In the cryptocurrency space, a Proof of Keys campaign is akin to a Bank Run where clients – fearing liquidity of their deposit-holding institutions – withdraw all of their funds to prove that the funds are actually available. The collective action exposes custodians who through undisclosed hacks, fraud or any other reason do not have sufficient cryptocurrency on hand to cover deposits. On January 3, 2019 some cryptocurrency market participants orchestrated the first annual Proof of Keys movement. Yesterday marked the second annual Proof of Keys Day. Execution of this stress test of sorts lies within the cryptocurrency user community, however only a small segment actually participate. With recent reports of cryptocurrency exchange hacks robbing cryptocurrency holders of hundreds of millions of dollars, the apprehension is understandable, but is the Proof of Keys campaign a more effective way to guard against the failure of a Virtual Asset Service Provider (VASP) than regulation?
The leading practice for cryptocurrency exchanges is to store most digital currency in cold storage wallets that are not accessible by internet. A mass run on an exchange may result in significant amounts of cryptocurrency being transferred to hot wallets that are accessible to customers but also more susceptible to hacks. This creates a honeypot for cyber criminals and vulnerability for those exchanges with security shortcomings. It is tantamount to saying take the gold out of the vault and place it under the till. A false sense of security can also be established when only a fraction of depositors withdraw cryptocurrency from an exchange without incident. This does not guarantee that the exchange is solvent. Moreover, cryptocurrency users should be mindful that transferring funds to a cold storage device which they own and which stores their private keys does not necessarily mean that the user is in complete control of their cryptocurrency. Some cold storage devices are accessed through software platforms that insert an intermediary between the user and their cryptocurrency. A user can be prevented access through a bug in the platform software or through censorship by the platform VASP. Running a full node and transferring cryptocurrency to the node wallet is likely the best option, however this entails a node for each cryptocurrency held (bitcoin, ether, litecoin, etc.). With the Bitcoin blockchain sitting at about 250 GB in size setting up a full node may be impractical for many users.
Regulation may prove more effective than the Proof of Keys campaign. Cryptocurrencies reside on blockchains where analytics tools can be deployed to effectively monitor unusual activities in real-time, acting as an early warning system for custodians in distress. Coupled with insurance for cryptocurrency on deposit with regulated VASP’s, consumers could enjoy a similar level of comfort that they do with their traditional financial institutions.
As it stands today consumer protection in the cryptocurrency space is largely absent. Accordingly, some may feel that the Proof of Keys campaign is a necessary exercise if only to put VASP’s on notice that there is a chance that they may be exposed if they engaged in any financial shenanigans with customer deposits. However, with the FATF guidelines driving globally coordinated regulations in 2020, it may be time well spent getting engaged to influence regulatory provisions in such a way that they address concerns that brought about the Proof of Keys Day.
Jeff Bryan, BA, CBP, CCFP, CFE