Risk Assessment of Blockchain Technology & Your Project Is Key
Building on blockchain is the “new world”, right? But sometimes it feels like more risk than reward – especially in the frigid winter that Crypto seems to be embroiled in. And as with any emerging technology (I’m reminded of the emerging web2 world of the early 2000s), blockchain risks and challenges are multiplying!
Don’t get me wrong, I’m bullish overall for Blockchain and its potential for remaking not only the world of finance, but also of gaming, privacy and access… and eventually, I believe we will get there – right now we’re just experiencing the inevitable growing pains.
And they’re not made any easier in the current environment, when the LUNA and UST debacle seems to have awoken the sleeping “regulatory” giants. In light of this, exploring the risks associated with blockchain technology and creating a referenceable list of sorts makes a lot of sense.
Let’s start with Regulatory Risk.
Since that’s top of mind for most, with the SEC doing all of the saber rattling, projects need to be aware of the Howey Test and, if in the United States, of what your exposure might be to KYC/AML (know your customer and anti-money-laundering) regulations – because you may need to implement geo-fencing of your dapp if you are not compliant.
Of note – while all of that is going on, the Senate is quietly moving forward on a bill that favors the CFTC. It may not pass both houses this year, but clarity is starting to emerge!
It also seems timely to talk about the fact that the ETH merge to PoS (which went off without a hitch – yay!) had some collateral risk that perhaps wasn’t considered – or maybe it was and it was thought to be ok and necessary.
ETH Merge to PoS Might Put ETH under SEC jurisdiction.
What?! Yep… according to SEC Chairman Gary Gensler, who stated that Crypto that allows users to stake coins could be considered a security. But according to the Howey test, it seems that Gensler is only looking at one aspect of the four points… and I wonder whether U.S. lawmakers will allow him to proceed on that assumption fully. That would literally put every crypto except Bitcoin into the SEC’s bucket. (see note above. Looks favorable that CFTC will get the oversight role for crypto).
Stay tuned on that… but there’s more… let’s look at the Validators…
Apparently post-merge stats show that 42% of the block minting was done by Validator nodes controlled by TWO U.S. based companies, LIDO Finance, and Coinbase. Which then puts ETH and all of the validators in the cross-hairs of whatever regulations get implemented within the U.S. You may be thinking, yeah, but won’t there be more validator nodes coming online? It’s a lot easier to set up a node in the PoS world. You just need 32 ETH to stand up a validator node.
Yes, but not so fast. Upon close scrutiny, there may not be enough in it for people to stand up a validator node. For one, you can’t get back any of what you stake until the Shanghai upgrade is complete – expected to come online in around Mar/Apr 2023. Will the date slip? Likely.
ETH currently is pretty much a “centralized” blockchain.
The centralization status of validator nodes and regulatory uncertainty may be two of the factors that account for ETH’s price post-merge slide of 22.8% in the last 7-day period.
Why the big hubbub? Well, centralization brings up consensus risk – where a 51% hijack could be possible. It’s the risk of collusion. Just as we discussed in our last post, two of the large thefts that occurred recently were due to compromised nodes that allowed approval of transactions that should not have been allowed.
Beyond centralization, there’s another risk that also played into ETH’s post-merge slide…
Development Schedule and Upgrade Risk
It’s a bit like Goldilocks and porridge – too hot, too cold, just right, interpreted as Rush to Release, Continuous Pushing of Release Dates, Hitting the schedule perfectly. (The latter almost NEVER happens; welcome to tech projects!)
But as stated in our last blog post, “too fast” can result in security issues, buggy code, and hacks that so far this year have cost over $2 billion and we’ve still got months to year-end.
Let’s focus on “Too Cold” – Continuous Pushing of Release Dates.
And I’ll add to that: Missing expectations with what does get released. This is an issue with almost all top blockchains: ETH, Cardano, and Solana to name three that immediately come to mind.
Managing Expectations is critical.
And with all of the Twitter, Discord, Telegram, and Reddit posts with users attacking different blockchains, by casting doubt or posting disparaging comments in the attempts to support their specific preferences, it can be super hard to manage the expectations well – but that’s one of the challenges of the Blockchain ecosystem, right?
Let’s take ETH merge to PoS – we all waited SO LONG for it to happen, after continuous pushes of the merge date – and rightly so – the devs were being super cautious as there was a TON at stake – but nonetheless, once the change happened – the move to PoS was only a consensus shift (the change to a deflationary token will likely be a long term upside). It meant nothing for the critical areas of transaction throughput or gas fee reduction – which are HUGE issues.
The merge to PoS only alleviated ONE issue, and that is ESG-compliance (Environmental Social Governance). And it’s big. The move to PoS cut energy use by 99% (to put in better perspective, it reduces GLOBAL energy consumption by 0.2%). And it sets up the next phases that will get rolled out, the first being the Shanghai upgrade.
Even though we knew that gas fees and transaction throughput wouldn’t be addressed, and PoS sets the stage for the next series of stages, the feeling post-merge was that of a let down, rather than a pump of excitement.
