Photo of Jared Butcher

Have you ever wondered how blockchains can be considered secure even though hacks of cryptocurrency exchanges routinely make headlines?  Or whether distributing a permanent ledger to every participant in a network might run afoul of privacy laws and regulations?  Data security and privacy are frequently part of the conversation about blockchain and technology in general, and they raise complicated legal issues for practitioners and clients to consider.
Continue Reading An Overview of Blockchain Cybersecurity Risks and Issues

Government regulators are increasingly focused on blockchain and cryptocurrency activity, a development that some, such as IMF head Christine Lagarde have called inevitable. In the US, the Financial Crimes Enforcement Network (FinCEN), the Commodity Futures Trading Commission (CFTC), and the Securities and Exchange Commission (SEC) have issued statements, enforcement actions, and penalties involving blockchain and cryptocurrency activities, and they are not the only agencies monitoring these activities.  As a result, it is important for industry participants to be prepared to respond to potential regulatory inquiries.

This is why Steptoe has partnered with Thomson Reuters to publish a “one-stop” guide to the regulatory landscape and best practices for responding to blockchain and cryptocurrency-related investigations.
Continue Reading A “One-Stop” Guide to Blockchain Regulation and Best Practices for Responding to Investigations

This post builds on our previous exploration of indemnification for smart contract risks.  Today, we suggest three tools to address these risks:  (1) cybersecurity insurance policies, (2) indemnification agreements with outside vendors, and (3) “make whole” agreements among the smart contract parties themselves.  Collectively speaking, insurers, vendors, and other contract parties can provide the best source of indemnification, assuming that the proper contractual arrangements are put in place.
Continue Reading Three ways to indemnify your business (or your client’s business) from smart contract risks

A Canadian digital currency exchange (QuadrigaCX) reported recently that a malfunction in a smart contract is responsible for a $14 million dollar loss of the cryptocurrency ether.  You can read more about the company’s technical explanation here, but the upshot is that a software upgrade performed by the company had an error in the code that prevented the smart contract from properly processing incoming amounts of the cryptocurrency Ether.  The error was not caught for a few days, and during that time, Ether sent to the company’s exchange was “trapped” in the smart contract.  Based on Ether’s current price, the amount of “trapped” Ether is valued at approximately $14 million.  It may go without saying, but the risk of currency becoming trapped inside a contract—and therefore rendered unusable, even though it technically remains in the possession of the owner—is not a risk traditionally associated with commercial transactions.  As the QuadrigaCX situation illustrates, smart contracts introduce novel risks that may increase exposure to financial losses.  In this post, we suggest that these risks and losses may be mitigated through proper indemnification; however, a review of existing insurance policies should be undertaken to determine if they provide coverage or, alternatively, if additional coverage should be procured.

Continue Reading My smart contract just ate $14 million—now what? Re-thinking indemnification for smart contract risks.

It is no secret that smart contracts have vulnerabilities.  Today’s post suggests a mix of best practices to limit potential liabilities that may arise when vulnerabilities interfere with smart contract performance.

But first, some background:  One recent survey of 19,366 Ethereum-based contracts found vulnerabilities in 45% of them.  Perhaps the most publicized example of a vulnerability was the DAO hack in June of last year, but hacking is certainly not the only way that smart contracts may be compromised.  There is potential for manipulation by insiders, which is of particular concern for smart contracts that operate based on “proof of stake” protocols, given the ongoing concerns that those protocols will not be effective in ensuring that the parties play by the rules.  Even without intentional interference by hackers or insiders, smart contracts may have software bugs that disrupt performance, and there is the possibility of unintended outcomes if the smart contract’s code fails to anticipate an unusual situation.  (Consider, for example, a complicated contractual pricing formula that depends on several variables and may cause the price to drop or skyrocket simply because the variables align in unanticipated ways.)

