SCA in a World of Decentralised Finance
First published: 05/07/2022
updated: 21/10/2022
Erik Vasaasen
Decentralised Finance, or DeFi, is an emerging financial technology based on distributed ledgers similar to those used by cryptocurrencies. Although it's a topic we haven't covered yet, DeFi is increasing in popularity and is affecting the world of SCA. So let us look at how DeFi is changing the financial landscape and whether it is stable enough to stay around for the long term. Note: cryptocurrency and blockchain technology should be familiar to the readers of this post!
Welcome: DeFi
Decentralised Finance has been in the news lately because of recent issues around "algorithmic stablecoins", in particular the unpegging of Luna to TerraUSD. Exactly how a stablecoin works is a bit complicated, but here are the basics of what happened in this situation:
A stablecoin is based on two or more linked cryptocurrencies, where one is set to follow either the US dollar or the Euro. If the value ends up deviating too far, one of the cryptocurrencies is automatically sold, bought, or destroyed ("burned") in order to keep the entire system stable ("pegged") with the external currency. However, with TerraUSD, there was an extra feature: a guaranteed 20% interest on your deposit. This led to a $45 billion market cap, which disappeared in less than 48 hours when the algorithm keeping the system stable (the peg) broke down, leaving some investors with significant gains but many others with large losses.
Other DeFi schemes have similar promises. These include instant loans of millions of dollars without a bank or collateral and no risk for the lender, interest of up to 75% APY on savings, and lotteries without risk. But what are the goals of DeFi, and how is it linked to Strong Customer Authentication and the traditional payment market?
What is DeFi?
The promise of DeFi is simple: provide a transparent financial system based on blockchain technology and smart contracts. However, the technical implementation is a bit more complex:
Blockchain technology is a distributed smart ledger. A smart contract is a piece of self-executing code that can be put on this blockchain. With smart contracts, it is possible to implement various marketplaces where users can interact through their crypto wallets. Examples are exchanges for trading, lending and borrowing, and systems for implementing forms of non-fungible tokens (NFTs), which are used for selling art, or at least the web addresses of art.
When many smart contracts are linked, multiple tokens and currencies can interact on the same blockchain, leading to Decentralised Autonomous Organisations (DAOs) without a central authority. Ultimately, this allows token owners to vote on proposals, where the voting mechanism and implementation are executed as smart contracts.
So here is perhaps the true benefit of DeFi: instead of having a central authority (such as a stock market or bank) that monitors and is in charge, there is an algorithm that implements the marketplace. Moreover, seeing that all the transactions on the blockchain are public, it should be possible to make it much more transparent and equal than the traditional financial system, where there is a big gap between smaller investors and those running the trading platforms and banks.
A Small Selection of Weaknesses
While DeFi sounds like a good idea, many issues still need to be sorted. These extend from obvious fraudulent attacks to malicious malware and bugs. One of my favourite websites for following the world of cryptocurrencies and DeFi is Web3IsGoingGreat. Looking at the DeFi section, there are some interesting attacks taking place weekly:
- Flash loan attacks exploit weaknesses in the smart contracts of lending platforms that do not require collateral. For example, an April attack led to the theft of cryptocurrency valued at $182 million simply by borrowing enough funds on the exchange that the attacker could buy enough tokens to take control over the DAO governing the exchange. Once the attacker was in control, they issued an order requiring the DAO to transfer all funds on the blockchain to their external account - and this happened automatically and in a matter of seconds. In other flash loan attacks, exchanges are manipulated with large amounts of buy/sell orders, so the pricing mechanisms stop working.
- Rug pulls are where a service developer sells off all the cryptocurrency they control in the liquidity pool powering a service. Note that a DeFi exchange typically has one or more custom cryptocurrencies attached. So, as the developers often control 80% of the currency from when the exchange was created, they can sell off their holdings, leaving the remaining investors with nothing.
- Bugs, so many bugs: Smart contracts and algorithms are hard to implement correctly. An example of a bug being exploited was a "small" $5 million attack on Osmosis in June. Attackers could gain 50% on their "investment" simply by depositing and withdrawing their funds. Sadly, bugs are widespread with DeFi; just a few weeks ago, another blockchain platform (Elrond) was exploited through a bug, leading to a loss of a few million.
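The flash loan takeover described above is, at its core, a vote-counting defect: the DAO weighed votes by whatever a voter held at that instant. As an added example (not code from the post or from any real DAO), the following Python simulation contrasts that rule with one that counts balances snapshotted at the start of the proposal's block, a standard mitigation the post does not discuss. The Token class, account names and amounts are constructed for the simulation.

```python
# Added example: toy model of token-weighted DAO voting, contrasting a
# live-balance rule with a snapshot rule. All names and amounts are constructed.


class Token:
    """Minimal token ledger that records balances at each block boundary."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.block = 0
        self.snapshots = {0: dict(balances)}  # balances at the start of block b

    def next_block(self):
        self.block += 1
        self.snapshots[self.block] = dict(self.balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


def passes_live(token, proposal_block, voters):
    """Vulnerable rule: voting weight is whatever the voter holds right now."""
    total = sum(token.balances.values())
    weight = sum(token.balances.get(v, 0) for v in voters)
    return weight * 2 > total


def passes_snapshot(token, proposal_block, voters):
    """Hardened rule: weight is the balance at the start of the proposal's
    block, so tokens borrowed and repaid within that block count for nothing."""
    snap = token.snapshots[proposal_block]
    total = sum(snap.values())
    weight = sum(snap.get(v, 0) for v in voters)
    return weight * 2 > total


def flash_loan_scenario(rule, repay_same_block=True):
    """Borrow 60% of the supply from the pool, vote, and (optionally) repay
    within the same block. Returns whether the borrower's proposal passed."""
    token = Token({"pool": 600, "alice": 250, "bob": 150})  # supply 1000
    token.next_block()  # block 1: normal state, nobody holds a majority
    token.transfer("pool", "mallory", 600)
    if not repay_same_block:
        token.next_block()  # held across a block boundary: genuine ownership
    passed = rule(token, token.block, ["mallory"])
    if repay_same_block:
        token.transfer("mallory", "pool", 600)
    return passed
```

With the live rule the single-block loan wins the vote; with the snapshot rule it counts for nothing, while tokens genuinely held across a block boundary still count.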
As the DeFi exchanges are almost entirely unregulated, several services will launder stolen funds for an attacker for a small fee. To quote one of the services: "Tornado Cash improves transaction privacy by breaking the on-chain link between source and destination addresses. [..] Whenever ETH is withdrawn by the new address, there is no way to link the withdrawal to the deposit, ensuring complete privacy."
What About PSD2 and AML?
Right now, the DeFi space is somewhat similar to what banking was over 100 years ago when fake banks and stock market scams were common. Since then, a lot has happened in the financial markets. An example is the Payment Services Directive 2, which is mostly about consumer protection and how the payment market should be supervised. One such consumer protection is the right to have a payment refunded, even if the payment is being disputed. A rough estimate is that more than half of PSD2 is concerned about consumer protection in one way or another. Some DeFi schemes have implemented forms of chargeback and dispute management (such as Merchantcoin), but none have been proven by the market so far.
Another challenge to DeFi is Anti-Money Laundering legislation (AML). There are three main requirements:
- Banks and other regulated companies are required to combat financial crime
- They're required to screen transactions with respect to both the sender and the recipient
- They're required to report suspicious transactions.
This means that when converting from a cryptocurrency to a fiat currency (such as the Euro), you'll be asked by your bank where the funds came from. While some services will document all the buys and sells done through exchanges, it is not always clear how transactions taking place on a DeFi blockchain are handled. What if a service like Tornado Cash was involved? How can a person prove that the funds are not stolen?
So, Can DeFi Work?
In Economics, there is a joke about an economist stepping on a $100 bill while walking down the street. He spots it but decides to walk right on by. "After all," he chuckles, "if that had really been a $100 bill, someone else would have picked it up already!"
Many of the promises made by DeFi schemes are much more unlikely than finding cash on the street, but that doesn't mean all DeFi schemes are scams or impossible propositions. Still, at least one aspect of DeFi investment is fundamentally important: the growth in its value should be linked to the value currently produced or to expectations of future production.
As such, if you are looking at investing in a DeFi scheme, ask yourself: How is the value produced? How is the cost of the underlying protocols covered? If the expected growth is from "other people's investment" you're likely taking part in a Ponzi scheme, and chances are that you will be one of the losers. This is why I believe two things must happen before DeFi becomes mainstream.
The first is to recognise that DeFi can be another way to implement securities, such as stocks and bonds. To do that securely, some form of regulation must protect investors. An example could be requiring all wallets to be linked to known identities, e.g. an eIDAS identity wallet, and have transactions protected by Strong Customer Authentication. Linking the wallets to known identities would lower the risks immensely and help solve the issues around money laundering.
Secondly, requiring that the customer is properly authenticated would help prevent people from losing the contents of their wallets to attacks. In addition, investors have to realise that a DeFi-based investment won't have a much higher yield than the more traditional financial instruments. While you can find many examples of cryptocurrencies experiencing rapid growth, those are almost entirely driven by speculation. If history teaches us anything, it is that the value of crypto can go down much faster than it can go up.
————
Update!
As of June 30th 2022 (just after I sat down and wrote this post!), the EU Council and the European Parliament announced that they had reached a provisional joint agreement on the “markets in crypto-assets (MiCA)” proposal. While it is not final yet, this means that at least some of the DeFi cryptocurrency schemes will be regulated in the coming years. This regulation will cover Anti-Money Laundering and liability for loss of funds, and will require that “crypto-asset service providers” be authorised in order to operate within the EU. It will be interesting to see how this regulation will work in practice given the free flows of cryptocurrencies that we see today.