Introduction

Bitcoin and follow-on cryptocurrencies or tokens are open source innovations. There is no gatekeeper determining who may and who may not build these networks, and modifying them or building them from scratch requires nothing more than an Internet-connected computer. This permissionless ecosystem for invention is one of the reasons we should celebrate and support the technology: it helps to break down many of the structural barriers that divide us, whether as producers and consumers, banked and unbanked, or rich and poor. The openness of the ecosystem also means that many will misuse the technology for selfish and malicious reasons. It is the goal of this report to help regulators, in particular securities regulators, identify the scams from the true innovations.

Part I of this report will give securities regulators, and anyone else interested, an overview of the large and ever expanding landscape of cryptocurrencies and derivative innovations (e.g. decentralized computing systems and tokens). Part II will break down the salient variables that could make a token look more or less like a security and the relevant risks to investors, and Part III will offer policy goals that a regulator in this space may wish to pursue. Before delving into these details, however, some background on Bitcoin and tokens generally may be helpful. Persons well-acquainted with the technology may, however, wish to skip ahead to Part II.

Bitcoin, Cryptocurrencies, and Tokens: What are they to Regulators?

It’s prudent to start with a brief overview of Bitcoin. Bitcoin is the original cryptocurrency; the first truly decentralized network for sending and receiving value over the Internet. Since Bitcoin’s invention in 2008,1 several “forks” (modified versions) and derivative innovations have emerged. Rather than refer to these derivatives as cryptocurrencies (a limiting term that implies use as currency) we shall generally use the broader term “token” unless speaking specifically about currency-focused projects. Irrespective of terminology, the fundamentals of these new tokens can vary, and some may functionally resemble securities when marketed and sold to investors.

Cryptocurrencies and tokens, broadly, are truly innovative. That is to say, they present an arrangement of technological components that is so novel and varied as to defy categorization as any traditional asset, commodity, security, or currency.

At root, units of a cryptocurrency are scarce items that can be exchanged and may have market value despite the fact that they have no institutional issuer or legally-promised redemption. In this sense, cryptocurrencies are somewhat like valuable commodities (e.g. gold or platinum). However, unlike gold or platinum, cryptocurrencies are entirely non-tangible. That is not to say, however, that they exist only in the minds or promises of men and women. In a literal sense, a bitcoin is a unique answer to a math problem and proof that you solved that problem2 or else had the unique record of the solution transferred to your control.3 There are a finite number of solutions to the math problem as it has been devised,4 and finding those solutions takes genuine effort.5 This too can be analogized to a precious metal: there is a finite amount of gold to be found and effort is required to find it.

The decision to value these finite solutions and therefore make the effort to uncover them can also be analogized to gold. Men and women need not seek gold. The value placed on gold by society is largely a sort of mutually shared desire or—less charitably—illusion. We could, instead, seek platinum or silver for use as a medium of exchange, store of value, or decorative object. Similarly, those interested in cryptocurrencies could seek answers to alternative math puzzles. A particular cryptocurrency, say Bitcoin, could even change its underlying math puzzle. However, such a change would be more like the collective actions of gold miners choosing to instead mine silver, and less like a single government choosing a different asset, or no asset, to back its paper currency.

Regardless of the particular analogies used to explain the technology, regulators will continually look at how a token is employed, what work it helps a user accomplish, and they will thus classify these activities as within or without their regulatory purview. The “how it is employed” question will always be more significant to any regulatory policy than the abstract and metaphysical “what is it” question. The unintended result, however, will necessarily be a confounding cavalcade of seemingly contradictory conclusions: “bitcoin is a commodity” (per a 2015 CFTC ruling6) “bitcoin is property” (per IRS guidance7) “bitcoin is virtual currency” (per FinCEN guidance8) “bitcoin is money used for money transmission.” (per various state money transmission regulators9).

Compounding the complexity of this analysis is the fact that Bitcoin’s underlying blockchain—the shared ledger that lists all transactions on the network—can also be used as an irreversible public broadcast channel for any recordkeeping or recordkeeping-related purpose.10 The original and still primary use of the Bitcoin blockchain is moving scarce tokens, or to quote François Velde of the Chicago Federal Reserve, “Bitcoin is a system for securely and verifiably transferring bitcoins.” Blockchains, however, can and are beginning to be used for securely and verifiably transferring other financial assets (by, e.g., Nasdaq11), identity credentials (by e.g. Blockstack12), automobile loans (by e.g. Visa13), document notarizations (by e.g. Proof of Existence14), machine-to-machine messages on the Internet of Things (by e.g. IBM15), and more. And even if the Bitcoin blockchain is being used for these alternative purposes, some amount of bitcoin will always be involved in order to write to the ledger, even if it is a nominal amount.16 Within these various uses will lie some obviously regulated activities, such as platforms for trading securities, but also many generally unregulated activities, such as trading and transferring tickets to a concert or keeping records of online video views and charging for access.

