Bitmex and Identity as an Attack Vector

OCT 05, 2020 • 4 Min Read

Jose Maria Macedo

Disclaimer: Delphi Ventures holds positions in ANJ and RUNE.

In crypto, anonymous founding teams have historically been seen as a risk. There are two main reasons for this:

(1) Reduced Informational Edge – Identity enables investors to determine whether a team has the necessary experience and track record to execute on its plans.

(2) Reduced Accountability – Identity acts as social capital that the team puts at stake in order to show their commitment to the project. Without identity, the costs of exit scams and rug pulls by founding teams go down. Even assuming no bad intentions, it’s much easier for an anonymous team to quit when times get hard, knowing they won’t have to live with the reputational consequences of failure.

Unsurprisingly, most VCs and institutional investors have historically chosen not to invest in anonymous teams. However, the Bitmex charges last week show us the other side of the identity tradeoff: in certain verticals, it’s impossible to truly succeed while having identity as an attack vector.

DeFi and Regulations

The promise of DeFi is to provide an open, borderless, permissionless, and self-sovereign financial infrastructure that operates in parallel to the traditional financial system. The success of Bitmex and more recently of DeFi shows that, despite how early we are in the industry’s development, there is clear demand for these services.

However, whether we like it or not, the aforementioned values clash directly with several financial regulations. In fact, in many core DeFi primitives such as exchange, derivatives, lending/borrowing and others, success means flouting various state-level regulations.

For instance, the Bank Secrecy Act applies to any “financial agency” facilitating transfers of money which could be used by US criminals to launder money. Crucially, a “financial agency” need not be a legal entity either, as it includes “a person, issuer, redeemer, exchanger, entity, depository trustee or agent or any collection of such persons”. As such, developers with admin keys, users who create front-ends, companies hiring individuals to work on the protocols and others who either enable or profit from the contract may all be in violation of the BSA.

While all DeFi protocols will be in the line of fire as they grow and become more economically significant, the easiest targets are those with centralization vectors such as admin keys, legal entities, bank accounts holding large amounts of money and public identities associated with the project team. Even before Bitmex, we’d already seen the beginnings of this process as IDEX was forced to implement KYC, the UniSwap front-end blocked users from 10 sanctioned countries and Bancor blocked US citizens as well as users from 20 sanctioned countries.

Moving Forward – The Identity Discount

While so far the industry has seen anonymity as a risk, we predict that events such as Bitmex will increasingly push us towards a world where identity becomes an even greater risk. This will necessitate a change in approach from projects which will need to more fully disconnect from traditional infrastructure and embrace the tools of decentralization.

Rather than projects starting off as foundations and/or LLCs with vague plans to eventually decentralize, we expect projects to increasingly look to start off as DAOs from the get-go, leveraging tools such as Aragon Agreements to allow for quicker decision making at the early stages.

Rather than identities and LinkedIn profiles, we will increasingly see the rise of pseudonymous on-chain reputation: cross-referencing wallet activity, proxies for time spent on networks, GitHub profiles, public forum contributions, Tweet threads and other factors which cumulatively make up a user’s reputation. Wallet activity in particular can be used to extract various behavioral profiles, as explained in this excellent post by Poolside Network, and when combined with the off-chain data mentioned above can create robust reputation scores for users. Like real-world reputations, we see these identities becoming extremely valuable, cashflow-generating assets, providing increased skin in the game for their bearers.

Rather than investors relying on the legal system and/or social capital to enforce the team’s incentives, we expect to see increased use of primitives such as DAICOs, Aragon Agreements + Aragon Court to help hold teams accountable. We also see token economic design playing an even more important role going forward as things like vesting schedules, token distribution, transparency and truly decentralized governance become paramount.
