In Mel Brooks' Spaceballs, the villains eventually pry the combination to the planet Druidia's defenses from the king: 1 - 2 - 3 - 4. "That's the stupidest combination I've ever heard in my life!" yells Rick Moranis, playing Darth Vader's comic alter ego, Dark Helmet. "That's the kinda thing an idiot would have on his luggage!" Maybe, but my reaction at the time was "Yep. That's me!" This was the mid-80's, a time as fake as now. Affectation infected us all. Which is why, back then, I carried around a leather attache case with a combination lock.
But it was set to 1 - 2 - 3. I never understood the point of having a combination lock on a briefcase. Anyone who really wanted what I was carrying (and why on earth would they?), could just take the damn case and slice it open with a box cutter. A combination lock on a briefcase only made sense if the case was booby-trapped -- like James Bond's, which reportedly self-destructed when Goldfinger's henchmen tried to force it open.
Goldfinger, you may recall, had an ingeniously Bond-villainous idea. He planned to explode a nuclear device inside Fort Knox in order to make the US gold reserve radioactive -- deadly for 10,000 years -- and thereby corner the gold market. Goldfinger had a relevant insight: I don't really have any gold if I can't use it, even if I still legally "hold" it. Call it Goldfinger's Touch.
Those simple 3 and 4-digit combinations may have been idiotic, but they were easy to remember. Today I have to keep track of a score of complex passwords, for everything from my bank account to the men's room door. Since I can't keep them all in my head, I have them all recorded on this app on my phone. I get at them with one master password -- the One Ring to rule them all! I also have them written down on a piece of paper somewhere. If I lose my phone or forget my master password, or can't remember in what safe spot I put that paper, then I have to go through the hassle of resetting a mess of passwords. But what if there's some I can't reset?
That's the problem facing Canada's largest cryptocurrency exchange, QuadrigaCX. A few weeks ago, I wrote about The DAO, and the Ethereum Hard Fork needed to prevent a smart-aleck coder from diverting a third of The DAO's assets to himself. http://www.brokeandbroker.com/4412/aegis-frumento-dao/. The Hard Fork required ether holders to go through some software hoops to properly implement it. Back then, in 2017, QuadrigaCX goofed up the coding, resulting in $14 million of ether being locked up in the Ethereum blockchain with no way to access it. That is the cryptoasset equivalent of Goldfinger's Touch. The ether was there, perfectly visible in wallets held by QuadrigaCX members, except they couldn't transfer it. To fix it, QuadrigaCX took $14 million out of its profits to make its members whole. https://www.coindesk.com/ethereum-client-exchange-14-million.
Lesson learned? Yeah . . . but not the right one.
Last December, QuadrigaCX's founder and CEO, Gerald Cotten, died while on a philanthropic mission to India. A tragedy for him and his family. And for QuadrigaCX's members, which they only discovered last week.
It seems that, in the wake of The Hard Fork debacle, Cotten decided to put certain QuadrigaCX access passwords into "cold wallets" for safe keeping. Cold wallets, or cold storage, sound more impressive than they are. They are just ways to store passwords off-line so they can't be hacked. Wikipedia describes all sorts of cold wallet devices -- from paper stored in real safes, to encrypted thumbdrives and CD-ROM disks -- each with its pros and cons. https://en.bitcoin.it/wiki/Cold_storage. My phone app with all my passwords is a cold wallet. It is relatively safe from hacking attacks. But among the dangers of cold wallet storage, including theft, fire, paper deteriorating, thumbdrive corruption and broken disks, Wikipedia lists the most obvious last: "If access to the wallet or knowledge of its location is lost, or encryption passwords are lost, the bitcoins are gone forever."
QuadrigaCX just filed for bankruptcy protection. It noted earlier this month that it was having technical issues accessing its members' hoard of ether. https://blockonomi.com/quadrigacx-loses-cold-storage-crypto/. It now seems that the issues weren't technically "technical." After Cotten died, no one else at QuadrigaCX knew how to get into the cold wallets that hold the cryptographic keys needed to transfer $140 million worth of its members' ether. https://www.cnbc.com/2019/02/05/millions-in-cryptocurrencies-frozen-after-quadriga-founders-death.html. With Cotton's demise, QuadrigaCX forgot its passwords. What would Dark Helmet say to that?
This is the stuff of comedy or tragedy, depending whether you own any of that ether. If you do, you really do still own it. It's all there on the Ethereum blockchain. You just can't use it. That's how Goldfinger's Touch works. But this farce also points to a critical aspect of cryptoasset regulation -- one centered on this question: What does it mean to have "custody" of a cryptoasset?
This is not entirely new. Rule 206(4)-2 under the Investment Advisers Act of 1940, the infamous Custody Rule, requires advisers to hold client funds and securities in the hands of a "qualified custodian." Great, if we're talking about typical cash and securities. But what if there's nothing to take custody of, such as non-trading interests in limited partnerships or private limited liability companies, which can only be transferred with the consent of the issuer? In those situations, the ownership is documented by a limited partnership agreement or operating agreement, there are no negotiable certificates or anything else that can be stolen or misplaced. In those cases, "custody" is a meaningless concept. But the SEC couldn't just let it go: for those ethereal assets, the Custody Rule requires instead that you meet certain financial audit and disclosure requirements.
And what, you might legitimately ask, does one have to do with the other? A couple of years back, I defended a client in an SEC case that included a Custody Rule violation on the side. We argued that financial reporting has no rational relationship to the safe custody of non-custodial assets. Had that case gone to trial, we were prepared to attack the Custody Rule itself, for being, in legal jargon, stupid.
And yet, custody may be THE regulatory issue when dealing with cryptoassets. Unlike its lame solution in the Custody Rule, the SEC needs to get it right this time. Goldfinger's Touch does not affect how the cryptoasset is "held." As we see with QuadrigaCX's quandary, who "holds" the ether is not the problem. The ether is perfectly safe -- too safe, if you will. The Ethereum blockchain sees to that, no regulatory help needed. The problem is rather that the ether is useless because it can't be transferred. Therefore, the first goal in regulating cryptoassets must be to ensure that the keeper of the cryptographic keys needed to transfer those assets does not lose them. The Custody Rule does not speak to this. No existing regulation really does, because until now, an irrevocably lost key posed no real danger. It only matters when the assets exist on a blockchain that won't transfer assets without proper passwords and that no person can override.
This also highlights a dilemma. If custody of the keys needed to transfer cryptoassets is regulated, then those keys must come under some form of centralized control. What, then, of the concept of the uncontrolled decentralized blockchain? The tension seems inevitable, because what happened at QuadrigaCX could happen to any coin exchange. I trust the blockchain to securely hold my assets; I don't need regulators to protect me there. But I can never really trust the keepers of the keys I need to transfer my assets. They, alas, are only human.