When we look back at the state of cryptocurrency in 2022, it’s easy to focus on the headlines. The news cycle was dominated, after all, by a handful of articles that captured the public’s attention with extraordinary stories, where digital currencies were stolen, hacked, laundered, and more. Like a soap, there was drama at every turn, including even tragedy - during the Luna crash, when the contagion effect between Luna and UST dropped the value of both in a never-ending death spiral, one man committed suicide after losing US$2 million.
While it’s important to pay attention to these twists and turns - narratives are indeed easier to remember - it’s equally important to examine the mechanisms that enabled them to occur in the first place. Doing so may help the cryptocurrency community avert similar disasters in 2023, and restore retail and institutional confidence in an industry reeling from a prolonged downturn.
Most of the exploits, failures, and issues in 2022 can be categorized into a few trends, all of which we should seek to curb.
Poor corporate governance - The news of poor corporate governance in tech is not a novelty. Within just the last five years, we saw the rise and fall of both Theranos and WeWork. The former was led by Elizabeth Holmes, who is now facing criminal charges for her role in fabricating data about her medical devices, while the latter was led by Adam Neumann, who engaged in many acts of self-dealing, including paying himself US$5.9 million for the trademark rights to the word “We.”
Cryptocurrency was pegged to be different in 2022. There should have been controls in place to prevent the corporate malfeasance that characterized the early Wild West days of the industry. But FTX proved the world wrong. On November 2, CoinDesk journalist Ian Allison made a stunning revelation: Alameda Research, the trading firm founded by Sam Bankman-Fried, held most of its funds in FTT, the token created by FTX, an exchange also founded by Sam Bankman-Fried.
Questions of impropriety aside, Alameda’s vast holdings in FTT, rather than a third-party asset like Bitcoin or Ethereum, cast doubts on the exchange’s solvency. Sure enough, the article triggered a chain of events that uncovered financial wrongdoing from Bankman-Fried, invited an acquisition attempt from Binance that was eventually aborted, and culminated in the firm’s bankruptcy just nine days after the initial story broke.
When John J. Ray III was appointed as FTX’s replacement CEO, he famously said, “Never in my career have I seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here,” implying FTX was even worse than Enron, a company he also presided over in the wake of its collapse.
The lack of corporate governance had been evident in many different ways. For one, FTX’s board of directors consisted of just Bankman-Fried, and a company representative rebuffed suggestions from a well-meaning venture capitalist to put one together with an unambiguous response. Without a board of directors, self-dealing abounded at FTX - from the company funneling US$8 billion of customer funds to sister company, Alameda, and even a loan of US$1 billion to Bankman-Fried. It even became evident that FTX has deliberately obfuscated the misuse of customer funds through software, which was just one of many knocks in an endless list showcasing the lack of financial controls.
While there is still debate on whether these behaviors represented intentional theft and fraud or just reckless business practices, analysts generally agree that it all could have been prevented with some semblance of corporate governance.
Proof of reserve - The poor corporate governance that plagued FTX could be addressed by proof-of-reserve, which will enable enterprises to show that they have control over the coins that they say they do. There are issues with how some businesses are handling PoR, however. Reportedly, some, such as Binance and HBTC, submitted their PoR without an auditor; others, such as Luno, Revix, Bitbuy, and Shakepay, did not follow the Merkle approach to user validation; and still, others took assets into account that did not have a cryptographic record, such as OKX, KuCoin, and Huobi.
For PoR to truly flourish as a safeguard on organizations (rather than just as marketing speak), it must be done by a third party. This auditor should provide transparency into the process of verifying the business has the correct value of customer funds, while protecting user privacy through hashing with a unique salt. But PoR needs to be taken a step further with proof of solvency. What good is it, after all, if a business has control of its funds if its liabilities exceed that value? The revelation of high liabilities could similarly trigger a bank run that would crater the business and its holdings.
The formula for PoS (Proof of solvency = proof of reserve + proof of liabilities) would go a long way toward ensuring a business can meet its obligations to all its stakeholders, from its customers to its creditors.
Social engineering - Cryptocurrency enthusiasts are viewed as technically savvy, leading the adoption of some of our world’s most cutting-edge solutions. But people in the ecosystem are just as susceptible to social engineering attempts as anyone else, as we witnessed in the Axie Infinity hack of US$620 million. This hack started from what seemed innocuous enough: an email.
