Instilling trust in a decentralized financial infrastructure
By Vincent Chok & Glenn Woo
Trust, in the traditional finance context, used to lie in the hands of people. For instance, customers would have a personal relationship with a bank manager, who would be entrusted with their assets, and in turn, would be trusted to take out a loan.
However, in the fast-paced global and digital world of modern money, this has taken on a whole new meaning.
Redefining trust in the decentralized economy
Trust has become a critical element in keeping assets secure, as transactional relationships become less personal, with digital payments relying more on invisible infrastructure.
After all, the greatest threat facing institutions and individuals is not being hacked by a sophisticated system, but the making of an honest mistake – either through a phishing attack or a lack of good security and encryption practices in storing data.
In place of trusted relationships, networks of intermediaries act as stand-ins, to divert the need to place all trust in one, centralized place โ which in turn, makes them a lucrative target.
With the rise of blockchain technology, trust has become an automated part of securing digital assets. Systems of smart contracts ensure a system infallible to human error, and digital ledgers keep accurate records of all transactions, which cannot be amended to mislead users.
So, if technology aims to take away the burden of security from individuals, what role do trusted bodies play in this emerging financial ecosystem?
Scaling trust, liability and accountability
By many counts, the first decade of digital assets was fairly lawless, with phishing attacks and hot wallet hacks seeing millions of dollars being taken directly from users. Not to mention, bad actors turning to real-world violence or sim-swapping manipulation in order to access assets stored in cold wallets.
The response to many of these violations has focused on the legal liability of companies offering centralized services – such as hot wallet storage on their exchange – for users to interact with decentralized assets.
But this focus remains resoundingly one-dimensional, as legal liability is nothing without consequences. Players in the digital asset space must be held accountable for the way they run their services – even if they are merely acting as a portal to a wider ecosystem.
The root causes of โmost notable crypto-related hacksโ vary and are often complex, but most breaches could have been prevented โ or at least severely limited โ with a best practice that banking institutions, telecoms, and governments have already relied on for decades: hardware security modules (HSM).
These devices are heavily used in the banking industry and in all verticals where critical secrets must be protected. HSMs are physical computing devices that safeguard and manage cryptographic keys and provides secure execution of critical code. They have built-in anti-tampering technology which wipes secrets in case of a physical breach, are architectured around secure cryptoprocessor chips and have active physical security measures such as meshes to mitigate side-channel attacks or bus probing.
While individual retail investors are able to secure digital assets with individual hardware wallets, these products lack the core features required in an enterprise environment. Ledger Vault, for example, protects institutional investors from the operational risks of trading digital assets so asset managers and custodians can conveniently trade this new class of assets without compromising on security.
Learning from the past and using battle-tested infrastructure
Decentralized technology provides users with unparalleled freedoms in transacting, but it also requires them to become cybersecurity experts and asset custodians. There are security issues to consider from the ease of misplacing private keys through to the dangers of exchange hacks draining hot wallets.
In many instances, both users and industry players stand to gain from the lessons learned by traditional financial players, who have been facing many similar problems for decades.
In bilateral payments such as international wires, the trust between major banks and the difficulty to send money outside of the banking system makes it easy to retrieve money sent erroneously or following a hacking attempt.
In the world of digital assets, we donโt have that comfort. A mistake or a successful malicious act would most often result in an irrevocable loss of funds. It is crucial that companies providing digital asset storage go above and beyond the existing security paradigms by using both software and hardware to secure their transactions and funds.
For instance, Secure Elements (SE) are hardened microcontrollers with very few interfaces to the outside world, reducing the attack surface to the minimum. The integrity of these systems is critical, and specific engineering must be applied to the system to make it tamper-resistant. A SE, therefore, embeds strong physical protections to mitigate complex hardware attacks, such as side-channel analysis or fault injection.
A normal microcontroller can be compared to a set of lego bricks: practical to build, but trivial to disassemble or reverse engineer. Secure Elements are on the contrary, much more complex in their design with encrypted memory and physical reinforcement preventing unauthorized information extraction.
In other words, the SE is to the microcontroller what a tank is to a car.
Adopting better storage solutions will enable financial institutions and professional investors to unleash the full potential of digital assets, and will bring much-needed confidence to their shareholders, clients and regulators, as required by such a nascent industry.
Trust must go both ways
Designing our financial infrastructure to be one asset-holders can trust requires careful thought about how to do so without losing the benefits of decentralization.
It is also worth remembering that decentralization is not an absolute or none, but rather, it exists on a spectrum of varying degrees. There are also benefits for companies and individuals who work with external companies or service providers in lieu of trusting users to custody their own assets.
Custodial solutions offer a happy medium. Seeing as they are a regulated firm dedicated to servicing the custody portion of a transaction, individuals can rest assured that they are required to keep abreast of the best security measures.
Having the option of choosing a custodian also means users can choose who their assets are entrusted to. Security assurance is paramount, and while anyone can claim to have a secure product, it means much more coming from a trusted independent third party.
For instance, the CSPN Certification scheme is an industry-standard established in 2008 to qualify how to secure enterprise and financial institutions are by assessing firewalls, identification, authentication and access, secure communications and embedded software. It is imperative digital assets uphold to these same measures so innovative security solutions can roll out with ease.
Decentralized finance is not the end of trust but the evolution to a new kind of accountability
Only with a fully-formed ecosystem can legislators begin to set the boundaries of institutional responsibility. Regulation needs to back up the technology, and incentivize the creation of secure systems whilst punishing systems that lack accountability.
Trusting companies to take liability is not enough. Just because an entity can offer services, doesnโt mean they should, and the digital asset space stands to gain a higher level of buy-in from external speculators should it decentralize the risk, and support the expansion and specialization of service providers.
About the authors:
Vincent Chok is the Founder and Group CEO of Legacy Trust Company,โ a Hong Kong-licensed and Public Registered Trust Company. Under his leadership, Legacy Trust transformed from a traditional pension and family trustee to a leading provider of custody services for exchanges, OTC desks, investment firms, hedge funds, and various other professional industry participants who may be required by law to store their digital assets with a financial institution like Legacy. Prior to founding Legacy Trust Company, Vincent managed the mortgage financing and raised capital for commercial real estate in the Canadian Exempt Securities marketโ.
Glenn Woo is Head of the Asia Pacific region for Ledger, โa global leader in crypto-asset security with offices in Hong Kong, New York and Paris. โGlenn joined Ledger in October 2018, and is responsible for overseeing all Ledgerโs businesses in Asia Pacific. He has an extensive career in the financial services and technology industry, working for S&P Global Market Intelligence as Head of Hong Kong, Taiwan and Korea, and Shinhan AITAS as a consultant in financial asset custody. Glenn holds a BA in Business Administration and English Literature at Hankuk University of Foreign Studies.