Continue Reading Best Practices for Limiting Liability Arising from Smart Contract Vulnerabilities

We have suggested previously that arbitration may be a preferable alternative to court for smart contract disputes to (i) ensure a knowledgeable decision-maker handles the dispute, (ii) protect proprietary information, (iii) gain flexibility in scheduling and procedures, and (iv) pre-select the right forum.  Of course, arbitration doesn’t happen on its own – it typically requires a properly drafted arbitration clause.  This article provides several suggestions to consider on that point.

Notwithstanding all the hype associated with smart contracts, the real-world applications on the immediate horizon make use of distributed ledger technology (DLT) in ways that are not likely to necessitate fundamental changes in the dispute resolution procedures in those contracts.  Consider the example of commercial lending.  A smart contract may include protocols for the use of DLT to disburse loan proceeds and manage payments, but the inherent limits of the technology make it ill-suited to resolve a borrower’s default, leaving that circumstance to be addressed by the legal terms in the contract in the same way a default would be addressed under a traditional contract. That said, there are some aspects of the arbitration clause that should be re-considered when dealing with smart contracts:

Continue Reading Tips for Drafting Arbitration Clauses in Smart Contracts

Many in the blockchain industry expect smart contracts to enjoy significant (perhaps exponential) growth in real-world applications beginning this year.  This was the general consensus at the industry’s first ever Smart Contract Symposium in New York City this past December.  More than 250 leaders in blockchain, finance, law, and other industries gathered at the Microsoft Technology Center to discuss and promote the adoption of smart contracts for commercial use.  The Digital Chamber of Commerce followed up with a whitepaper identifying twelve business use cases for this technology, ranging from simple identity verification and payment processing to more complex processes like supply chain management and even cancer research.

The bottom line is smart contracts are coming (and may have arrived already for some).  No doubt smart contracts will offer many benefits in terms of decreased transaction costs and increased transparency and security, but even the best-designed smart contracts may deviate at times from the outcomes anticipated by the parties and may have vulnerabilities that can be exploited by the parties or outsiders.  So what happens when contract disputes arise?  Particularly if you are in-house counsel (or if you count in-house counsel among your clients), how can you be sure that the historical best practices for dispute resolution will continue to yield optimal results?  Or even tolerable results?

Continue Reading Four Reasons to Put an Arbitration Clause in Your Company’s Smart Contracts

The election cycle has reached its predictable fever pitch, and one issue receiving particular attention this year is the vulnerability of electronic voting systems to tampering, either intentionally (think hacking or voter fraud) or unintentionally (think hanging chads or lost ballots). Although it is unlikely that a consensus solution will be implemented in the near future, experts in both public and private sectors are advocating a technology upgrade for America’s voting systems, and blockchain technology may offer the best hope of eventually cyber-securing our elections.  Potential applications of blockchain technology are still in their infancy, but voting systems that adopt the technology may be able to provide significantly higher levels of certainty, transparency, and security, making elections much more efficient and much less susceptible to fraud, hacking, or simple human error.

An estimated 70 percent of states use some form of electronic voting, but aging technology has increased the susceptibility to insider manipulation and hacking. In one incident drawing national attention last year, Virginia decertified certain electronic voting machines, after state officials determined that the machines posed a serious risk of being compromised by hackers.  This year, experts have repeatedly demonstrated the ease with which some electronic voting machines can be tampered with.  Recent examples include a team at Symantec and Princeton professor Andrew Appel, both of whom conducted successful mock hacking exercises to illustrate the risks facing this year’s election.  In August, the Senate Homeland Security Committee warned that “a cyberattack by foreign actors on our elections systems could compromise the integrity of our voting process.”

Perhaps the most prominent election-related security breach this year, however, involved the release of Democratic National Committee and Clinton campaign emails obtained by hackers. Although not related to voting machines, these hacks demonstrate the risks posed by the growth of online voting, which is now offered by 32 states mostly for military and other citizens located abroad. In short, online voting exponentially increases the accessibility of the system, which exponentially increases the associated threats.  In fact, the Department of Homeland Security’s cyber-division has warned against the adoption of online voting for any elections at this time, due to risk of tampering and potential loss of voter privacy.

Continue Reading Is a Tamper-Proof Election Possible with the Blockchain?