As a final complication, Bitcoin is an open source innovation; its codebase can be “forked”17 in order to make derivative tokens, similarly it can be a source of inspiration for all manner of new projects. These projects may simply use the scarce, fungible, and transferrable nature of a Bitcoin-like token to represent a legal right. For example, the token may represent a claim on the issuer’s future revenue or a claim to valuable physical assets or funds that the issuer secures. Many of these issuer-backed tokens may, transparently, be securities. Other token projects seek to decentralize an online service, just as Bitcoin effectively decentralizes online money transmission, and the tokens that power these networks may more closely resemble valuable commodities used within the ecosystem

At a conceptual level, Bitcoin is a network of strangers who provide an online service — electronic money transmission and value storage. The bitcoin software (specifically its consensus mechanism) and its verifiable public ledger (the blockchain) ensure that participants perform this service faithfully, thus obviating the need for service-users to trust any particular service-provider within the network. The Bitcoin “cryptocurrency” or “token,” itself, is simply a scarce unit of value, and the blockchain is a public ledger that accounts for the global distribution and transfer of this scarce unit amongst participants. This scarce unit is algorithmically and automatically awarded to the participants based on their efforts to power the service, thus incentivizing and rewarding honest participation in the open network. The scarce unit is also the medium of exchange that users of the service must obtain and then utilize in order to pay for that service. If I want to pay a friend by making a Bitcoin transaction I will need to attach a bitcoin-denominated fee to my transaction that will incent miners to put my transaction into the blockchain, thus indicating to the world that I’ve paid my friend.

That conceptual model can then be applied to other online services beyond money transmission. For example, a network of strangers organized through software and public ledgers could be incentivized to provide cloud storage services or cloud computing services, and a scarce unit inherent to that network could be used as a medium of exchange and an automatic reward for honest participants who help provide the service by offering storage or computational power to the network.

“Scarce unit” is an unwieldy phrase to say the least. Because cryptocurrency development is an open source movement, no one has the last say regarding what anyone of these things should be called, and several terms are used reflecting the various purposes that any particular scarce unit might service within a decentralized service, most prominently: cryptocurrency, token, or coin. These terms are used without precision and interchangeably. The particular term is immaterial as compared with the general idea represented: a scarce unit used as a medium of exchange and reward for participation amongst a network of strangers that collaborate to provide a service. Again, for the remainder of the report we shall use the term broader term “token” to describe the scarce-units in both currency-focused projects as well as non-currency focused projects.

The first section of this report will further explain “forking” and new tokens. The second section will identify distinctions amongst various types of tokens and the risks suggested by these distinctions.18 The final section will offer a rubric that securities regulators may find instructive when determining whether a particular token is or is not being used as a security or investment contract.19

A Primer on Forks, New Cryptocurrencies, Tokens, and Tokens on Top of Token Networks

Forking Software

Fundamentally, Bitcoin or any other token network is merely software running across a network of peers20 that creates and maintains a shared ledger21 accounting for holdings of a scarce token.22 Bitcoin’s network software is open source, so it can be duplicated and modified without seeking a license from the copyright holder.23 Most other token networks also utilize open source software, meaning that they too can be copied and modified to create derivative innovations. These modifications can result in software that remains compatible with the parent network or ceases to be compatible. Changes that do not break compatibility are sometimes referred to as changes to the software’s policy rules. Changes that do break compatibility will necessarily be changes to the software’s consensus rules—referring to the rules upon which the entire network must agree.

An example of a policy rule could be: refuse to relay transactions sending less than a certain amount of bitcoin.24 Some examples of the consensus rules within the Bitcoin core software are:

Miners of new blocks may only create a certain number of new bitcoins; currently 12.5. 25

Transactions must have correct ECDSA signatures 26 for the bitcoins being spent. 27

for the bitcoins being spent. Transactions/blocks must be in the correct data format.