If we look at Cardano – it has taken huge heat being the tortoise not the hare.
And the Vasil hardfork, the latest update to the Cardano blockchain, appears to have met expectations: it will enrich smart contract capabilities, increase the chain’s throughput and reduce costs. Cardano’s price rallied pre-hardfork, just like ETH did pre-merge, and its price appears to be fairly stable at the pre-hardfork rally level.
A year ago – Cardano added smart contracts… and missed expectations.
As they learned, smart contracts were such a HUGE step, with so much excitement behind them, that when they launched, performance was so slow, and Plutus was implemented by some dapps that launched prior to enough testing, that the larger blockchain community came down hard on Cardano. At that time, Cardano dropped, a slide of approx. 26.5%.
Deja vu with what we just experienced with the ETH merge and price drops. Vasil so far has met the expectations, and while price isn’t surging (likely due to overall meta factors in the market), it’s not taking a dive.
Next up for Cardano will be focusing on layer-2 scaling with Hydra, which will further increase throughput. That is scheduled for late 2022 or early 2023. The tortoise seems to be on a roll.
Understanding patterns can help us better manage protocol and project risks
Now that we’ve handled Too Cold, let’s look at Too Hot – Rush to Release
That steps us right into the next set of risks.
Development Risk (and Dev Team Risk)
You could say that the rush to release also has big downsides and creates its own slew of issues. Solana is a good example. It seems that whenever the market is moving quickly – lots of volume, Solana goes down. This has been a consistent occurrence, even through repeated attempts to address and fix the issue.
Yet, they claim to be one of the fastest blockchains available. What gives?
And how much patience do people have to be liquidated out of a position because they cannot gain access to deposit additional collateral? How much loss will investors need to experience before they stop trusting the chain entirely? As I’ve said before, don’t mess with people’s money!
The big red flag to wave here is that fixing things AFTER they are in production is A LOT harder than building and testing PRIOR to production. We have a Hardhat cheatsheet and how-to guide that we wrote to help devs implement good testing practices.
But as with anything, it’s how they’re set up and the thoroughness of the tests that get run that is really the proof in the pudding.
Which brings me to Dev Team Risk:
- Does your dev team have a standard process they follow for dev / test / staging / production?
- Is there an ever-growing test suite that can be automated fairly easily and consistently to check for backward compatibility? Regression testing?
- And do you utilize Code Auditors and/or Bug Bounty programs?
- Are your devs disciplined?
- Or are they working at breakneck speed to get the project launched at all costs?
The risks are clear. Just have your eyes open – because if not done well, the hacks and theft resulting from uncaught bugs could cost you a lot more than your blockchain business dreams.
And that leads us into how things are decided…
Ask yourself these things:
- Can the team unilaterally decide to take a pretty risky action?
- What are the checks and balances?
- How are decisions made?
- Is there a DAO? If so, how decentralized is it really? The move to ETH PoS was made by less than 13% of the entire population of eligible voters.
Polkadot and Cardano have had a big focus on governance, and evolving their “decentralized” status to (hopefully) avoid SEC regulatory scrutiny.
There is so much to cover on Governance – it will make a good future blog post. Stay tuned for that!
Additional Risks that may come into play include:
Data Management & Privacy Risk
Review our blog post “Database for Web3 Dapps”, where we explore the immutable and public nature of any data stored on the blockchain – raising the question about scope of decentralized apps, and what actually needs to be stored on the blockchain. It’s also imperative to understand the potential blockchain privacy issues that you need to accommodate.
I’ll let you go check that blog post and get a sense for the issues around data management and privacy that need to be well managed as more sophisticated Dapps (beyond finance) start to get built. Suffice it to say, given privacy laws and regulations, this will be a big area for additional growth and development of Blockchain technology if it is to reach widespread adoption.
And don’t forget about risk with NFTs – are you selling anything more than metadata? Pay attention to where the underlying asset is stored and how that storage transfers when someone purchases an NFT.
Smart Contract Risk
The exposure of having a flaw in the logic of a smart contract is something that isn’t easy to fix after it’s been released on-chain – and could be devastating. Pay attention to the way your Smart Contracts are built (the logic flow) – as we wrote about in our “Smart Contract Design” and “Getting Started With Solidity Smart Contracts” posts.
Cryptographic Key Management Risk
This is a biggie – as two very large hacks (to the tune of $750 million combined) occurred through the compromise of private keys. Be careful where you store your keys and be sure to avoid a common/single location where they are sourced and/or stored. You can see more about the hacks that have occurred and the fixes here.
There are more risks, I’m sure – but this is a good list of things to consider and make sure that your project is being thoughtful, and the development and governance won’t put customers or yourselves at risk unnecessarily.
Blockchain risk management is real. Know the risks, account for them, and manage your exposure – do not ignore them or shove them under the rug, hoping nothing bad happens.
Best to take stock – and if you need a great dev partner, who understands these issues – to help you get things done and move you forward – reach out!