
The Impacts of Evolving Regulations on DLT Security



Rob Behnke

December 16th, 2024


The security of projects built using Distributed Ledger Technologies (DLTs), blockchain in particular, is notoriously poor. Outside the industry, frequent hacks are one of the things blockchain is best known for: several incidents with price tags in the millions in a single week are not uncommon. The problem is compounded by the fact that DLT transactions generally cannot be reversed, as they sometimes can be in the traditional financial system.

This poor security has several likely causes, including the relative youth of the technology and a lack of focus on security during development. Stronger security, however, is a prerequisite for mainstream usage and enterprise adoption.

Historically, regulations have lagged behind technology in the DLT space. However, several jurisdictions are working to open the doors to crypto, an action that might help advance DLT security.

Regulators and DLT

Many countries’ relationships with blockchain and other DLTs have evolved over the years. The technology was initially looked upon as a scam or a platform used solely for criminal activities. Over time, blockchain has achieved more mainstream acceptance and regulators, enterprises, and retail users have increasingly adopted it.

One of the most significant signs of DLT’s growing acceptance is the emergence of various laws and bills supporting and encouraging its use in different jurisdictions. 

Some examples include:

  • EU DLT Pilot Regime Regulation: This regulation created a regulatory sandbox environment for companies to explore how DLT could be used in the financial sector under certain controlled conditions.

  • Markets in Crypto-Assets (MiCA): MiCA establishes a single set of rules for crypto-assets across the entire EU.

  • UK Digital Securities Sandbox: A similar regulation designed to allow technological and regulatory experimentation with DLT in the UK.

  • Deploying American Blockchains Act of 2023: A bill introduced in 2023 that was designed to support the adoption of blockchain and other DLTs in the U.S.

These are some DLT-focused laws but not a comprehensive list. Laws that are not DLT-specific, such as NIS2 in the EU, could also encourage adoption, since decentralized ledgers and the smart contracts running on them can offer greater availability and resilience than traditional, centralized IT infrastructure.

Likely Effects of Regulations on DLT Security

While Institutional DeFi is on the rise and regulators are increasingly accepting of blockchain technology, that doesn’t mean they are likely to accept the DLT ecosystem in its current state. For example, one of the most common enterprise applications of DLT is in the financial industry, one of the most tightly regulated sectors in business. While regulators are willing to embrace the technology and its differences from traditional systems, they are likely to hold enterprises to the same standards as for traditional infrastructure wherever possible.

This means that projects working in the DLT space will need to make certain changes, including the following:

KYC/AML

The vast majority of countries have some form of anti-money laundering (AML) regulation in place. Financial institutions are required to know who their customers are and not support organized crime, terrorism, etc.

While many exchanges have know your customer (KYC) systems in place, this isn’t true of all DeFi projects. With greater institutional adoption, a project may need to be able to show that it isn’t providing services to organized crime groups, sanctioned entities, residents of sanctioned countries, etc. This is harder in the DLT space, where the network is global and transactions are performed by pseudonymous accounts: an address is not tied to a verified identity, but its entire transaction history is public.

Additionally, projects may have to implement more in-depth and intelligent AML protections, such as monitoring transaction flows for patterns associated with money laundering and screening counterparty addresses against sanctions lists.
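As an added illustration of the two AML checks just described (this is example code written for this article, not Halborn's tooling or any project's production monitor), the block below screens a constructed batch of transfers against a hypothetical sanctions denylist and flags structuring: repeated transfers that each stay just under a reporting threshold from one sender inside a short window. The addresses, transaction hashes, denylist entry, threshold and window size are all made-up placeholders.

```python
"""Added example (not Halborn's code): two AML screens run over a constructed
sample of on-chain transfers.  Addresses, the denylist and the USD threshold
are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical denylisted address (placeholder, not a real sanctioned address).
DENYLIST_ADDR = "0xbad" + "0" * 36 + "1"
DENYLIST = {DENYLIST_ADDR}

THRESHOLD_USD = 10_000        # assumed reporting threshold
JUST_UNDER_FRACTION = 0.90    # 90%..100% of the threshold counts as "just under"
STRUCTURING_MIN_COUNT = 3     # this many just-under transfers from one sender...
WINDOW_SECONDS = 24 * 3600    # ...inside this sliding window is flagged


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    timestamp: int      # unix seconds
    sender: str
    receiver: str
    usd_value: float


def screen_denylist(transfers):
    """Return (tx_hash, address) for every transfer whose sender or receiver
    is on the denylist.  Addresses are compared case-insensitively because a
    checksummed and a lower-case spelling denote the same account."""
    hits = []
    for t in transfers:
        for addr in (t.sender, t.receiver):
            if addr.lower() in DENYLIST:
                hits.append((t.tx_hash, addr.lower()))
    return hits


def detect_structuring(transfers):
    """Return {sender: [tx_hashes]} for senders that made at least
    STRUCTURING_MIN_COUNT just-under-threshold transfers within any
    WINDOW_SECONDS window.  Splitting one large transfer into several that
    each stay under a reporting threshold is a classic laundering pattern."""
    lo = THRESHOLD_USD * JUST_UNDER_FRACTION
    by_sender = defaultdict(list)
    for t in sorted(transfers, key=lambda x: x.timestamp):
        if lo <= t.usd_value < THRESHOLD_USD:
            by_sender[t.sender.lower()].append(t)

    flagged = {}
    for sender, txs in by_sender.items():
        start = 0
        for end in range(len(txs)):            # sliding window over time-sorted txs
            while txs[end].timestamp - txs[start].timestamp > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= STRUCTURING_MIN_COUNT:
                flagged[sender] = [t.tx_hash for t in txs[start:end + 1]]
                break
    return flagged


# Constructed sample: a base timestamp plus offsets; every value is made up.
_T0 = 1_700_000_000
SAMPLE_TRANSFERS = [
    # 0xA11CE splits ~$29k into three just-under-threshold transfers in 2 hours.
    Transfer("0xa001", _T0,        "0xA11CE", "0xE001", 9_500),
    Transfer("0xa002", _T0 + 3600, "0xA11CE", "0xE002", 9_800),
    Transfer("0xa003", _T0 + 7200, "0xA11CE", "0xE003", 9_900),
    # 0xB0B: one just-under transfer and one above threshold; not structuring.
    Transfer("0xb001", _T0 + 100,  "0xB0B",   "0xE001", 9_950),
    Transfer("0xb002", _T0 + 200,  "0xB0B",   "0xE002", 12_000),
    # 0xCA401 pays the denylisted address (spelled in mixed case).
    Transfer("0xc001", _T0 + 300,  "0xCA401", DENYLIST_ADDR.replace("bad", "BAD"), 100),
    # 0xD4VE makes three just-under transfers but days apart; outside the window.
    Transfer("0xd001", _T0,             "0xD4VE", "0xE001", 9_600),
    Transfer("0xd002", _T0 + 2 * 86400, "0xD4VE", "0xE002", 9_600),
    Transfer("0xd003", _T0 + 4 * 86400, "0xD4VE", "0xE003", 9_600),
]

if __name__ == "__main__":
    print("denylist hits:", screen_denylist(SAMPLE_TRANSFERS))
    print("structuring:  ", detect_structuring(SAMPLE_TRANSFERS))
```

Two practitioner points the code makes explicit: address matching must be case-insensitive (and, in production, against a maintained list rather than a literal), and a structuring rule needs both a value band and a time window, otherwise a sender who legitimately makes a $9,600 payment once a week gets flagged, as 0xD4VE is deliberately not.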

Code Audits and Review

Smart contracts are one of the biggest selling points of blockchain and other DLTs for enterprises and regulators. The ability to run code on the decentralized blockchain has potential benefits for availability, resiliency, transparency, and decentralization.

However, the current state of smart contract security is poor overall, even compared to traditional IT. Blockchain's largely open-source nature makes it easy for projects to copy code from one another, bugs included, and anyone can deploy a dApp on-chain. Smart contracts and contract upgrades are often deployed without a comprehensive security audit, leaving them open to exploitation, and because the contract holds funds from the moment it is live, a flaw is typically drained before it can be fixed.

With expanded involvement and investment from traditional financial institutions will come a greater need for enhanced code security. One of the most significant impacts of Institutional DeFi will likely be the adoption of application security (AppSec) best practices for smart contracts. While the tools and resources exist for the DLT space to implement strong security, projects are largely not motivated to use them since hacks are common and cause limited reputational damage.

Data Protection and Privacy

Blockchain and data privacy laws have a complex relationship. On one hand, DLTs use pseudonymous accounts rather than verified identities, which helps privacy. On the other, the immutability and transparency of a public ledger make it difficult for blockchain-based projects to comply with laws such as the EU’s General Data Protection Regulation (GDPR): personal data written on-chain cannot later be erased or rectified, and pseudonymous data still counts as personal data under GDPR if it can be linked back to an individual.

As blockchain use cases expand, projects will need to find ways to process more personal and private data while complying with data protection laws. The usual approach is to keep the data itself off-chain and write only commitments or proofs to the ledger. Zero-knowledge proofs (ZKPs), which let a party prove on-chain that data satisfies some property (for example, that a user passed KYC or is above a given age) without revealing the data itself, may be critical to many future applications of DLT.
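The block below is an added example, not code from this article or from any Halborn project, of the simplest building block of the off-chain-data pattern: a salted hash commitment. Only the commitment is written to the (simulated) append-only ledger; the personal record and its salt live off-chain, where they can be revealed to a verifier or erased. It is a commit-and-open scheme, not a zero-knowledge proof: a ZKP would additionally let the holder prove a property of the committed data without opening it at all. The example also shows why the salt is essential, by recovering an unsalted hash of a date of birth through plain enumeration. The registry class, subject ID and date of birth are hypothetical.

```python
"""Added example (not Halborn's code): personal data kept off-chain with only a
salted hash commitment on the immutable ledger.  Demonstrates (1) verifying an
opening while the subject is enrolled, (2) erasing the off-chain record even
though the ledger cannot be rewritten, and (3) why the salt matters: an
unsalted hash of low-entropy PII is reversed by enumeration."""
import hashlib
import hmac
import os
from datetime import date, timedelta


def commit(record: bytes, salt: bytes) -> str:
    """Commitment = SHA-256(salt || record).  A 32-byte random salt makes the
    commitment hiding: without the salt, enumerating plausible records cannot
    match it."""
    if len(salt) < 16:
        raise ValueError("salt too short to hide a low-entropy record")
    return hashlib.sha256(salt + record).hexdigest()


def verify_opening(commitment: str, record: bytes, salt: bytes) -> bool:
    """Verifier-side check of a revealed (record, salt) pair."""
    return hmac.compare_digest(commitment, commit(record, salt))


def unsalted_hash(record: bytes) -> str:
    """The naive 'just store the hash on-chain' approach, for comparison."""
    return hashlib.sha256(record).hexdigest()


def recover_dob(digest: str, first=date(1920, 1, 1), last=date(2010, 12, 31)):
    """Try every ISO date in the range (~33k candidates) against the digest.
    Returns the matching date, or None if the digest is not an unsalted hash
    of a date in that range."""
    d = first
    while d <= last:
        if hashlib.sha256(d.isoformat().encode()).hexdigest() == digest:
            return d.isoformat()
        d += timedelta(days=1)
    return None


class CommitmentRegistry:
    """Hypothetical registry: `chain` is append-only (the ledger);
    `off_chain` is an erasable store holding the actual PII and salts."""

    def __init__(self):
        self.chain = []
        self.off_chain = {}

    def enroll(self, subject_id: str, record: bytes) -> str:
        salt = os.urandom(32)
        c = commit(record, salt)
        self.chain.append(c)                 # only the commitment goes on-chain
        self.off_chain[subject_id] = (record, salt)
        return c

    def opening(self, subject_id: str):
        """Reveal (record, salt) to a verifier who holds the commitment."""
        return self.off_chain[subject_id]

    def erase(self, subject_id: str) -> None:
        """Erasure request: drop record and salt.  The on-chain commitment
        remains, but is now unlinkable to any data."""
        del self.off_chain[subject_id]


def demo() -> dict:
    """Run the enrol / verify / erase flow and the two recovery attempts."""
    reg = CommitmentRegistry()
    dob = b"1987-03-14"                      # hypothetical date of birth
    c = reg.enroll("subject-1", dob)
    record, salt = reg.opening("subject-1")
    result = {
        "opening_verifies": verify_opening(c, record, salt),
        "wrong_record_rejected": not verify_opening(c, b"1987-03-15", salt),
        "unsalted_hash_recovered": recover_dob(unsalted_hash(dob)),
        "commitment_recovered": recover_dob(c),
    }
    reg.erase("subject-1")
    result["chain_unchanged_after_erase"] = reg.chain == [c]
    result["record_gone_after_erase"] = "subject-1" not in reg.off_chain
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The unsalted digest of a date of birth falls to a loop over roughly 33,000 candidates in well under a second, which is why hashing PII and putting the hash on-chain does not by itself make the data non-personal under GDPR; the salted commitment survives the same loop, and destroying the salt is what turns an erasure request into something a project can honour on an immutable ledger.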

Preparing for Institutional DLT and Enhanced Regulation

One of the biggest challenges in the DLT space is the lack of clear regulation. Official views of the technology and its potential applications can change rapidly and unpredictably, and laws often lag behind the technology. A classic example is the long struggle in the U.S. to decide whether a given crypto-asset should be treated as a commodity or a security for regulatory purposes, and therefore which regulator has jurisdiction over it.

The regulatory landscape has been shifting toward greater acceptance of DLTs; however, this also means that DeFi and other on-chain projects need to begin prioritizing security to comply with regulatory expectations and requirements. For help in assessing the security of your project and positioning it for regulatory, institutional, and mainstream acceptance and adoption, reach out to Halborn.

© Halborn 2024. All rights reserved.