Within a single blockchain, a transaction output cannot be double-spent.28Creating any custom modification of core protocol software is called “forking the code.”29 The term “forking” can be tricky to understand in the context of tokens because the term is also used to refer to a split in the network’s shared ledger—a “fork in the blockchain.”30

Forking Blockchains

Running forked software that does not alter the consensus rules does not “fork” the blockchain; users of this software will agree with the parent network over the state of transactions on the ledger. To give an example, if someone wants to develop new Bitcoin mining software that is compatible with the existing Bitcoin network but better utilizes her own particular mining hardware, then she may fork the original Bitcoin core software and take care to not alter the consensus rules. She is running forked software but her mining activity does not fork the Bitcoin blockchain.

By contrast, developing and running forked software that does alter the parent network’s consensus rules will result in either a brand new blockchain or a fork of the parent blockchain (depending on whether the fork is backwards compatible—i.e. the software recognizes previously mined blocks in the parent blockchain as authoritative). Peers running this new software will recognize an alternative set of confirmed transactions (as compared with the list of transactions on the parent blockchain) on their own new network as authoritative.

Whenever a group of networked peers persist in running forked software with alternative consensus rules that—therefore—create an alternative blockchain, then these peers will effectively be creating a new token network and new tokens. The new blockchain will account for holdings of the new scarce token, and participants will be able to use the new network software to send these tokens to each other. Some early examples of token networks whose underlying software was forked from Bitcoin’s codebase include Litecoin,31 Dogecoin,32 and Peercoin.33 New token networks have also forked off from projects other than Bitcoin. For example Paycoin forked from Peercoin and Ethereum Classic forked from Ethereum.

Some varieties of forked token software recognize a common transaction history with their parent chains up until the moment of the fork. For example, Ethereum Classic forked from Ethereum and Bitcoin Cash forked from Bitcoin and both forks recognize pre-fork transactions from their parent blockchains as valid. Other forked token software starts from scratch with a new blockchain that does not include historical transactions from the parent chain. For example, Litecoin and Paycoin are forks of Bitcoin and Peercoin respectively but they did not adopt their parent chain’s transaction history.

When a forked token network recognizes a parent chain’s transaction history, users of the parent network, if they choose to also use the new network, will find that they have an equal number of the new-network tokens as they had tokens on the parent network at the time of the fork. Users can spend or use these new tokens without affecting the disposition of their tokens on the original network and vice versa.

Developing New Software from Scratch and Airdrops

Rather than fork a version of an existing token network’s software, a developer may also start truly from scratch in order to create a new network, selectively borrowing elements of prior cryptocurrency software or writing the code anew. A notable example of a from-scratch cryptocurrency is Ethereum.34

The first block in a from-scratch network’s blockchain would typically be empty because at the inception of the network no one yet has any tokens with which to transact. Alternatively, the developers of the new network could hard-code their own desired set of initial transactions and account balances into the first block. This could list certain amounts of tokens as belonging to addresses already generated by the developers as a reward for their work to develop the new network software, or it could assign new tokens to addresses created for investors who financed these development efforts. Releasing cryptocurrency software with a hard-coded first block and some initial distribution of tokens is referred to as a “pre-mine” and will be discussed further in the section on distribution.35

Developers could even set the first block to initiate with a transaction history copied from a moment in some other blockchain. A developer could, for example, decide that the first block of NewCoin will have the exact same set of positive balances corresponding to addresses on the Bitcoin blockchain at midnight Jan 1, 2018. This mode of distribution is referred to as an “airdrop” because users of the parent blockchain suddenly have access to a corresponding number of tokens on the new network as if they’d been airdropped onto them. As with a forked blockchain, users of the parent chain can, if the so choose, freely spend or utilize the airdropped tokens without affecting the disposition of their tokens on the parent chain.

Tokens on Top of Token Networks

Further complicating matters, several networks, most prominently Ethereum, are designed to empower their users to create further bespoke tokens “on top of” the parent network. The minting and transmission of these new tokens and their use is policed and described by the consensus mechanism and blockchain of the underlying network. For example, a random Ethereum user can create 20 units of their own RandomCoin on top of the Ethereum network and send them to Ethereum addresses controlled by her friends. There is no RandomCoin blockchain; the original creation of RandomCoin by our random user and any subsequent transactions to her friends and beyond are recorded in the Ethereum blockchain. Ethereum is not the only token network that has this functionality, but it is presently the largest.36

Token Project Variables that can Affect User and Investor Risk

When token software is forked or developed from scratch many key attributes may change as compared with Bitcoin—the original cryptocurrency. What implications will these changes have for investor protection policy, for securities regulation, or regulation generally? Three key questions can help assess whether these changes pose heightened risks for potential users:

How is the initial distribution of the token achieved? How decentralized is the community that powers the token? What functionality does possession of the token afford a holder?