Hackers affiliated with the North Korean government sent an email to a senior engineer at Axie Infinity, posing as company recruiters. The senior engineer was then led through a series of interviews for a position with a generous salary, which built enough plausibility for the worker to open an email containing the job description. The file infected the engineer’s computer, eventually giving hackers access to the Ronin blockchain. The hack could not have come at a worse time for Sky Mavis, the developer of Axie, as the players in emerging markets who quit their full-time jobs to earn from P2E were now spiraling into debt.
Affiliation with criminality - This is not so much a specific incident like the others on the list, but an ongoing issue. Ever since the advent of cryptocurrency, there were worries that bad actors would use it for criminal purposes, such as money laundering and sanctions evasion.
While crypto mixers were not developed to facilitate money laundering, bad actors use it to conceal illicit financial flows, including Lazarus Group, a North Korean cybercrime group.
Using notable crypto mixers as examples, the U.S. Department of Treasury brought this issue to the forefront. Built on Ethereum, Tornado Cash gives users a secret hash when depositing coins into the protocol’s liquidity pool. When the user intends to withdraw, he merely invokes his secret hash to prove ownership of the coins. In this way, Tornado Cash operates as a crypto mixer, while giving users the complete anonymity that would only be seemingly necessary for nefarious purposes, such as hacking. For example, the hacks used sanctioned mixer Tornado Cash to launder $2.34 million of funds in the TempleDAO hack.
Poor token design - In October 2022, decentralized finance platform Mango Markets lost more than US$100 million dollars. While some of the immediate reports classified the loss as a hack, the nature of the crime was more of an exploit, one that capitalized (quite literally) on loopholes in the smart contract protocol. Former FBI agent Chris Tarbell classified the scheme as market manipulation.
The scheme was quite clever. The perpetrator, Avraham Eisenberg, took different positions on MNGO tokens from two separate accounts, betting long on one and short on the other. He then used more funds to manipulate the MNGO price to go up and subsequently cashed out on the account banking on the token’s rise in value. Details of this scheme are public because Eisenberg has been very vocal about the incident, calling it a legitimate trading strategy. While he vowed to return some of the funds, he has since been charged with the Commodity Futures Trading Commission with violations against the Commodity Exchange Act.
Economic model exploits - Stablecoins are supposed to be, well, stable. Pegged to a relatively more stable currency like the US dollar, stablecoins are supposed to be less susceptible to the wild up-and-down price fluctuations that have characterized most cryptocurrencies. In 2018, Do Kwon of Terraform Labs, a graduate of the computer science program at Stanford University, created an algorithmic stablecoin. Built on the Terra network, the UST was backed by a sister token, Luna, the latter of which needed to be burned to create the former.
Some predicted that this mechanism would not work, and they were right. In May 2022, the Luna entered a death spiral, going from US$120 to US$.02 in the span of 48 hours. The loss was linked between the close relationship between the two tokens: People started to panic sell their UST for a slightly higher value of Luna, which drove more people to sell their UST, further lowering its price and encouraging more people to follow suit as its value continued to plummet.
With the wipeout of about US$60 billion in value from the Luna crash, the government may accelerate its plans to regulate stablecoins. In March 2022, the Biden administration proposed the regulation of stablecoins as part of an executive order on the responsible development of digital assets. 2023 could be the year that this idea evolves from proposal to policy, driven by the mounting pressure from consumers for more protective stablecoin regulation.
Looking ahead to 2023
As bad as some of these issues were in 2022 - especially if you experienced any of them first-hand - people should be bolstered by the fact that they are largely addressable.
As the industry matures, technologists will be more aware of possible exploits against smart contract protocols and economic models, DeFi aggregators that obfuscate the flow of funds, bridges that are used for chain-hopping and could also fall victim to exploits. Our soon-to-launch hackhub report contains more such insights for people who want to stay ahead of the curve.
New solutions related to security, privacy, and compliance shall emerge as part of what venture capital firm, A16Z, calls the “price-innovation cycle.” Cryptocurrency, of course, needs more than just technological innovation to succeed. Just as crucial is the regulatory environment. The recent sanctions against Tornado Cash, for example, have made it much more difficult to access the crypto mixer. More regulations and policies are needed to quash out tools like these that give the entire industry a bad name.
Finally, people in the industry should not just be cryptocurrency enthusiasts - they should be technologists, period. Central to this is advancing one’s knowledge of cybersecurity, especially as it relates to common hacks, such as spearfishing. More people embracing this orientation would bode well for our shared security since systems are only strong as their weakest link (the US$620 million Axie hack was again caused by a single bumbling engineer).
Innovations along these dimensions - technology, policy, and market education - suggest a more positive future for cryptocurrency in 2023. There may be light ahead of this crypto winter.