peer (P2P) decentralized databases (transaction records). The early generation (1.0) of Blockchain mainly aimed to use simple record transactions in cryptocurrency. The next generation (2.0) followed the appearance of the Ethereum currency, which developed the simple transaction into a smart contract. Smart contracts are used to create the conditions for Blockchain to execute. This concept guarantees that nobody can disrupt the condition inside the Blockchain. The latest generation (3.0) has introduced decentralized applications (Dapps) that run on top of smart contracts. This combination of smart contracts and applications to solve everyday situations is predicted to disrupt many business models [3]. Generation 4.0 of Blockchain will become usable for real life and will satisfy Industry 4.0 requirements, which are discussed further in Chapter 2, along with greater detail about Blockchain and its challenges.

1.2 Problem Statement

The problem of synchronization of Blockchain smart contracts causes waiting time for the verification of transactions and confirmation, which results in a poor user experience and a high gas price in order to operate more quickly. Another issue concerns data privacy on the platform, including smart contracts, which need to publish non-sensitive data to the public. Due to the public nature of Blockchain, all data - including smart contracts - are stored openly and indefinitely so that everyone can inspect transaction flows. Therefore, it is very important to find the best solution to protect the data inside the chain. As such, this thesis identifies two main problems:

1. The synchronization cost between the user and transaction when using a smart contract, while waiting to receive the token that enables the next auction to start.
2. The privacy of data held inside Blockchain and a risk analysis of possible intrusion into the platform.

1.3 Purpose and Goal

The purpose of this research is to explore and improve the online auction platform or e-Auction. The research is based on the Art Value App, an idea developed by Vygandas Simbelis², which is a uniquely designed online auction experience with an interactive performance that enables users to participate and distribute digital artworks, described in the work by Mar Vidal Segura called “User experience design and front end development of an online auction website” [4]. This thesis is based around the earlier art practice and research of Vygandas Simbelis, called “Humanizing Technology Through Post-Digital Art” [5], and the work done by the Art Value team. The major concept of the project is to develop and build a platform for digital art to be generated, distributed, and traded online. Blockchain technology was chosen for this platform to provide and prove the authenticity and uniqueness of digital artworks. The goal is to provide the first two implementations of a smart contract that can solve the synchronization issue inside the platform, and offer a solution to prevent all possible risks. The exclusive goal of the risk section is to facilitate compliance that can protect the platform from the occurrence of low to high severity-level issues and attacks by hackers, as well as mitigate the business perspective of losing customers due to poor user experience.

² http://www.simbelis.com

1.4 Methodology / Methods

The methodology applied in this research takes a quantitative approach, whereby data are collected taking into account social impacts, phenomena and facts. Data collection will be performed with the use of measurable metrics, which include time-efficiency and cost-efficiency. Data are brought together in Chapter 4 before performing analysis in Chapter 5. An additional methodology used in research on risk analysis is the probability and consequences risk analytic method, applied to identify the ranking of risks and subsequently determine the solutions for specific problems. Using the probability and consequences risk model, which is based on real-world scenarios, to identify risk according to severity level (rank) or score (as represented in this research) makes it straightforward to prioritize issues and solve them one by one. In this way, the platform can be secured before and after launching on the market. In addition, for risk analysis a plot of the probability impact will be produced based on risk events. This method enables the severity of cases to be scored.

1.4.1 Scope

This thesis intends to explore and evaluate existing solutions in relation to Blockchain and smart contracts, in order to compare and improve functionality for future development, with a focus on the digital online auction. As the first problem we identify the synchronization and completion time (i.e. waiting time) between each transaction and user. The scope of this thesis is to evaluate and implement a testing environment for the Dapp platform ‘Art Value App’³, which is a concept from a start-up project in KTH Innovation batch 9⁴. The product is built to generate an artwork through the unique generative online auction [4], allowing users to participate in an auction by generating the artworks. The potential risks are time constraints and technical issues occurring during the process. In the best-case scenario we will need to exceed the time in order to finish the prototype; in the worst case we will need to discard some of the lowest-priority tasks. For the purposes of data collection, we will conduct an anonymous survey to confirm the identified problem on the Blockchain application market. We will not collect sensitive data or force participants to take the survey without their permission. This thesis will provide an online survey for gathering data in order to run the analysis. In this case, the survey will not collect personal data of the participants, which would infringe GDPR rules⁵ and their privacy.

³ http://simbelis.com/media-art-projects/art-value
⁴ https://www.kth.se/innovation/nyheter/fran-positioneringsteknik-till-blockchain-for-konst-kth-innovation-valkomnar-batch-9-1.888033
⁵ https://www.citdigital.com/2018/01/gdpr-digital-assets/

1.5 Ethics and Sustainability

There are ethical concerns surrounding Blockchain and the business perspective, usually associated with information security and privacy, as Blockchain provides open access to huge volumes of data and smart contracts. Since Ethereum is a public Blockchain, which means it is publicly open, none of the data stored therein should be sensitive, such as personal data or data that allows identification of buyer and seller. Personal information leakage may occur, the prevention of which is considered to be a cyber security issue. The best solution is to provide compliance to all parties and make this a high priority for everyone involved.

Sustainability is one of the greatest concerns when developing an application from the business perspective. Currently, many applications aim to reduce the cost of buying a cloud database or implementing the database within the organization. Therefore, they are migrating from centralized databases to decentralized databases. Blockchain technology then provides the solution, as it is a decentralized database that is open and uses no physical hardware for storage. As a result, it can increase sustainability in terms of being environmentally friendly and reducing the amount of carbon produced by an organization. Moreover, in order to maintain the business position, sustainability also needs to be considered in business models.

1.6 Delimitations

Blockchain is an ambiguous and innovative topic, which means that it encounters many barriers and impacts. For example, there are many issues regarding the limitation of resources. Many resources are not provided or are incompletely developed. According to Coinmarketcap in 2019, the market capitalization of Bitcoin has increased to be around $152 billion higher than the 2017 market capitalization. Meanwhile, Ethereum reaches around $28 billion, which positions it in second place on the cryptocurrency market. This capitalization is continuing to increase rapidly. Therefore, this thesis is only able to cover the trends occurring from 2019 through the past data of Ethereum, since this thesis is focussed on Ethereum Blockchain. Data and information relating to research about Ethereum are more widespread than for other protocols. As most of the development resources are open-source and development is still ongoing, some may not be working properly, so alternative perspectives and solutions can be considered.

The programming language Solidity is used to create smart contracts in Ethereum. It is still in the development process, because the number of Blockchain developers exceeds supply on the market. As a result, some features may not function properly. Many tutorial resources are available, but they might have been developed using an old version. When a new version is released there may be some changes in the code, in which case the code should be adjusted accordingly. This thesis uses Solidity version 0.5. However, future versions may feature significant changes in the code structure; this was the case during the update from version 4.0 to 5.0, and the code used in the older version may not be possible to compile due to adjustments in terms of functions.

Lastly, the completion of the platform might be another limitation of this research, in addition to the fact that this research mainly focusses on Blockchain implementation and testing with frameworks such as Truffle and Remix. This thesis mostly uses Remix because it is more convenient than Truffle. The limited time available for this research impacts the use of case studies for testing.

1.7 Outline (Disposition)

This thesis presents the details of Blockchain technology and smart contracts in Chapter 2: Blockchain Technology and Cryptocurrency, including the consensus algorithm, state-of-the-art and challenges. Chapter 3 discusses the methodology and hypothesis of this research. The hypothesis is developed from the start-up, Art Value, for which we want to implement the best solution. Chapter 4 focuses on data collection and research findings by presenting the data collected through the survey, interviews from live events and test experiments. It also explores the platform architecture and the implementation of the case study for the hypothesis. The last section concerns the risk analysis and privacy issues for the platform. Chapter 5 presents results and discussion based on the results of Chapter 4. The last chapter concludes the thesis and discusses further work, as well as future trends of Blockchain and smart contracts.

Chapter 2 Blockchain Technology and Cryptocurrency

Blockchain technology and cryptocurrency have become ubiquitous topics in many industries since 2008, when Satoshi Nakamoto, the inventor of Bitcoin (BTC), the first, best-known and one of the most popular cryptocurrencies, released his first proposal. Bitcoin was created using the concept of Blockchain, which migrated from the hash chain concept that offers repeated encryption in cryptography [6]. After Satoshi published his open-source Bitcoin code online, many developers learned and developed several protocols to establish new or alternative coins. This initiated the market, as the coins introduced to the market were fungible tokens. Several years of Blockchain development, through generations 1.0 to 3.0, have progressed to the creation of many applications. The original Bitcoin protocol evolved to Ethereum in the second generation. The third generation reacted to and solved the problems of the first and second generations [7][8].

During the first generation of the Blockchain (Blockchain 1.0), the goals were to establish the concept and identify the benefits of decentralization, anonymity, disintermediation, and censorship resilience in the financial industry, as noted by the paper ‘personal data protection through a decentralized framework’. Furthermore, the technical concept in the paper ‘Bitcoin: A Peer-to-Peer Electronic Cash System’ provides a simplified distributed ledger that is limited to the specific purpose of solving the problem of double-spending transactions without any intermediate institution, third party or trusted authority. This issue causes inconvenience and complications for the many parties involved, so the aim is to reduce costs by introducing Blockchain technology and keeping track of all transactions publicly.

A few years after the emergence of Blockchain 1.0, Blockchain 2.0 developed the concept of the smart contract, which is its key aspect. Instead of limiting Blockchain to public storage for transactions, this allows execution of generic programmable Blockchain code, which runs with the conditions stated in the smart contract [7]. Therefore, many developers and entrepreneurs have taken this concept and created a new platform running simultaneously. This evolved into Blockchain 3.0, when Dapps became popular and more attractive in the business world. A Dapp is basically distributed across a P2P network and is independent from a centralized server. As a result, it can save server capacity and increase data security, depending on platform models, and their design and implementation of the smart contract. The important point is that data stored in Blockchain are there forever, so developers need to consider carefully the design of which data should be stored inside Blockchain. With its evolution from 1.0 to 4.0⁶ in the near future, we may see the results of Blockchain disrupting many industries and businesses represented as platform. Blockchain still has many opportunities to improve and overcome its limitations [7].

⁶ https://medium.com/@UnibrightIO/blockchain-evolution-from-1-0-to-4-0-3fbdbccfc666 (visited on 02/06/2019)

2.1 Blockchain technology

Blockchain is a digital distributed ledger or public network database that everyone can investigate. Blockchain is also known as a P2P network that records transactions as decided by the members inside the network. The records from Blockchain are secured by cryptographic hashes and assembled into a set of data called a ‘block’. A hash chain is a repetitive cryptographic method in which the hash of n+1 contains the hash from n. This creates a chain between hashes, in this case in the form of blocks. Therefore, Blockchain is considered to be secure and robust, dependent on the consensus protocol. Each block in the Blockchain can be inspected by anyone [9]. The inside of a Blockchain can be managed with different consensus protocols or algorithms, which are discussed in the following sections.

2.1.1 Major impact on Blockchain

After Ethereum announced two standards, ERC-20 and ERC-721, many Blockchain developers proposed the idea to sell or exchange crypto tokens with the help of smart contracts, and to create their own tokens based on the Ethereum network. Dapp technology has advanced rapidly in the past couple of years. According to DappRadar⁷, 2,555 Dapps have been launched onto the market, and 11,775 smart contracts have been implemented. With these changes to the online market, people can securely buy or sell digital assets online with the use of smart contracts. Many people are curious about digital products that are intangible and abstract; since the assets are generated online, they cannot be touched or chosen as when buying goods in a grocery store. The answer to the question of why people are willing to buy digital products is that they believe in the value of the product. This is similar to believing in the price of branded products, such as a Louis Vuitton bag that can cost $2,000, or even expensive personal products such as face serum, hand cream or perfume. Accordingly, Blockchain technology causes people to demand a shift from physical assets to digital assets.

⁷ https://dappradar.com/

2.2 Consensus protocols and standards

This section briefly discusses the consensus protocols that are involved in many blockchains and cryptocurrencies, as well as Altcoin, an alternative coin that can be involved in this project.

2.2.1 Protocols

The Blockchain protocol includes many algorithms that are used to verify the network. The best-known or most-used protocols are:

1. Proof of Work (PoW): The first Blockchain algorithm to be used in the Bitcoin system. It provides a strategy to prove or verify transactions with a consensus inside the Blockchain network. Many studies state that decentralized application transactions need to be verified by randomly selected nodes, which are prone to attackers who wish to intrude on the network. Therefore, a node that wishes to be part of the network must do a lot of work to prove itself, which means that it needs to perform the computation of hash values and block headers by changing the nonce inside the block header until it is greater or equal to the specific value. The specific value comes from the agreement inside the network, and the result is then broadcast to other nodes in the network to validate the block. The node is known as the miner, and the process is known as mining. The downside is that this costs a lot of computational power, in addition to resources and electricity, and is vulnerable to attack. Overall, it can cause wasted resources and is vulnerable to selfish mining attacks [10][11].
2. Proof of Stake (PoS): This is an alternative to PoW that reduces energy consumption. Instead of randomly selecting the node to create a new transaction block, it randomly selects from the account balance, depending on how wealthy each node is. This algorithm is based on the belief that users who have a lot of money are unlikely to attack the network, since losing money in the system by attacking the network will result in a higher risk for them too. This makes PoS seem more secure than PoW, which randomly selects from anyone in the network [12]. The cost is nearly zero, but the chance of being attacked also comes as a consequence; before protocols adopt PoS, most of them start with the use of PoW to create the network. One example is Ethereum, which moves from Ethash, which uses PoW, to Casper, which uses PoS – so if the attacker has already done a lot of work in Ethash, upon migrating to Casper they are already in the top priority list of nodes with a greater chance of being selected [10].
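The hash chain of Section 2.1 and the Proof of Work nonce search of item 1, as an added Python example that is not code from the thesis: each block commits to its predecessor's hash, and `first_invalid` reports where verification fails after a record is edited and after that one block alone is mined again. The block fields, the 12-bit difficulty and the sample records are assumptions, and the threshold test uses the leading-zero-bits form from the Bitcoin paper.

```python
import copy
import hashlib
import json
from typing import List, Optional

DIFFICULTY_BITS = 12          # assumed difficulty: leading zero bits required
GENESIS_PREV = "0" * 64       # placeholder predecessor for the first block


def block_hash(block: dict) -> str:
    """SHA-256 over the header fields, which include the previous block's hash."""
    header = {k: block[k] for k in ("index", "prev_hash", "data", "nonce")}
    return hashlib.sha256(json.dumps(header, sort_keys=True).encode()).hexdigest()


def meets_target(digest: str, bits: int = DIFFICULTY_BITS) -> bool:
    """True when the 256-bit digest starts with at least `bits` zero bits."""
    return int(digest, 16) >> (256 - bits) == 0


def mine(index: int, prev_hash: str, data: str, bits: int = DIFFICULTY_BITS) -> dict:
    """Proof of Work: change the nonce until the header hash meets the target."""
    block = {"index": index, "prev_hash": prev_hash, "data": data, "nonce": 0}
    while not meets_target(block_hash(block), bits):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


def build_chain(records: List[str], bits: int = DIFFICULTY_BITS) -> List[dict]:
    """Mine one block per record, each linked to the hash of the block before it."""
    chain, prev = [], GENESIS_PREV
    for index, data in enumerate(records):
        block = mine(index, prev, data, bits)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid(chain: List[dict], bits: int = DIFFICULTY_BITS) -> Optional[int]:
    """Position of the first block that fails verification, or None if intact."""
    prev = GENESIS_PREV
    for position, block in enumerate(chain):
        digest = block_hash(block)
        linked = block["prev_hash"] == prev
        sealed = block["hash"] == digest and meets_target(digest, bits)
        if not (linked and sealed):
            return position
        prev = block["hash"]
    return None


def demo():
    records = ["lot 1: bid 50", "lot 1: bid 70", "lot 1: closed"]  # constructed
    chain = build_chain(records)
    intact = first_invalid(chain)

    edited = copy.deepcopy(chain)
    edited[1]["data"] = "lot 1: bid 7"     # record changed, stored hash left alone
    after_edit = first_invalid(edited)

    # Redoing the work for block 1 alone repairs that block but breaks the link
    # from block 2, so every later block would have to be mined again as well.
    edited[1] = mine(1, edited[1]["prev_hash"], edited[1]["data"])
    after_remine = first_invalid(edited)
    return intact, after_edit, after_remine


if __name__ == "__main__":
    print(demo())
```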

2.2.2 Standards

In Ethereum there are two standards for developers to manifest the idea of tokens: ERC-20 and ERC-721. First, ERC-20 is the fungible tokens (FTs) standard that developers can use to build a crypto token based on Ethereum, where each token has the same value as currency (USD, SEK, EUR, GBP) [13]. Second, ERC-721 is the standard used in the case study of the online auction platform, Art Value. It represents non-fungible tokens (NFTs), also known as collectable tokens [14]. The difference between FTs and NFTs regarding Blockchain technology is as follows: an FT represents cryptocurrency that may be interchangeable in currency exchange. All FTs have the same value, unlike NFTs, which have differing values.

Examples of applications that adopt the ERC-721 standard [15] are Blockchain Cuties [16], My Crypto Heroes [17], OpenSea [18] and CryptoKitties [19], which are among the best-known and most successful or popular applications on the market. The market value of all four is higher than $4k, with the highest being OpenSea at $114k. OpenSea is the largest P2P marketplace for collectible tokens from other Dapps, such as crypto-collectible cards, digital art, and other valuables. On 15 November 2019, OpenSea reached approximately 700 users, which is the highest number of users on the Blockchain marketplace. The Dapp gaming industry also experiences high growth in developing new concepts, as demonstrated by Blockchain Cuties, My Crypto Heroes and CryptoKitties. These examples use similar basic concepts of collecting and breeding creatures such as puppies and cats. In Blockchain Cuties, the user can send creatures on adventures and earn ERC-20 tokens. The market value of these applications is $9.4k for CryptoKitties and $5.4k for Blockchain Cuties. Meanwhile, My Crypto Heroes is a multiplayer RPG game that uses ERC-721 for items inside the game. It reached 3.4k users in November 2019, and has a market value of $5.2k [20].

The next section provides a brief introduction of state-of-the-art features in the Blockchain framework and protocol that are having a major impact on the cryptocurrency market.

2.3 State of the art developments/products/features

There are many solutions for developing smart contracts that are partially involved in this research, directly or indirectly. As well as producing the latest Blockchain framework, these solutions have implemented their own language for building smart contracts.

2.3.1 Ethereum

Ethereum is an open-source platform for decentralized applications that allows programmers to develop and build on top of it. It was first launched open-source for developers in 2015. According to the Ethereum website, the aim was to build a foundation for new generations of the internet. Like other Blockchain protocols, Ethereum has its own cryptocurrency, called Ether (ETH), that is positioned on the market as digital money and has the same features as Bitcoin (BTC) [21].

2.3.2 Hyperledger

Hyperledger is an open-source infrastructure for collaborative cross-industry Blockchain technologies. It is hosted by the Linux Foundation and is revolutionizing cooperation and innovation in Blockchain for business. According to Hyperledger.org, it is a collaborative software development approach that can ensure transparency, longevity, interoperability and support in advancing Blockchain technologies for commercial adaptation. The Hyperledger project consists of five main frameworks to create and distribute Blockchain and smart contracts: Sawtooth, Fabric, Iroha, Indy and Burrow [22].

2.3.3 Ripple

Ripple, or XRP, is a Blockchain protocol that provides a faster method to transfer money from one place to another with lower costs across the payment space, including for cross-border transactions. The concept behind this protocol is an attempt to replace the existing protocol for transferring money across the world, called SWIFT, that takes many days to confirm payments and requires a high commission fee. Ripple solves both problems in the existing method, as it is faster and cheaper [23]. Ripple also provides open-source technology to allow developers to integrate the system into their applications, called XRP Ledger.

2.3.4 Arcblock

Arcblock is the platform and ecosystem for building Dapps. It is like Ethereum, but its developers claim that it can solve the problems of Blockchain 2.0. The five problems that Arcblock solves are as follows [24]:
• Slow
• Not user-friendly interface
• High principle cost for building Dapp
• Limitation in scalability
• Lack of functionality

2.4 Challenges

There are many barriers in Blockchain technology, which many researchers and Blockchain protocol developers have attempted to solve. This section briefly discusses the challenges of Blockchain, namely consensus, barriers and completion time.

2.4.1 Consensus

Consensus is a main feature of Blockchain technology, but Bitcoin’s consensus mechanism is prone to attacks through the miners, which can make the network vulnerable. Consensus is the major concept behind Blockchain’s architecture, since a transaction is not verified unless the network proves that the data matches. But some vulnerability remains: destroying the structure of the network in order to prove the consensus within the network requires a lot of hashing power, and this is possible in some protocols [7][12].

2.4.2 Blockchain barriers

The existing data shows that Blockchain still has many barriers, as follows:

1.) User-friendly (time): This has been a major barrier in Blockchain technology for decades. Many applications present a complicated user interface, which means that users do not understand how it works, and consequently withdraw or leave [25].

2.) Government regulations: Since Dapps are quite new to the internet and are still under development, there is a lack of knowledge and very little government regulation to protect them, as in the case of e-commerce or online stores. This issue also varies in individual countries [26].

3.) People’s mindsets and beliefs: This is another big issue when it comes to Blockchain technology, since users do not understand the value of digital products, and some users are conservative and may not prefer to acquire digital tokens. Although some people are preparing for a digital world, the majority of people do not believe in the value of digital products.

4.) Adoption: A number of obstacles remain to bringing Blockchain into a company, especially for start-ups. As a result, not every company or industry can implement a Blockchain solution [27].

2.4.3 Completion time

Due to the issue of synchronization between Blockchain technology and the application interface, the transaction completion time represents a huge problem, as the Blockchain network size has grown extensively over time. A large amount of time is required for a transaction to traverse the miners and be verified, unless the user accepts paying a higher price on the Ethereum network. This factor depends on the structure of the algorithm behind the Blockchain protocol. For example, with Bitcoin the user needs to wait for hours to a day to receive confirmation from the network, due to the protocol procedure. This can result in a poor user experience of the application. People consider completion time or waiting time as one of the greatest barriers in Blockchain technology. This can also affect users, for example if the next auction starts without damaging the system structure or chain in the case of a problem relating to failure of completing a transaction. In this research, we consider that time varies with cost in the Ethereum network.


Chapter 3 Methodology and Hypothesis

This chapter introduces the methodology used in this research in order to collect data, which takes a quantitative approach by using an online survey. The platform is then implemented in view of the survey results, which determine the demands and dislikes of the customer.

3.1 Methodology

This part presents the methodology applied in this research, as well as the techniques used to collect data. This research is focused on a quantitative approach. All of the results produced from this approach are used to analyze the outcome and evaluation sections, in order to implement the solutions. Only the risk analysis takes the form of qualitative research, with a probability and consequences risk methodology. This method is based on the current situation, with the possibility of recurring in most of the deployed platforms. The following sections describe the methods involved in greater detail.

3.1.1 Data collected

In this research, data was collected using an online survey. A survey offers a way to examine what people think about an overall idea or concept, to test the basics of the hypothesis, and confirm the research question [28]. This research is about technology and digital art, in the form of the Art Value product. Therefore, an online survey is suitable for this research and can reach a more diverse target group than personal interviews. Additionally, this research also conducts a number of personal interviews with art collectors, most of whom prefer face-to-face communication.

Art Value organized an event for a live auction performance at Chelsea Street, New York City in November 2019. The concept for this event was to exhibit the interactive performance auction concept, which attracts audiences to be involved in a piece of artwork. At this event we also conducted some personal interviews to ask questions about the concept and gather feedback on interaction with the prototype.

Most of the questions in the online survey are about digital products, Blockchain barriers, ideas about Blockchain technology, and how knowledge about Blockchain has become widespread. In the first question after implementing the smart contract, we simulate the result by using a Blockchain integrated development environment tool called Remix, which includes functions for approximating the gas price and detail about smart contracts. This allows a large amount of data to be collected on technical and user information, which is valuable for the business model and other uses.


3.1.2 Experimental tools

For the online survey we use a platform called SurveyMonkey (footnote 8). This is an online platform that provides basic tools to conduct an anonymous survey. After publishing the survey on social media, such as Facebook (footnote 9) and Instagram, we can gather the results from all users for analysis.

For smart contracts based on the Ethereum framework, the main language is Solidity. It is still under development, so a significant change may occur between versions. For example, many functionalities changed between Solidity 4.0 and 5.0. Most of the resources that are available online are below version 5, so an improved version of the code and structure is required in order to run on version 5 and above. The possibility of change in the future is incremental. If a new version arrives, then a large amount of functionality may no longer work perfectly. In this research we use version 5.11 as the main version, but in some cases used version 5.12, which is newer but works in a similar way.

For collecting the gas price, we use a Remix framework that has a special plugin to evaluate the code and translate it into the cost involved when establishing a contract in Blockchain, which is needed for payment by both parties. Gas price varies with the code structure and the size of the smart contract, so this plugin can easily return its value to the developer in order to improve and estimate the code for business in the long run. Once the code is published to the Blockchain, it can no longer be altered.

3.1.3 Probability/consequence matrix

Many risk assessment methods are available for risk analysis. In this research we use qualitative risk analysis in order to prioritize project risk and accidents using a pre-defined rating scale. The score comes from the probability of impacts occurring on the platform [29]. The method used is a probability and consequence risk analysis [30] or a consequence and likelihood risk model [31][32]. The basic idea is to define possible risk situations that can occur with a product before and after it enters the market. In order to prevent severe situations, issues must first be identified, as well as how they happen, the likelihood of this occurring, the possible consequences, and the extent of the impact on the entire platform. This can be adjusted to the 3 × 3 matrix shown in Figure 3.1.3. This model can then be used to identify the risk level and find a solution accordingly.

8 https://www.surveymonkey.com/
9 https://www.facebook.com/

Figure 3.1.3: Consequence and likelihood risk model (footnote 10)

3.2 Hypothesis from the research question

This section describes the hypothesis of the case study, and explains the reason for the case structure chosen to run the experiment. The hypothesis encompasses the two challenges of this research.

Firstly, users usually prefer to purchase products online, because it is convenient and can reduce external costs. Online token-based products such as NFTs, which can be traded many times, can be highly profitable for many parties. This may increase over time, such as artwork in a real-time auction, and the price will also increase among participants. Many things can be sold in the art world, especially products that are limited editions, such as a Picasso artwork. This platform merges art collector and artist in order to deliver for both parties, as well as a third group that is interested in digital art products.

Regarding synchronization, the hypothesis is to use Blockchain as normal storage, so that when the auction ends it triggers a function in Blockchain to generate an artwork. Then it returns the index of the artwork back to the user, such as a receipt. This requires less effort in terms of the business perspective. However, this solution may cause runner users who do not pay for an artwork, or who refuse to pay; this situation would destroy the structure of the chain as well as the user experience.

Therefore, another hypothesis is developed for freezing the amount of auction activity, since Art Value is an online auction platform, to prevent runner situations. In this case the application essentially collects the amount that a user bids and keeps it inside the pending transaction after the auction ends. If the user does not win, the amount is released back. If they do win, the money is collected and the generated artwork is returned after the finalized auction.

10 https://exploringpossibilityspace.blogspot.com/2013/08/risk-management-out-with-old-in-with-new.html

3.3 Assessing the reliability and validity of collected data

This section describes the assessment of reliability and validity of data collection and the research process of this project.

3.3.1 Reliability

Data analysis and the discussion of results are based on surveys of real users online, and partial analysis based on major scientific publications from Google Scholar, IEEE and other sources. The reliability of the qualitative result is reported in the identification of research questions and confirmation of real-world situations. Regarding the case experiment, which considers the use of an online framework (Remix) and plugin (Gas Profile) for simulation of the cases, there are certain limitations to reproducing this for real-world deployment. However, the case study returns a 100% real-world result regarding the variation of the network. In terms of gas price on the user side, this depends on the network requirements. This research only presents approximate results from using a local network.

3.3.2 Validity

Regarding the validity of case testing, the smart contracts of both cases are tested on the Remix framework. Remix simulates the Blockchain application environment in order to prepare for establishing an application. The prototype case study focuses on reducing costs for the provider and providing solutions that can enhance user experience. The designed key scenarios are intended for evaluation, which is the best solution for real-world implementation. The validity of the experiment is ensured by using a trusted and well-known framework of Blockchain technology, including the testing framework (Remix). With this the results will have a high validity. Statistics of the collected data are calculated and analysed in Chapters 4 and 5.

Chapter 4 Data Analysis and Research Findings

This chapter presents and discusses the data collected from the online survey, personal interviews and testing. In addition to this data, we also present the privacy and risk analysis within the platform, based on real-world situations, and describe it in terms of ranks.

4.1 Data analysis

In this research, data is produced by a survey to specify the barriers of Blockchain with regards to industrial business and improvement of customer aspects. The aim is also to investigate what customers think about the platform and to gather feedback by interviewing people online.

4.1.1 Blockchain barriers

[Pie chart: The biggest challenge in digital technology (eCommerce). Belief 32%, Time / Waiting time 26%, Adoption 16%, Transparency 13%, Other 8%, Regulation 5%]

Figure 4.1.1: Survey on Blockchain barriers

This section discusses the survey regarding Blockchain barriers. The result shows the perspectives of participants, according to which belief (32%, as shown in Figure 4.1.1) has the greatest impact on digital technology, not only in Blockchain but also in eCommerce. The second most important factor is the time responsiveness of the platform, which is also encountered when using an eCommerce site. Pending transactions affect user experience, as people seek fast and reliable platforms more than good products with a slow process. Therefore, time responsiveness is also one of the greatest barriers in Dapps, according to the perspective of most online customers.


4.1.2 Participant feedback and results

[Two pie charts. Buying for gaming purpose: Yes 71%, No 29%. Buying as NFTs product: Yes 24%, No 76%]

Figure 4.1.2: Comparison of survey responses regarding willingness to buy for gaming purposes or to buy NFT products (from survey results)

In Figure 4.1.2, the left-hand chart shows that 71% of participants are willing to purchase digital products for gaming purposes. Meanwhile, as shown in the right-hand chart, 24% of participants are willing to buy NFT products as digital goods. Accordingly, this 24% and 16% are the main target customer group for this platform. Another result from the survey is the response to open questions about both types of digital product.

Feedback | Online in-game purchase of digital products | Digital products for trading purposes ONLY (NFTs)
Negative | 17 (27.42%) | 36 (58.06%)
Neutral | 16 (25.81%) | 16 (25.81%)
Positive | 29 (46.77%) | 10 (16.13%)

Table 4.1.2: Results from survey responses

The results presented in Table 4.1.2 indicate that more people have positive feedback regarding in-game products than for NFTs, as approximately 16% of participants gave positive feedback about buying NFT products.


4.2 Online NFTs auction platform design and architecture

This section explores the platform design of the Blockchain auction application for the Art Value app, or Art Value, as shown in the figure below.

Figure 4.2: Platform architecture

According to Figure 4.2, the system is separated into three main systems: front-end, back-end and Blockchain. In this architecture, different functionalities of the Art Value app online platform are represented for generating, distributing and trading artwork through live auctions. Artwork is initially represented in the form of NFTs. The front-end and Blockchain are mainly connected through the Web3.js library in order to call the function from the smart contract [33]. This architecture may change in future work, but this study focuses on this design.

The platform has three major services, which are the auction service, payment service, and other services such as the gallery, user profiles and a calendar. The auction service is divided into three types of auctions: generative, traditional and direct sale. A generative auction takes place when a user wins the auction, in which case the system generates an artwork with the winning number as an output. For example, if Mr. A wins the bid at 1345,00, he receives the number 1345,00 as an artwork that is generated via this platform, and Mr. A becomes an owner of that artwork.

4.2.1 Auction services

The auction services are separated into three auction types, as follows:

1. Generative: The product (artwork) is equal to the auction final price. According to Figure 4.2.1(a), every time the bidder bids a valid value, the auction display shows the current bid. This value comes from all participants who are interacting with the current auction. This is called an interactive performance, which allows users to be part of an artwork creation. The last person who bids (timeout) wins the auction, and the next process is to create a representative of the artwork by generating it as NFTs attached with a certificate to confirm its owner. In the worst-case scenario, the winner does not have enough money to pay for an artwork. This leads to a wasted auction and wasted time, which have an impact on gas price. This may give the platform a bad reputation, and people who want an artwork may not get it if someone wins who was not supposed to be the winner. This research provides a basic solution for this case, as well as the best-case solution, in Chapter 4.

Figure 4.2.1(a): Generative auction flowchart

2. Traditional auction: The traditional auction is developed from the concept of online auctions found on eCommerce platforms such as eBay, in which the user bids for a specific artwork, and users need to bid at a higher price than the starting or current price. According to Figure 4.2.1(b), there are similarities between the generative and traditional auction. The major difference is that the flow of an artwork is displayed in the artwork display process. Artwork displayed in this auction shows only the ongoing artwork for the auction.


Figure 4.2.1(b): Traditional auction flowchart

3. Direct sale: The user directly buys the artwork from the owner at the price that the owner sets. It offers similar buying and selling solutions.

In this way, the platform can maintain the flow of buying and selling artwork within the system cycle, by introducing more features that allow users to interact with the system in the traditional auction and direct sale. However, the generative auction is the main functionality of this platform. The process of creating and producing digital artwork within the platform is what makes it the most unique selling point of Art Value. By considering all of these factors, we can build an ecosystem around the platform.

4.2.2 Payment components

Regarding payment services, we initially use Metamask for development, which allows the user to connect the wallet and application in order to participate in an auction. Later, we want to introduce credit card and token payment systems for users with less knowledge about cryptocurrency, or crypto wallets, to enable them to enjoy the auction experiences at Art Value, as shown in Figure 4.2.2.

Figure 4.2.2: Wallet login flowchart

Metamask [34] is a browser extension for the integration of Dapp websites with Blockchain transactions or smart contracts. It provides many functionalities, such as signature encryption, personal signatures, connection to Blockchain via the Web3 library, and transfer of the transaction. It is an open-source plugin that can help developers to develop Blockchain applications (i.e. Dapps). However, it requires users to possess basic knowledge about web browsers to be able to install and set up the plugin, and it may not be compatible with mobile devices, although some users may want to access the service via a mobile device.

Accordingly, we introduce an alternative payment system called ‘Portis’. Portis was established in 2018 [35] and is quite new to the market compared to Metamask. Here, the payment system is embedded inside the platform or website, so no special knowledge is required for setup. As shown in Table 4.2.2, it has more advantages and better ease of use than Metamask. For instance, the plugins required for use with a web browser may cause some problems, for example if the device is not supported or the user does not know how to install the plugin. With Portis, credit card payments would be easier to implement, since the functionality for this is provided. This allows easier use and interaction for users. The target customer group of Art Value is artists and art collectors, according to the personal interviews and surveys, who do not have a lot of knowledge about web browsers and how to install plugins. Therefore, the service should make it as easy as possible for them to understand and use it.

Meanwhile, the disadvantages of Portis lie in the developer environment. Because it is new and has fewer resources available online, it is much harder for developers to understand all of its functionalities, but the development process may allow it to have other features in the future.

Wallet | Advantage | Disadvantage
Metamask | 1) Documentation available 2) Many resources available 3) Well known | 1) Development issues 2) Extension required 3) Not supported by all browsers 4) Unstable 5) Requires users to have knowledge about extensions
Portis | 1) Embedded on platform 2) No need to install an extension for use 3) Users not required to have knowledge about extensions | 1) New 2) Few resources

Table 4.2.2: Comparison of crypto wallets

From the token perspective, the concept of Art Value is an NFT-based project. Each artwork represents one token. Tokens in regular payment systems, by contrast, follow the Blockchain ERC-20 standard, which is for FTs. FTs are the basic concept of the cryptocurrencies or digital currencies that are currently available in the exchange market [36]. This can be implemented later as one of the currencies used in the platform. In the future, users can use these currencies to buy and spend on an artwork or to participate in an auction inside the platform. The advantage of this solution is that it avoids complexity during the auction, thus avoiding the need to redirect to another payment portal after an auction, which may cause some latency in the auction or the inability of the winner to complete the transaction in any other situation (i.e. insufficient money) [37].

4.2.3 Server component (back-end database)

This component is responsible for handling data storage, which stores basic details such as live auction history, numbers, user profiles and so on. It uses NodeJS to implement a real-time system for a live auction, in order to view the flow of information of all participants bidding in an auction. There are future plans to include physical addresses, so that the artist can send an actual artwork to the new owner. Therefore, they need a system that is able to hold some basic information in another secure form, not publicly. This will be discussed further in Chapter 5.

4.2.4 Blockchain component

The Blockchain component handles the data chain or transaction by developing smart contracts to create and store open information resulting from the auction, such as the winner (i.e. owner), artworks, unique key elements, and so on. Hence, the Blockchain component is similar to the server component due to its data storage function. Regarding security, Blockchain is secure as it prevents people from altering details. However, this can represent a higher risk if someone wishes to publicly inspect the details that are stored inside, which can cause a privacy issue. This is the unique point of Blockchain: storing data publicly means that there are a lot of witnesses who can verify information which cannot be altered. From the privacy perspective, if smart contracts are not implemented correctly or securely, this will cause huge problems concerning data privacy. This is discussed further in Chapter 5.

Blockchain responsiveness result in this research. The system needs to be able to open another auction within the day or a specified time. Therefore, with the assumption of time responsiveness, the system can expect the auction to run each day without any problems with Blockchain, as discussed further in the next chapter.

4.3 Blockchain Synchronization

In Blockchain, synchronization is always a big issue due to the significant extent of connection of the network. Some protocols may require an agreement to stay inside the network [38], which is open publicly to everyone. Each of the networks has created its own policy in order to obtain a consensus verification for each transaction, which can be an issue for the completion time or delay. It can take up to a couple of days to confirm a transaction, due to the enormous size of the request propagation in the Blockchain network. In this research we evaluate solutions intended to create an improved situation for establishing the auction with the best possible time and experience for an online auction with smart contracts. The front-end and Blockchain have a considerable impact on synchronization, in order to satisfy user experience and prevent the possible failure of auction transactions.

4.3.1 Problem statement

Figure 4.3.1: Auction end flow

Auctions experience issues relating to time synchronization between when the auction ends and when the user receives the tokens. So, when the user receives a token, a notification is sent to the front-end, as shown in Figure 4.3.1. This means that the process is complete and the next auction can be initiated. If the transaction fails or encounters issues, the next auction cannot be opened immediately. Therefore, it is necessary to consider the optimal timing in order to avoid any issues that might occur during the process. The main questions to be solved in this chapter are as follows:

1) How quickly should the smart contract be created, according to the gas price, in order to establish a new auction in a safe and secure transaction for users?

2) Which solution or communication design is the best way to implement at the lowest cost or precise cost?

4.3.2 Communication design

This section is divided into two designs. The first one is the normal transaction, in which money is transferred after the auction ends, followed by a wait for verification. The second is the freezing method, which freezes the amount while the auction is in progress. This guarantees that users cannot make a false bid. The communication between Blockchain and the front-end is the most important part of the platform. This paper focusses on the communication between both sectors, mainly in acquiring the product. The purpose of the design is to reduce costs as far as possible, according to the best scenario obtained from research regarding the time of transaction according to the gas price in the Ethereum network. Thus, this part is separated into two cases.

4.3.3 Case 1: Traditional transaction

The concept of a traditional transaction is to transfer the money of the winner only once after the auction ends, by asking for the payment via a third-party wallet. This is done by triggering the function to create an artwork in a smart contract when the winner has been announced. The procedure to execute the function requires the execution cost, gas price and artwork price from the winner’s account. In this case, money was not collected from users who bid in the auction at the beginning, because the smart contract or platform did not create the function to handle the money from all participants. It only checks the money from participants and then verifies the input from the front-end system. In order to create the artwork, it is necessary to convert between the string value and byte value. Implementing the functions ‘getBytes’ and ‘stringToBytes’ produces the encryption function for the artwork.

Figure 4.2.1.a: Remix transaction record

The Case 1 smart contract communicates either to create an artwork from an auction with the ‘createAuction’ function, or to retrieve an artwork from Blockchain storage with ‘getArt’ or ‘getAllArt’. In order to interact with the smart contract, we need to initiate the Application Binary Interface (ABI) definition from the smart contract. Remix Ethereum makes it far easier to obtain the ABI code, as shown in Figure 4.2.1. It provides an export environment function to use in another environment with the Web3 library, by saving the JSON file recorded from the transaction. Remix then generates the JSON application program interface (API) file for connecting to the smart contract to create a transaction. Other than Remix, Truffle is also suitable for providing the API files after compiling the contract. Remix is much easier to use because it is a web platform, while Truffle is software that needs to be installed on the local machine.

Code excerpt 1: Case 1 is a basic auction that only creates and stores artworks

4.3.4 Case 2: Freezing amount

The second case is designed to solve the problems of case 1 by introducing a freezing amount function and improving the auction experience. It collects the money when users bid amounts into the system. If someone else outbids, the system releases the amount back to the owner after the finalized auction trigger. The advantage of this method is that it prevents runner users, meaning users who do not pay after the auction ends. This guarantees that an auction will not be invalid after the performance. In the Art Value live performance, this problem was experienced after the auction ended, when the winner refused to pay the amount they agreed during the auction and left the auction room. This was not fair for the other participants and the artist who provided the artwork in that event. Therefore, this case aims to find a solution to such an issue. Even though it took place in real-world testing, there is a high possibility of it happening again in the cyber world, where it will be much easier to do. To this end, we designed functions called ‘placeBid’ and ‘finalizeAuction’, which are the major differences between the two cases, since the previous case has a different perspective on the auction. This case offers an improved online auction, with the concept taken from online Dapp auctions [39][40]. We believe that this might be highly beneficial for improving the system.

Code Excerpt 2.1: notOwner and placeBid functions in Case2

The ‘placeBid’ function enables the user to bid an amount in an auction. Once the bid is placed, the system makes the transaction from the user in order to freeze that amount in the system. With this structure of placing and finalizing bids, an auction can improve the contract. This offers a good way to run an actual auction with smart contracts, although the total cost may be far higher than for Case 1 if the platform owner is the person who is responsible for the gas price.

Code Excerpt 2.2: finalizeAuction function for Case 2

Meanwhile, ‘finalizeAuction’ is the function that finalizes the result from an auction, regarding whether to collect, keep or return the money to its original owner.

The downside of the solution is the processing time and gas price, which may be inefficient in real-time performance if a large number of participants are included in the auction.

4.4 Data privacy policy

The second question concerns the internal privacy policy of Dapps, that is, Blockchain applications. According to the idea of a public ledger in Blockchain, the entirety of a smart contract is saved inside Blockchain forever and nobody can alter it. Before the platform launches, it is necessary to consider GDPR and the privacy policy [42] to ensure that the user can trust the company (platform), and from the vendor point of view that the owner can protect the system from being compromised. An agreement provides compliance terms for all parties to follow, and guarantees that the platform and users will not be actively harmful to the system. However, the user should not feel at a disadvantage after agreeing to use the system; otherwise this will impact brand loyalty and may have other consequences in the future.

4.4.1 Problem statement

Privacy is a major consideration for users and providers of Dapps. Due to Blockchain technology, everything is available in a public network for anyone to see. Since the data published in a smart contract includes the contract itself, this is also publicly available forever inside the Blockchain network, and nobody can alter it. Therefore, the strategy of providers should be considered carefully, alongside GDPR policy and standard policy. It is also possible to encounter unforeseen risks. Consequently, normal risk analysis and potential weak points are also very important when considering privacy. This raises the question of which strategy to implement for the system to provide and protect user privacy and the platform product.

4.4.2 Data protection agreement

The Art Value platform is considered a digital marketplace, so it is required to have an agreement between both parties. Thus, the strategy of the provider needs to be considered carefully alongside GDPR policy [43] and standard policy. According to termfeed.com [44], for a website it is important to provide an agreement to inform users about the rules, but this is not required by any law. For eCommerce stores, a privacy policy is a requirement for doing business. The terms and conditions are extremely important, as they legally protect the eCommerce platform, and customers need to follow the set of rules made by the platform owner. Therefore, this not only protects the platform owner, but can also protect the users. For this platform, two sets of documents are therefore available to secure the data and the system. We used an open-source website called termly.io [45] to generate the basic document structure, and adapted the rules according to the platform needs. From the perspective of Art Value, data protection first needs to be achieved from the user side. Users must not provide any sensitive data to the system, because Blockchain technology makes it publicly available. So, we need to guarantee that no sensitive data is added to the smart contract. Second, as future features will deliver artwork to users, it may be necessary to consider another way of delivering it rather than using normal post. This needs to be approached in future work, as it is outside the scope of this thesis.

Art Value has a signup feature for users to provide their usernames, and a profile dashboard which displays all of the artwork that belongs to them. In this case we need to ensure that the user understands that sensitive data, such as their full name, can be linked back to the , which can be used to map their username in the platform database. If the database were compromised, this would represent a significant issue with respect to the mapping data. Even though data in the database would be encrypted, there is a 50% chance that this data could be hacked by an attacker [46][47].

4.5 Risk analysis

The risk analysis will be based on a qualitative method for defined risk [48]. The focus is on identifying the risks and finding solutions. Before the platform launches on the market, a risk model should be considered to protect the system and forecast future perspectives of risk that have a chance of occurring. This section discusses possible risks that may occur once the platform is on the market.

| Possible Risk | Consequence | Likelihood | Result |
|---|---|---|---|
| 1) Database compromised | High | High | 9 |
| 2) Server down | High | High | 9 |
| 3) User provides sensitive data | High | Medium | 6 |
| 4) Data misuse | High | Low | 3 |
| 5) Platform not functional | Medium | Low | 2 |
| 6) Smart contract leakage | High | Medium | 6 |
| 7) Register form compromised | Medium | Medium | 4 |
| 8) Agreement term incomplete | Low | Low | 1 |
| 9) Digital product duplicated | Low | High | 3 |
| 10) Loss of customers/users | Medium | High | 6 |

Table 4.5.1: Possible risk situations

Table 4.5.1 lists all possible risks that could occur when the platform launches. Possible consequences impacting the system are then rated from low (0) to high (3), as well as the likelihood, that is, the possibility that the risk will occur.

Figure 4.5.1: Probability consequence risk model

By mapping all cases of risk as shown in Figure 4.5.1, we can calculate the result from $\text{risk} = \text{consequence} \times \text{likelihood}$. Each block in Table 4.5.1 represents different values and maps to the risk formula. We can then rank each risk case as shown in Table 4.5.2.

| Rank | Risk |
|---|---|
| 1 | Database compromised |
| 2 | Server down |
| 3 | User provides sensitive data |
| 4 | Smart contract leakage |
| 5 | Loss of customers/users |
| 6 | Register form compromised |
| 7 | Data misuse |
| 8 | Digital product duplicated |
| 9 | Platform not functional |
| 10 | Agreement term incomplete |

Table 4.5.2: Possible risk ranking

Ranks 1 and 2 pose the riskiest situations for the platform and have the highest chance of happening. Both have a high possibility of taking place on the platform, website and application, which require internet access to the server or database. For this reason, these situations are ranked highest in the risk analysis. They have similar characteristics, and both affect the back-end system. Once the database is compromised, this can be a major cause of the server going down (or server failure). However, this can be caused by many things, from physical hardware to external action (such as malware or a virus) [49], and has harmful consequences for the business in terms of its brand image and brand reputation.

Rank 3: this issue arises when the user accidentally supplies their own data, or sensitive data, such as their real name, that can be traced back to a real person. This risk is considered to have high consequences, because the main idea of this platform is to retain the anonymity of the user. Providing this type of information will also break the promises and anonymity of the provider.

Rank 4: in this case the smart contract is used for storing artwork by its owner (i.e. the one who generated it) and subsequently for trading. Therefore, problems arise if contracts provide some variable or function that saves unnecessary information, such as a name, that makes it possible to map a wallet ID (wallet address) to a username, for example. This can be very dangerous, as a wallet ID can be mapped back to a real user, which provides no privacy to the owner of the wallet.

Rank 5: from a business perspective it is important to maintain customers, in this case, users. Blockchain applications may require basic knowledge about internet browsers, in order to install plugin extensions (Metamask) or to complete the online transaction procedure. Due to this complexity, the user may withdraw their interest in the platform.

Rank 6: it is easy to suffer from a malware trap or social engineering attack on a website. For example, most bank applications suffer from email phishing or fake links that redirect to the attacker site and intercept the information provided by the user. This has a medium possibility of occurring.

Rank 7: this is an issue when a platform owner or team member makes use of user data in the wrong situation. This explains the need for an agreement and policy to protect users, as well as protecting the provider in many cases.

Rank 8: digital product duplication has a high likelihood of occurring, since Blockchain smart contracts are open-source and many existing competitors are available, such as CryptoKitties [19], Snark.art [50] and Larva Labs [51]. Therefore, there is a high possibility of suffering from duplication. The impact is low, since if someone else is doing a similar thing but does not copy a platform 100%, it will lose customers and revenue.

Rank 9 and 10: if a website is not functional or does not work properly, this can result in a poor user experience and the loss of customers. According to postfunnel.com [52], 60% of customers have suffered from very bad service or experience and are unlikely to return. Another point is the ease of use of a platform; if the platform is too complicated for the target customer, in this case artists, they may not understand how the platform works or how to use it. This issue may also result in losing customers.

Chapter 5 Results and Discussion

This chapter discusses the two research questions concerning synchronization and privacy, based on the testing and analysis from Chapter 4. The first section presents the results and discusses ideas arising from the experiment, as well as data gathering conducted for this study.

5.1 Testing results

After creating the smart contracts for both cases, the test simulation was conducted online through the Remix framework. The test was performed by simulating an auction with Remix and using the plugin ‘Gas Profiler’ to compute the gas price (in Gwei) for every interaction occurring with the smart contracts.

| Contract | Action | Trans Cost | Exec Cost |
|---|---|---|---|
| Case 1 | Open | 773383 | 541375 |
| Case 2 | Open | 614016 | 404200 |
| Case 2 | Close | 22705 | 16433 |
| Case 2 | Total | 636721 | 420633 |

Table 5.1.1: Open and close smart contract costs

During the test, we first calculated the cost of deploying the contract. The results revealed that the two cases return different prices. This means that the code structure is highly important for the price. According to Table 5.1.1, case 1 has less code, but its gas price is higher than that of case 2, which has more code. The amount of code matters less than its structure: the case 1 smart contract declares many variables that use memory to store data and uses ‘Bytes’ as the data type, which costs a lot of gas to execute and causes a higher gas price. It also has more strings than case 2, which also brings a very high cost even though it has a function to convert strings to bytes and bytes to strings. Hence, the choice of data type also affects the gas price [41]. For Case 1, according to Table 5.1.2, the cost fluctuates depending on the auction. The results capture the cost after the artwork is generated. Case 1 costs fluctuate widely, since every time an artwork is generated the cost increases, and if the creator address is not the same the cost sequence begins again at the rate of 85,994 for transaction cost and 64,722 for execution cost. During testing we created 23 artworks with different wallets.

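| Auction | Trans Cost | Exec Cost | Wallet |
|---|---|---|---|
| 1 | 114037 | 92125 | w1 |
| 2 | 88503 | 66591 | w1 |
| 3 | 92969 | 71057 | w1 |
| 4 | 97435 | 75523 | w1 |
| 5 | 101901 | 79989 | w1 |
| 6 | 92969 | 71057 | w2 |
| 7 | 88503 | 66591 | w2 |
| 8 | 92969 | 71057 | w2 |
| 9 | 97435 | 75523 | w2 |
| 10 | 101901 | 79989 | w2 |
| 11 | 106367 | 84455 | w1 |
| 12 | 110833 | 88921 | w1 |
| 13 | 115299 | 93387 | w1 |
| 14 | 119765 | 97853 | w1 |
| 15 | 128697 | 106785 | w1 |
| 16 | 128697 | 106785 | w2 |
| 17 | 133163 | 111251 | w2 |
| 18 | 137629 | 115717 | w2 |
| 19 | 92969 | 71057 | w3 |
| 20 | 97435 | 75523 | w3 |
| 21 | 101901 | 79989 | w3 |
| 22 | 106367 | 84455 | w3 |
| 23 | 110833 | 88921 | w3 |
| Min | 88503 | 66591 | |
| Max | 137629 | 115717 | |
| Avg | 106894.6522 | 84982.65217 | |

Table 5.1.2: Case 1 cost result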

For Case 2, the test took place in one auction and the total price is more than in case 1. The cost before the ‘finalizeAuction’ trigger follows a pattern that is divided into three formats: start wallet, update bid and different wallet; this is only the case for successful bidders. For unsuccessful bidders this can be divided into two formats, owner error and invalid amount, as shown in Table 5.1.4. When the error occurs, the price is static. Upon testing multiple times, the result returned the same price, which creates the same pattern. As a result, the price in this scenario is static at the rate of 22,330 transaction cost for the owner bid, and 24,927 for invalid input.

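| No. | Trans Cost | Exec Cost | Wallet |
|---|---|---|---|
| 1 | 85994 | 64722 | w1 |
| 2 | 36794 | 15522 | w1 |
| 3 | 36794 | 15522 | w1 |
| 4 | 36794 | 15522 | w1 |
| 5 | 36794 | 15522 | w1 |
| 6 | 55994 | 34722 | w2 |
| 7 | 36794 | 15522 | w2 |
| 8 | 40994 | 19722 | w1 |
| 9 | 40994 | 19722 | w2 |
| 10 | 40994 | 19722 | w1 |
| 11 | 55994 | 34722 | w3 |
| 12 | 36794 | 15522 | w3 |
| 13 | 40994 | 19722 | w1 |
| 14 | 40994 | 19722 | w2 |
| 15 | 36794 | 15522 | w2 |
| Total | 660510 | 341430 | - |

Legend (row colours in the original table): Introduce wallet, Update bids, Different wallet

Table 5.1.3: Case 2 cost result experiment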

| Error | Trans Cost | Exec Cost |
|---|---|---|
| Owner bid | 22330 | 1058 |
| Invalids | 24927 | 3655 |

Table 5.1.4: Error costs for case 2

Figure 5.1.2 (a): Bid forecast on Case 2 [chart ‘Forecast cost for Case2’; series: Trans Cost, Exec Cost]

The price is obtained from Table 5.1.3, where the colour green indicates the minimum cost of 36,794 and 15,522, and each forecast round adds this amount. The predicted result then increases linearly, as shown in Figure 5.1.2 (a). The cost can be higher depending on other circumstances, such as different participants being involved.

Figure 5.1.2 (b): Auction forecast price on Case 2 [chart ‘Forecast cost varying to participates for Case2’; series: Trans Cost, Exec Cost]

Another possible situation for minimum costs is an auction process involving other participants (wallets). Here we need to add the cost for updating the wallet and the wallet switching cost, as shown in Table 5.1.3 and Figure 5.1.2 (b). Therefore, if the number of participants increases, the cost varies according to the amount of interaction between wallet owners. Another assumption is to allow only the wallet of the platform owner to run in the smart contract for creating an artwork, so that the outcome of later actions, such as trading or another auction, can be handled by the customer. If the platform owner wants to store the interaction record of an auction, the best way is to store it in a database, which does not incur any gas price for storing the transaction.
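The per-bid pattern in Table 5.1.3 and the forecasts in Figure 5.1.2 can be reproduced from the wallet sequence alone. The following is an added example, not code from the thesis; the four-way bid classification and all function names are assumptions inferred from the rows of Tables 5.1.3 and 5.1.4.

```python
# Cost model for Case 2 bids, using the figures reported in Tables 5.1.3 and 5.1.4.
# Assumption (inferred from the table rows, not stated by the thesis): the cost of a
# successful bid depends only on how the bidding wallet relates to earlier bids.

# (transaction cost, execution cost) per successful bid type
BID_COSTS = {
    "first_bid":  (85994, 64722),  # very first bid of the auction
    "new_wallet": (55994, 34722),  # a wallet that has not bid before
    "switch":     (40994, 19722),  # a known wallet outbids a different wallet
    "update":     (36794, 15522),  # the same wallet raises its own bid
}

# (transaction cost, execution cost) per rejected bid, from Table 5.1.4
ERROR_COSTS = {
    "owner_bid": (22330, 1058),
    "invalid":   (24927, 3655),
}

# Wallet column of Table 5.1.3, rows 1 to 15
TABLE_5_1_3_WALLETS = [
    "w1", "w1", "w1", "w1", "w1", "w2", "w2", "w1",
    "w2", "w1", "w3", "w3", "w1", "w2", "w2",
]


def classify_bids(wallets):
    """Label each bid in a wallet sequence with its cost category."""
    seen, previous, kinds = set(), None, []
    for wallet in wallets:
        if previous is None:
            kinds.append("first_bid")
        elif wallet == previous:
            kinds.append("update")
        elif wallet not in seen:
            kinds.append("new_wallet")
        else:
            kinds.append("switch")
        seen.add(wallet)
        previous = wallet
    return kinds


def total_cost(wallets):
    """Sum (transaction, execution) cost over a sequence of successful bids."""
    kinds = classify_bids(wallets)
    return (
        sum(BID_COSTS[k][0] for k in kinds),
        sum(BID_COSTS[k][1] for k in kinds),
    )


def forecast(n_bids, n_wallets=1):
    """Forecast cost when n_wallets participants take turns for n_bids bids.

    n_wallets=1 is the minimum-cost line of Figure 5.1.2 (a); larger values
    model the participant-dependent growth discussed for Figure 5.1.2 (b).
    """
    wallets = [f"w{i % n_wallets}" for i in range(n_bids)]
    return total_cost(wallets)


def error_overhead(owner_bids=0, invalid_bids=0):
    """Extra cost caused by rejected bids, which are charged at a fixed rate."""
    return (
        owner_bids * ERROR_COSTS["owner_bid"][0] + invalid_bids * ERROR_COSTS["invalid"][0],
        owner_bids * ERROR_COSTS["owner_bid"][1] + invalid_bids * ERROR_COSTS["invalid"][1],
    )


if __name__ == "__main__":
    print("Table 5.1.3 total:", total_cost(TABLE_5_1_3_WALLETS))
    for participants in (1, 3, 10):
        print(f"60 bids, {participants} wallet(s):", forecast(60, participants))
```

Run against the wallet column of Table 5.1.3, the model reproduces the table's reported totals exactly, which supports the inferred classification.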

5.2 Gas vs time model

Synchronization in Blockchain is difficult to grasp, due to the many metrics in the network such as miners, power and gas price. In this research we focus on the gas price because the amount spent on the transaction can result in the faster or slower completion of the transaction. Furthermore, from the business perspective, all costs involved need to be calculated, as Art Value is designed to handle all of the gas price. This means that users pay only for the artwork, so the gas price gains significant importance in this scenario. If we design the platform to have a high gas price because we need to make it faster for the next auction, then the cost will be very high, and from a business viewpoint Art Value will face sunk cost. This is the largest cause of failure in many start-ups. The sunk cost in this case is the gas price that the business needs to cover, which may be equal to or higher than the price of the artwork sold in that auction. In this case, the gas price will be the invested cost and the artwork price will be the earned price. If the earned price is lower than or equal to the invested price, it becomes the sunk cost.

Regarding the time between auctions, in Ethereum it takes 15 transactions per second [53][54], according to the website Ether Gas Station [55], which indicates that the transfer time affects the gas price. The Ethereum network categorizes the transaction speed into three groups, as follows. The first is “Slow safe”, which means that the gas price is guaranteed to give a cheap and successful transaction with a very low speed of confirmation; the price comes from the lowest 5% in the network hash power. The second is “Average”, where the price is acceptable and the timing is neither fast nor too slow, approximately 5 minutes or less. Usually the wallet sets average as the default. The last is “Fastest”, which is faster than every other category and is also the most expensive. The price comes from the lowest gas price that all the top miners in the network accept, and the transactions will be confirmed by all the top pools. Finally, many websites about gas price state that paying more than the fastest price does not make transaction confirmation any faster, in any circumstances. This means that the fastest price gives the maximum speed [55][56][57][58]. Therefore, gas is very important for finishing the auction and beginning the next auction; the average time to spare between auctions is 5 to 30 minutes (average and slow safe). Importantly, the price must not be less than slow safe; if it is, the transaction can fail due to insufficient gas. Even though Art Value decides to take responsibility for all the gas price, participants who bid are required to hold a certain amount for security reasons of Blockchain itself. For example, in Metamask users are not permitted to conduct transactions with a gas price of less than 0.000021 ETH.

In terms of the user experience, this takes quite a lot of time, and if we also consider the expense, the average price might be the most suitable for all parties; users who want to pay more for speed can do so as well. The gas price obtained from the experiment in Chapter 4 is the gas consumed by the smart contracts that were created. It represents the minimum gas required, but in the real world the price can be higher, depending on other circumstances [59].

5.2.1 Strategy solutions

After the testing experiment, different pros and cons emerged in both cases. The first case is not a full auction experience with Blockchain technology, but simply acts as storage. The second case is a fully functioning auction with Blockchain that has a high possibility of greater expense than the first case, but only if a large history is involved. The strategy is to use the second case, because when trading in the future it may be easier to collect the history and to re-trade an artwork to another user, as well as to prevent runners in an auction. Case one does not provide the guarantee of payment in the same way as case two, but regarding the cost, case one will be cheaper with a high number of participants. For a low number of participants, case two would be cheaper due to the fluctuation in case two. If case one is used to cut the cost in the business model, the best solution is to introduce fees at the beginning of the auction to prevent the possibility of runner users. The risk analysis marks this as having a high possibility, which is discussed in depth in the next section about risk analysis, as there is a high probability of runners in an auction. In the experiment case 1 is more likely to create and store an artwork in Blockchain, but if the auction is unsuccessful then the platform's cost will be wasted because a runner won the auction. Introducing the fee at the beginning could resolve this problem. Case 2 implements a solution for this issue of the first case, regarding customer experience. It works more like a traditional auction, in which the money that users bid is reserved, including a correction for the amount that users acquire. Therefore, the solution depends on the needs of the platform. In this case the aim is for users to have a real crypto auction experience that is simple and secure.

5.3 Privacy and risk

From the data privacy and risk results, and from the information gathered during the meetings and interviews with testing groups, we can create an assumption of the risk scenarios that may occur during the first launch on the market. With the probability and consequences method, we can obtain rankings for 10 risks that might affect the Art Value systems. The solution provided by this research on risk is based on real-world start-up businesses and Dapps around the world. It can be used as a predictor or a way to improve the system or the business model. Many of the results affect the business area, so improving the technical perspective can not only save the business, but should also improve it.

5.3.1 Solutions

According to the analysis based on the method detailed in Chapter 5, solutions can be provided in many ways. This research considers the results based on the real world and perspectives on Art Value that were discussed in the meeting. However, some issues might not have a final result. Therefore, this section discusses each of the ranked items from Table 4.5.2.

To prevent Rank 1 and Rank 6 from happening, we need to implement the encryption method for the database and front-end interface, and not only hash the data or hash with salt. Hashing can be attacked with a rainbow table, and if access is gained to one user with a weak password it can be easy to determine the sequence of encryption, thus compromising the entire system [60][61]. The first solution for this attack is to introduce salt, which is an additional key to make the encryption result unique. It offers more complexity than the previous method. In this case the weak point is if someone can obtain the user salt or determine what the salt for the user is. This means that they can also decrypt the password out of the database. The best solution may be to provide authentication to the database, to prevent unauthorized users from accessing it [62].

Furthermore, Rank 2 concerns the prevention of server failure, which could occur when an attacker tries to perform a DDoS attack on the back-end server. This sort of attack can be prevented by first identifying the attack by computing entropy and frequency-sorted statistics, which can detect the possibility of a DDoS attack. We can then monitor incoming traffic to the platform server and analyze its characteristics [63].

The Rank 3 risk can be prevented by notifying the user not to add any sensitive data to the platform. However, it cannot be 100% guaranteed that users will comply. The backup plan is to perform encryption in the front-end interface and back-end server. This solution may reduce the possibility of sensitive data issues [64] and may also prevent Rank 6 from occurring. The problem with Rank 6 comes from the vulnerability of the interface: if somebody places a trap on the network, or installs malware on a victim’s computer, it may be compromised. The best way to prevent this is to provide encryption at the beginning.

For Rank 4, we need to make sure that we implement a secure smart contract. In this sense, only the necessary storage variables for Blockchain should be provided, since a storage variable will be saved in Blockchain forever. The first thing to consider in terms of smart contract security is to protect against overflow. Normally, Solidity has limitations on the maximum integer number. Art Value uses integers to generate artwork, so it can easily hit the maximum point. In order to prevent this, the first action is to limit the maximum input from the user. The second action is to use the library ‘SafeMath’ provided by OpenZeppelin, which is an open-source library, to wrap the arithmetic operations in the Solidity smart contract to prevent overflow [65][66]. To protect the smart contract, it is necessary to ensure that the code is implemented correctly and securely. We need to consider overflow and what variables need to be in the contract. Otherwise this issue will impact the system.

Rank 5 concerns the business aspect, which will be affected by technical problems such as a lacking or complex user interface, poor usability, and so on. To prevent this, the interface must be well designed and easy to understand. Creating a tutorial is one solution, but it may not be effective. Heuristic, experience-based design and evaluation is the best way to improve the user interface. Heuristic evaluation is used to improve usability principles in the interactive design, and it can prevent failure after release of the platform. This may also be affected by Rank 9, whereby the platform does not work properly. If the functionality of the website is enhanced, this situation can also be improved [67][68].

Rank 7, data misuse, happens a lot in the cyber world. This may be due to government policy. According to [69], several companies have misused data, such as Uber, the Minnesota police department, Facebook, AT&T, and others. Most misused data comes from employees or third-party organizations that may not be mentioned in the contract. For example, in Facebook’s situation the leakage of over 540 million records to third parties using Amazon’s cloud service caused a lot of privacy issues for almost all of Facebook’s users in its database [70]. Therefore, the impact has significant consequences. If the user data is protected, so that only authorized employees can access it, then this issue can be improved.

Rank 8 has a very high probability of occurring, because innovations and ideas cannot be protected entirely. The best way to solve this issue is to protect the design of the platform, as well as the copyright and trademarks. The product should be registered as soon as possible in order to protect the idea, which includes patenting it. Lastly, the confidentiality of all employees or team members should be ensured, since they are closely involved with this idea, and confidential relationships need to be considered [71][72].

Rank 10 is the case of an incomplete agreement. The solution is to consider agreement terms and conditions and the privacy policy before launching the platform. Regarding the GDPR, section 5.2 describes the solution. However, both documents need to be updated over time due to legal changes and computer law in different countries, if the platform needs to run globally. This is out of the scope of this thesis, which is focused on Swedish law only.
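For the Rank 1 discussion of hashing and salt, the sketch below contrasts an unsalted digest with a per-user salted, deliberately slow key-derivation function. It is an added example, not code from the thesis or the Art Value platform; the record format, function names and iteration count are assumptions.

```python
# Password storage: unsalted digest versus salted PBKDF2 (added example).
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune per deployment


def unsalted_digest(password):
    """Weak form: the same password always yields the same digest, so one
    precomputed table covers every user in the database."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Hardened form: random per-user salt plus a slow KDF.

    The salt is stored beside the hash. Its job is to make every record
    unique so precomputed tables do not apply; it is not a secret key.
    """
    salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password, record):
    """Recompute the KDF with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, derived_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(derived_hex))
    except ValueError:  # malformed record: wrong field count, bad hex, bad iteration count
        return False


def needs_rehash(record, iterations=ITERATIONS):
    """True when a record uses another scheme or a lower work factor than current policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


def shared_digest_groups(stored):
    """Audit helper: users whose stored values are identical.

    Any group found here means the storage scheme is unsalted, because
    salted records differ even for equal passwords.
    """
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


if __name__ == "__main__":
    # Constructed sample accounts; two users chose the same password.
    passwords = {"alice": "sunflower", "bob": "sunflower", "carol": "t4ble-Lamp"}
    weak = {user: unsalted_digest(pw) for user, pw in passwords.items()}
    strong = {user: hash_password(pw) for user, pw in passwords.items()}
    print("unsalted collisions:", shared_digest_groups(weak))
    print("salted collisions:  ", shared_digest_groups(strong))
    print("login check:", verify_password("sunflower", strong["alice"]))
```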
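For the Rank 2 discussion, the entropy and frequency-sorted check can be run per time window over request sources and compared against a baseline. This is an added example, not code from the thesis or from [63]; the window size, thresholds and the constructed traffic (documentation address ranges only) are assumptions.

```python
# Window-based DDoS indicator: source-address entropy plus frequency-sorted top talkers.
import math
from collections import Counter
from statistics import mean, pstdev


def shannon_entropy(counts):
    """Shannon entropy in bits of the per-source request distribution."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def frequency_sorted(counts, top=3):
    """Most active sources as (source, share of window traffic) pairs."""
    total = sum(counts.values())
    return [(src, round(c / total, 3)) for src, c in counts.most_common(top)]


def bucket(events, width=60):
    """Group (epoch_seconds, source) events into fixed windows of `width` seconds."""
    windows = {}
    for timestamp, source in events:
        windows.setdefault(timestamp // width, Counter())[source] += 1
    return sorted(windows.items())


def detect(events, width=60, baseline=5, k=3.0, min_sigma=0.05):
    """Flag windows whose entropy deviates more than k sigma from the baseline.

    The first `baseline` windows are assumed to be clean traffic. A sharp drop
    means a few sources dominate; a sharp rise means many previously unseen
    sources appeared, as with spoofed or widely distributed floods.
    """
    windows = bucket(events, width)
    reference = [shannon_entropy(counts) for _, counts in windows[:baseline]]
    mu = mean(reference)
    sigma = max(pstdev(reference), min_sigma)  # floor avoids alerts on tiny jitter
    alerts = []
    for index, counts in windows[baseline:]:
        z = (shannon_entropy(counts) - mu) / sigma
        if abs(z) > k:
            alerts.append({
                "window": index,
                "direction": "drop" if z < 0 else "rise",
                "z": round(z, 1),
                "top": frequency_sorted(counts),
            })
    return alerts


def constructed_events():
    """Constructed sample: nine one-minute windows of steady traffic from ten
    clients, a single-source flood in window 6 and many one-off sources in window 8."""
    events = []
    for w in range(9):
        for i in range(1, 11):
            for n in range((i % 3) + 2 + ((w + i) % 2)):
                events.append((w * 60 + n, f"198.51.100.{i}"))
        if w == 6:
            events += [(w * 60 + n % 60, "203.0.113.7") for n in range(400)]
        if w == 8:
            events += [(w * 60 + n % 60, f"2001:db8::{n:x}") for n in range(300)]
    return events


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

The baseline must be taken from traffic known to be clean; in production it would be refreshed on a rolling basis rather than fixed to the first windows.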

Chapter 6 Conclusions and Future work

This chapter summarizes all previous chapters, offers suggestions about the basic idea behind the platform, and identifies future work regarding different aspects and areas similar to this research.

6.1 Summary of findings

At the beginning of this research, the speed of transaction hypothesis is used to freeze the amount of auction activity, since Art Value is an online auction platform. Due to the conceptualization of the project, which is a start-up, this is an innovative idea that involves a lot of research fields. Therefore, this research aims to improve the system and gain advantages from it before launching onto the market. Although it is an innovative idea, many Blockchain developers have studied and implemented the basics of online auction systems, thus providing a baseline for improving our system. For example, with Blockchain smart contracts for the basic auction market, users can bid for a product. This is our base idea, which we improve by implementing artwork after the auction ends. This is a very unique idea; the artwork will initially be abstract art, ultimately with a DNA code attached afterwards. Blockchain technology can prove the authenticity of an artwork with a certificate provided by the Blockchain network.

In order to establish an online performance auction, research was conducted based on customers and target groups. First, we gathered information about the idea of Dapps and what people think about buying digital goods for personal purposes. The results of this survey were quite unexpected. Our hypothesis is that people are equally willing to buy NFT products as FT products, based on the revenue from CryptoKitties and CryptoPunk (from Larva Labs), which represents an enormous amount of income flowing into the market. This fuels our assumption that the market capital of the art market and digital art can be merged and result in a huge outcome. From our investigation into digital art merging we found one company that attempts to integrate both markets, similar to the idea of Art Value, called ‘Snark.art’. They have already launched many projects such as 89 Seconds Atomize [73] and sell video pixels of 20x20 represented as a token. To date, they have earned $134,450 and $276,480 as market capital. We conducted interviews and performed some research with them, and found that the most important factor for the success of the project is their target customer. They are passionate and profound about specific pieces of artwork, in addition to the portal to acquire them, which needs to be as easy as possible for users to understand.

In establishing an online performance auction platform, research on users and the system is necessary. This research is focussed on smart contracts and user experience within Dapps. Again, the outcome of this survey was slightly unexpected, as NFT digital purchases of products that do not involve a lot of interaction turn out to be lower than expected. Furthermore, many users prefer to buy a digital product for the purpose of gaming. The target group of this platform can be refined to a limited customer base. Therefore, we want to improve the experience between the user and the platform. To conclude the outcome, people want to interact with the interface and enjoy seeing the flow of numbers with more animation. Even though they are not going to win the auction, they feel grateful to be part of the artwork creation.

The next major point of this research is platform development, which focuses on the smart contracts of the Art Value app. We implemented two sets of code, which relate to 1) generating and storing artworks, and 2) the auction experience based on the freezing amount solution. In terms of synchronization and cost-efficiency with regard to the transaction cost, we found that many elements are involved in the structure of the cost. From a business perspective, it is not a good idea to spend extra cost on it. We believe that this is the best solution for this platform. With the Ethereum Blockchain architecture, the gas price has a high impact on the synchronization time, and finding the best cost also depends on the network. The aim in this question is to find the best practice time for the auction to be continuously open without conflict or damage to the structure of the Blockchain protocol. From the results, we obtain three groups of the additional gas price in order to verify the transaction, which also has an impact on the speed. The suggestion is to use an average price in order to maintain the cost and user experience. However, this impacts the time between transactions. If we choose to pay a lower cost than the network expects, this causes transaction failure and thus affects the business model and user experience. From the case mentioned previously, we aim to: 1) acquire the artwork as quickly as possible without high costs, 2) ensure better experiences and interaction, and 3) prevent runner users who do not pay after the auction ends. The best solution can be used in the first case, by introducing a fee collected at the beginning of an auction. If the winner does not pay the amount they won or disregards the rule, the fee is not released. In this way the loss of reputation and business is avoided.
Secondly, if the focus of the platform is to improve the user experience, the second method offers the best solution because it enhances the user experience of the Blockchain application through the realistic interactions of an online auction. In order to launch the platform on the market, we need to ensure compliance for all actors. In this research we focus on providing a privacy agreement and risk identification to prevent and solve the privacy issues that may cause data breaches in the future. That is why we need to make an agreement policy. From a security perspective, having a secure system is not sufficient, since vulnerabilities can occur anywhere, including on the user side. In this part of the research we investigate policies generated by open-source services, in order to attain the basic structure of a privacy policy and adjust it according to the platform perspective. This policy has already been adjusted according to the GDPR policy within EU/EEA countries. This may not be possible if the platform runs globally, so future work should improve it or create a new one according to the rules in each region. In the risk analysis, probability and consequence risk analysis is used to analyze the risk from a system and business perspective. This allows a ranking of 10 situations to be created. In this research, we suggest the best solution for each situation to implement within the Art Value platform. The solutions are suggested from the research perspective and some business models may need to adjust accordingly. The riskiest situation that could occur during the first launch is that the database is compromised. Therefore, this should be
considered in addition to a website attack, among other threats. Blockchain is already used as a decentralized database, which may already be secured by the network; however, if sensitive data are published, this will be the greatest vulnerability for all actors. For this reason, this research focuses on possible risks that may impact Art Value. Outcomes and solutions for each situation from the risk perspective come from many existing solutions. It must be kept in mind that there is always a way to invade the system. The suggestion is to encrypt every medium, user and system. Secure communication is also one of the best ways to protect the foundation of the platform.

6.2 Future work

Many areas of this platform can be improved, and research from at least four disciplines can continue as the research topic. Therefore, this section discusses four forms of future work based on different functionalities. The first involves research from a security perspective. This includes anonymity research and improvements to the platform, since a future feature for the delivery of artworks will require storage of recipients’ addresses. This would compromise the anonymity of users and the reputation of the platform owner, as mentioned in Chapter 5. Simulating an attack or testing the security features can continuously improve the code and platform system. Another form of research is to consider the DNA of an artwork, that is, its unique key. The DNA of an artwork represents the artwork’s code, meaning that every piece of artwork would be assigned a unique key generated by Blockchain. This unique key can link back to the original detail of an artwork, like a QR code or a barcode found on grocery products. If this topic is developed, the key can be embedded in a physical artwork that represents the digital artwork generated by Art Value [74][75][76]. It is not just a key, but it can be used to build an abstract digital artwork, similar to Crypto Kitties. Regarding the improvement of risk management, if the platform builds a new feature, it requires consideration of threats and consequences for the system. This study has focussed on recent features for this version of the platform. For example, if gallery or calendar pages are implemented on the website, the calendar would need to sync with details of past to future features, because the concept of a calendar feature is to trace all auctions of an artwork, as if showing a database of artworks. Therefore, this feature would need protection regarding the detail of the artwork, and it should not be easily altered by someone else.
Finally, the decentralized application could be extended to support, and be tested on, other Blockchain protocols such as EOS [77], TRON [78] or NEAR [79]. In order to improve transaction synchronization, there are other metrics to consider in this topic that were not approached in this research. Other Blockchain protocols, such as EOS, use different algorithms from Ethereum, with far greater possibilities to improve the speed of confirmation. An achievement of EOS is the ability to run a million transactions per second, while Ethereum can run just 15 transactions per second [80].

6.3 References

[1] Blockchain Hype Turns to Mainstream Adoption in Billion-Dollar Corporations [online], 2019. CCN.com. Available: https://www.ccn.com/blockchain-entering-corporate-mainstream-study/ [Accessed 2019-12-18].
[2] Kumar, S., Saraswat, A.S.| H.M., and Srivastava, R., 2018. Blockchain: A Revolutionary Technology. International Journal of Trend in Scientific Research and Development, Vol. Volume-2, No. Issue-3.
[3] C, K., 2018. An Overview of Blockchain Technology. International Research Journal of Electronics and Computer Engineering, Vol. 4, p. 1.3
[4] Vidal Segura, M., 2019. User experience design and front end development of an online auction website. KTH, School of Electrical Engineering and Computer Science (EECS).
[5] Simbelis, V.V., 2018. Humanizing Technology Through Post-Digital Art. PhD Thesis. KTH, School of Electrical Engineering and Computer Science (EECS).
[6] What is a Hash Chain? - Definition from Techopedia [online], 2020. Available: https://www.techopedia.com/definition/32920/hash-chain [Accessed 2020-2-9].
[7] Rajshree Srivastava, Kumar, S., Harshit Mohan, Animesh Singh, and Harshit Mohan Saraswat, n.d. ijtsrd12751.pdf.
[8] ArcBlock, Inc., 2020. Technical WhitePaper [online]. Available: https://www.arcblock.io/en/whitepaper/latest [Accessed 2020-2-9].
[9] Shunsai Takahashi - Academia.edu, 2020. Proof-of-Approval: A Distributed Consensus Protocol for Blockchains [online]. Available: https://www.academia.edu/36075801/Proof-of-Approval_A_Distributed_Consensus_Protocol_for_Blockchains [Accessed 2020-2-9].
[10] Zheng., Z, Xie, S., , H., Chen, X., and Wang, H., 2017. An Overview of Blockchain Technology: Architecture, Consensus, and Future Trends. 2017 IEEE International Congress on Big Data (BigData Congress). p. 557–564.
[11] Farah, N.A.A., n.d. Blockchain Technology : Classification, Opportunities, and Challenges, Vol. 05, No. 05, p. 4.
[12] Ivelin Angelov, Jack K Rasmus-Vorrath, and Yao Yao, 2020. (PDF) Blockchain Security and Demonstration [online]. Available: https://www.academia.edu/35349686/Blockchain_Security_and_Demonstration [Accessed 2020-2-9].
[13] What are ERC20 tokens? | Ledger [online], 2020. Available: https://www.ledger.com/academy/crypto/what-are-erc20-tokens/ [Accessed 2020-2-9].
[14] ERC-721 [online], 2020. Available: http://erc721.org/ [Accessed 2020-2-9].
[15] EIP 721: ERC-721 Non-Fungible Token Standard [online], 2020. Available: https://eips.ethereum.org/EIPS/eip-721 [Accessed 2020-2-9].
[16] Blockchain Cuties - Cutest blockchain collectable game with adventures [online], 2020. Available: https://blockchaincuties.com/ [Accessed 2020-2-9].
[17] My Crypto Heroes (MCH, マイクリ) | Crypto game from Japan! [online], 2020. Available: https://www.mycryptoheroes.net/ [Accessed 2020-2-9].
[18] OpenSea: Buy Crypto Collectibles, CryptoKitties, Decentraland, and more on Ethereum [online], 2020. Available: https://opensea.io/ [Accessed 2020-2-9].
[19] CryptoKitties | Collect and breed digital cats! [online], 2020. Available: https://www.cryptokitties.co/ [Accessed 2020-2-9].
[20] Top Blockchain Games | DappRadar [online], 2020. Available: https://dappradar.com/rankings/category/games [Accessed 2020-2-9].
[21] Home | Ethereum.org [online], 2020. Available: https://ethereum.org/ [Accessed 2020-2-9].
[22] Hyperledger – Open Source Blockchain Technologies [online], 2020. Available: https://www.hyperledger.org/ [Accessed 2020-2-9].
[23] Instantly Move Money to All Corners of the World | Ripple [online], 2020. Available: https://ripple.com/ [Accessed 2020-2-9].
[24] Dr Gideon Greenspan, Founder and CEO, Coin Sciences Ltd, 2020. MultiChain White Paper | MultiChain [online]. Available: https://www.multichain.com/download/MultiChain-White-Paper.pdf [Accessed 2020-2-9].
[25] Kruglova, I.A. and Dolbezhkin, V.A., 2018. Objective Barriers to the Implementation of Blockchain Technology in the Financial Sector. 2018 International Conference on Artificial Intelligence Applications and Innovations (IC-AIAI). p. 47–50.
[26] Moccia, 2019. The Remaining Barriers to Blockchain Adoption in Finance. Fintech News.
[27] Blockchain Adoption Barriers in Startups and Enterprises [online], 2019. Due. Available: https://due.com/blog/blockchain-adoption-barriers-in-startups-and-enterprises/ [Accessed 2020-2-10].
[28] SURVEY | meaning in the Cambridge English Dictionary [online], 2020. Available: https://dictionary.cambridge.org/dictionary/english/survey [Accessed 2020-1-13].
[29] Risk Analysis vs Quantitative Risk Analysis, 2011. PM Learning Solutions.
[30] Fadun, D., 2019. How To develop a Consequence Matrix. Risk Management and Insurance Platform.
[31] The University of Queensland, 2020. Enterprise Risk Management Consequence and Likelihood Tables [online]. Available: https://ehealthresearch.no/files/documents/Appendix-Definitions.pdf [Accessed 2020-2-10].
[32] E Health Research, 2020. Risk Consequence and Likelihood Table [online]. Available: https://ppl.app.uq.edu.au/sites/default/files/Risk%20Consequence%20and%20Likelihood%20Table%20-%20Form.pdf [Accessed 2020-2-10].
[33] web3.js - Ethereum JavaScript API — web3.js 1.0.0 documentation [online], 2020. Available: https://web3js.readthedocs.io/en/v1.2.4/ [Accessed 2020-2-10].
[34] MetaMask [online], 2020. Available: https://metamask.io/ [Accessed 2020-2-10].
[35] Portis - The Non-Custodial Blockchain Wallet [online], 2020. Available: https://www.portis.io/ [Accessed 2020-2-10].
[36] Etherscan.io, 2020. Token Tracker | Etherscan [online]. Ethereum (ETH) Blockchain Explorer. Available: http://etherscan.io/tokens [Accessed 2020-2-10].
[37] What is an ERC20 token? [online], 2020. Blockchain Support Center. Available: http://support.blockchain.com/hc/en-us/articles/360027491872-What-is-an-ERC20-token- [Accessed 2020-2-10].
[38] Shkoor, M.A., 2019. Everything You Need to Know About Public, Private, and Consortium Blockchain [online]. Medium. Available: https://medium.com/swlh/everything-you-need-to-know-about-public-private-and-consortium-blockchain-54821c159c7a [Accessed 2020-2-10].
[39] brynbellomy/solidity-auction [online], 2020. GitHub. Available: https://github.com/brynbellomy/solidity-auction [Accessed 2020-2-10].
[40] Broad-Crawford, A., 2018. AnthonyBroadCrawford/ethereum-solidity-auction.
[41] tak, 2019. How to reduce gas cost in Solidity [online]. Medium. Available: https://medium.com/layerx/how-to-reduce-gas-cost-in-solidity-f2e5321e0395 [Accessed 2020-2-10].
[42] Datainspektionen [online], 2020. Available: /other-lang/in-english/the-general-data-protection-regulation-gdpr/ [Accessed 2020-2-10].
[43] GDPR-compliance-statement [online], 2020. Available: https://www.virtual-college.co.uk/gdpr-compliance-statement [Accessed 2020-2-10].
[44] TermsFeed [online], 2020. TermsFeed. Available: https://www.termsfeed.com/ [Accessed 2020-2-10].
[45] GDPR Compliance Software for Websites & Online Businesses [online], 2020. Termly. Available: https://termly.io/ [Accessed 2020-2-10].
[46] Once hailed as unhackable, blockchains are now getting hacked - MIT Technology Review [online], 2020. Available: https://www.technologyreview.com/s/612974/once-hailed-as-unhackable-blockchains-are-now-getting-hacked/ [Accessed 2020-2-10].
[47] Attack of the week: searchable encryption and the ever-expanding leakage function, 2019. A Few Thoughts on Cryptographic Engineering.
[48] E Health Research, 2020. Risk Consequence and Likelihood Table [online]. Available: https://ppl.app.uq.edu.au/sites/default/files/Risk%20Consequence%20and%20Likelihood%20Table%20-%20Form.pdf [Accessed 2020-2-13].
[49] them, S. types; L. have a look at some of and Functions, T., 2019. Server down: causes and damages that it can cause to a company. Pandora FMS - The Monitoring Blog.
[50] Technology Lab & Marketplace for Digital Art - Snark.art [online], 2020. Available: https://www.snark.art [Accessed 2020-2-10].
[51] Larva Labs [online], 2020. Available: https://larvalabs.com/ [Accessed 2020-2-10].
[52] How Many Customers Are You Losing Because of Bad UX? [online], 2017. Post Funnel. Available: https://postfunnel.com/many-customers-losing-bad-ux/ [Accessed 2020-2-10].
[53] Mistake 2 out of 3: Falling into the curse of Sunk Cost [online], 2020. Available: https://medium.com/@lasse.k/mistake-2-out-of-3-falling-into-the-curse-of-sunk-cost-daa1bbac56eb [Accessed 2020-2-10].
[54] Ethereum 101 [online], 2020. CoinDesk. Available: https://www.coindesk.com/learn/ethereum-101/will-ethereum-scale [Accessed 2020-2-10].
[55] ETH Gas Station [online], 2020. Available: https://ethgasstation.info/ [Accessed 2020-2-10].
[56] Aziz, M. the C.F., 2018. Guide to Ethereum: What is Gas, Gas Limit and Gas Price? Master the Crypto.
[57] Ether Gas: Limit, Gas Price & Fees (Everything You Need to Know), 2017. CoinSutra - Bitcoin Community.
[58] Foundation, E., 2020. Understanding Serenity, Part I: Abstraction [online]. Available: https://blog.ethereum.org/2015/12/24/understanding-serenity-part-i-abstraction/ [Accessed 2020-2-10].
[59] [Video/Tutorial] What exactly is the Gas Limit and the Gas Price in Ethereum [online], 2017. Vomtom.at. Available: https://vomtom.at/what-exactly-is-the-gas-limit-and-the-gas-price-in-ethereum/ [Accessed 2020-2-10].
[60] How to Thwart a Rainbow Table Attack | LookingGlass, 2017. LookingGlass Cyber Solutions Inc.
[61] Narayanan, A. and Shmatikov, V., 2005. Fast dictionary attacks on passwords using time-space tradeoff. Proceedings of the 12th ACM conference on Computer and communications security. Alexandria, VA, USA: Association for Computing Machinery, p. 364–372.
[62] passwords - Is salting a hash really as secure as common knowledge implies? [online], 2020. Information Security Stack Exchange. Available: https://security.stackexchange.com/questions/35523/is-salting-a-hash-really-as-secure-as-common-knowledge-implies [Accessed 2020-2-10].
[63] Feinstein, L., Schnackenberg, D., Balupari, R., and Kindred, D., 2003. Statistical approaches to DDoS attack detection and response. Proceedings DARPA Information Survivability Conference and Exposition. p. 303–314 vol.1.
[64] Five ways to prevent data leaks, 2017. Help Net Security.
[65] OpenZeppelin/openzeppelin-contracts [online], 2020. GitHub. Available: https://github.com/OpenZeppelin/openzeppelin-contracts [Accessed 2020-2-10].
[66] Fang, F., 2020. Ethereum Solidity: Memory vs Storage & Which to Use in Local Functions [online]. Medium. Available: https://medium.com/coinmonks/ethereum-solidity-memory-vs-storage-which-to-use-in-local-functions-72b593c3703a [Accessed 2020-2-10].
[67] Experience, W.L. in R.-B.U., 2020. Nielsen Norman Group: UX Research, Training, and Consulting [online]. Nielsen Norman Group. Available: https://www.nngroup.com/articles/ten-usability-heuristics/,/ [Accessed 2020-2-10].
[68] What is Heuristic Evaluation? | Interaction Design Foundation [online], 2020. Available: https://www.interaction-design.org/literature/topics/heuristic-evaluation [Accessed 2020-2-10].
[69] 5 Examples of Data Misuse | ObserveIT [online], 2020. Available: https://www.observeit.com/blog/importance-data-misuse-prevention-and-detection/ [Accessed 2020-2-10].
[70] Third-party errors left over 540 million Facebook records exposed | Engadget [online], 2020. Available: https://www.engadget.com/2019/04/03/facebook-data-exposed-by-third-parties/ [Accessed 2020-2-10].
[71] Protecting an Idea: Can Ideas Be Patented or Protected? 2018. IPWatchdog.com | Patents & Patent Law.
[72] How to Protect Your Invention From Theft When Pitching It [online], 2020. www.nolo.com. Available: https://www.nolo.com/legal-encyclopedia/how-protect-invention-when-pitching-30208.html [Accessed 2020-2-10].
[73] 89 seconds Atomized by Eve Sussman & Rufus Corp - Snark.art [online], 2020. Available: https://www.snark.art/89seconds [Accessed 2020-2-10].
[74] Šimbelis, V., Lundström, A., Höök, K., Solsona, J., and Lewandowski, V., 2014. Metaphone: Machine Aesthetics Meets Interaction Design. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. New York, NY, USA: Association for Computing Machinery, p. 1–10.
[75] Šimbelis, V. “Vegas” and Lundström, A., 2018. Synesthetic Experience in S T R A T I C. Proceedings of the Twelfth International Conference on Tangible, Embedded, and Embodied Interaction. New York, NY, USA: Association for Computing Machinery, p. 574–580.
[76] Simbelis, V. ’Vegas, Ferreira, P., Vaara, E., Laaksolahti, J., and Höök, K., 2016. Repurposing Bits and Pieces of the Digital. Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems. New York, NY, USA: Association for Computing Machinery, p. 840–851.
[77] EOSIO - Blockchain software architecture [online], 2020. EOSIO. Available: https://eos.io/ [Accessed 2020-2-10].
[78] TRON Foundation : Capture the future slipping away [online], 2020. Available: https://debug.tron.network [Accessed 2020-2-10].
[79] NEAR Protocol | A sharded, developer-friendly, proof-of-stake public blockchain [online], 2020. Available: https://nearprotocol.com/ [Accessed 2020-2-10].
[80] BitDegree, 2018. EOS vs Ethereum: is EOS a Better Ethereum Alternative? BitDegree Tutorials.

Appendix A

Other data survey – 62 participants

Figure 8.1.a: Age of participants

Figure 8.1.b: Gender of participants

Appendix B

Extra: Testing results

[Figure: Case 1 Result. Series: Trans Cost, Exec Cost.]

TRITA-EECS-EX-2020:86

www.kth.se