From these questions we can arrive at three key variables: distribution, decentralization, and functionality. Each will be addressed in turn.

A. Distribution

Back in 2009, the very first bitcoins made it into the wild through mining. At this point in time, the only “person” running Bitcoin mining software was the man, woman, or group of people pseudonymously identified on mailing lists and Internet forums as Satoshi Nakamoto.37 Eventually, more individuals joined and obtained bitcoins either by mining or having bitcoins sent to them by friends for fun, as gifts, or in early exchanges or purchases, e.g. two pizzas were purchased in 2010 for 10,000 bitcoins.38

Bitcoin represents a particularly special case when it comes to distribution. As the first cryptocurrency—really a first running proof of concept for peer-to-peer Internet cash—very few individuals knew about it, and many of those who did, approached it with hearty skepticism. It would not be until two years later that bitcoin would reach parity with the dollar.39 In these early years it was not uncommon for people to actually lose track of the bitcoins they had been playing with as a hobby. For example, somewhere more than four feet deep in a Welsh landfill is what remains of James Howells’s hard drive.40 Howells was an early enthusiast who mined bitcoin for a few weeks in 2009. Later, after losing interest in the technology, he spilled lemonade on the laptop that stored the private keys to his mined tokens. Unaware of the value he was throwing away, he broke his laptop down for scraps and took the hard drive out with the trash. Later, at the height of the price rally, the bitcoins controlled by keys on Howells’s lost hard drive were worth as much as $7.5 Million dollars.41

Without online exchanges capable of matching interested buyers and sellers or being market makers themselves, the early spread of bitcoins was primarily through mining, gifting, and the occasional over-the-counter exchange. This stands in stark contrast to how many tokens are, today, distributed. Following the meteoric rise of Bitcoin’s price in 2011 and onward,42 several new token projects were developed.43 Many exchanges quickly offered markets in these new tokens44 so that token miners could quickly liquidate their mined tokens into bitcoins or dollars, and interested buyers could obtain new tokens without dealing with a complicated mining setup. In short, today much of the early distribution of a token will often go to those intending to speculate on future value, rather than participate in the platform via mining or software development.

Pre-Mines and Pre-Sales (Initial Coin Offerings)

Developers of tokens are faced with a distributional choice: should we release the token’s software at the point when no tokens yet exist and allow supply to grow as people run the software and mine the tokens (as it was with Bitcoin)? Or, should we internally mine or create some number of the total tokens that will ever exist before releasing the software publicly by hard-coding an initial distribution in the first block of the blockchain? This latter strategy is known as pre-mining.45 A developer planning to pre-mine will often sell off the pre-mined tokens to the general public at a set price in order to fund future development. She may even sell tokens long before any mining, either private or public, takes place. This is referred to as a pre-sale.46 Buyers may line up for this so-called “initial coin offering” under the assumption that they will be obtaining tokens at the earliest possible point, and, should the token turn out to be useful and/or popular, with the largest possible upside. However, should the token network fail to develop into a useful platform, any initial investment can and will, of course, come to naught.

In the most questionable examples of a pre-mined and pre-sold token, one will often find promises of a future guaranteed price floor for the token.47 This could, for example, be a promise that six months after the pre-sale the developer will offer to buy back the tokens from all willing sellers at $20 a piece. This may be rationalized or marketed by suggesting that each token is linked to some underlying reserve asset, perhaps a precious metal or partitions of a profitable fruit grove.48 Alternatively, the developer may claim to have integrations or partnerships with prominent retailers or online service providers, and may guarantee that the token will soon be accepted by these partners for certain real goods.49 Experience thus far has indicated that these sorts of hard sell arrangements are almost always scams.50

Recognizing the community-wide reputational and regulatory risk posed by pre-sale offerings,51 as well as the risk to users within token development generally, some cryptocurrency enthusiasts sought and developed alternative modes of initial distribution: proof-of-burn, airdrops, sidechains, private sales, and traditional capital formation.

Proof-of-Burn

In a proof-of-burn system, new tokens are distributed to those who provably destroy bitcoins by visibly sending them to a Bitcoin addresses known to have no known matching private key (making them unspendable).52 The motivation behind this scheme is to achieve a fair distribution of the new tokens, based on the relative desire of users to sacrifice bitcoins. It is believed that such a distribution scheme does not unfairly enrich the developers with speculative profits before any real progress on the platform has been achieved. The most notable example of proof-of-burn came during the initial release of the Counterparty token XCP. The motivation behind this distribution, as described on the Counterparty website, was fairness:

By opting to distribute all XCP by proof-of-burn, the Counterparty developers eliminated any speculation that they planned to get rich quick or redistribute risk unequally. On the contrary, they put themselves in the same position as everyone else, backing their ideas with destroyed bitcoin to obtain XCP in the hope of eventually benefiting financially from their own project and hard work.

It is hard to overstate how far removed Counterparty is from almost any other altcoin.

The strategy of taking on more personal risk than developers of competing projects and forcing themselves to produce results before they could see any benefits is already bearing fruit. Counterparty is the first (and so far the only) protocol to have a working distributed exchange, built in record time despite having no outside funding of any kind.53

There are, however, notable downsides to a proof-of-burn distribution. If the tokens obtained via bitcoin burning are the total supply of the token then the token economy will be inherently deflationary. This static supply can mean that rapid shifts in demand can create large spikes in the price of the token, which could leave investors or users vulnerable to a pump and dump scam perpetrated by larger investors. Additionally, if the token fails, the user will be unable to recover her burned bitcoins; it is a total loss.54

Airdrops

A token airdrop is an alternative method of distribution that some believe can achieve a more equitable distribution of new tokens while avoiding any potential misaligned incentives between developer and user that might be inherent in a lucrative token pre-sale.

Key to the airdrop method is the fact that the cryptographic addresses on a blockchain tend to be generated using well-understood cryptographic functions.55 Every bitcoin address on the Bitcoin blockchain was generated by a user of the network as a place to be paid or receive mining rewards. In that process the user also generated a corresponding private key. Making a successful bitcoin transaction necessitates digitally signing a message with the private key corresponding to the bitcoin address that will fund the transaction. Users should keep their private keys secret to ensure no one else can spend their bitcoin. Bitcoin’s core software uses a well known cryptographic function to generate these addresses, keys, and signatures (the ECDSA) and most other cryptocurrencies have followed suit.

Developers who wish to airdrop their token at the start of their new network simply take a snapshot of some existing blockchain and use it to create the first block of their own blockchain. For example, the developers of a hypothetical AirdropCoin could copy the Bitcoin blockchain as it exists right this moment, and they could craft the first block of AirdropCoin’s blockchain such that the same cryptographic addresses have the same positive AirdropCoin balances as they had bitcoin balances on the bitcoin blockchain. Now a Bitcoin user, should she choose to install and use the new AirdropCoin software, can import her existing bitcoin private keys into the new software and, from there, spend her AirdropCoins. Typically, all blocks subsequent to the first block in the airdropped token’s chain would be composed organically of transactions initiated by users or miners of that new token; only the first block is hard-coded by the developers to match a moment in time from the parent chain.

Networks that support consensus over multiple user-generated tokens apart from the foundational token, e.g. ERC20 tokens built on top of Ethereum,56 may make airdrops even easier. The developer merely creates a smart contract on the network that allows anyone with a positive balance of the foundational token, say Ether, to claim some corresponding amount of the new token, gratis.

As with a proof-of-burn distribution, the developer of an airdropped token does not achieve a large windfall at the moment of distribution, but she is nonetheless able to bootstrap her network by gaining new users who will have tokens to use and a stake in the network’s longer-term success.

Unlike proof-of-burn, however, token holders do not have to give anything up to obtain the new token. If they had X number of Bitcoins (or whichever parent chain the developers choose to recognize) at the moment the new network was created, then they’ll have X number of new tokens without having to take any action or make any sacrifice. Recipients of airdropped tokens would therefore lose nothing if the new network was to come to naught.

Sidechains

Another method of releasing tokens into the hands of the public is via sidechain.57 A sidechained token is like a token with a pegged exchange rate to Bitcoin. To utilize a sidechain, a user need only send bitcoins to a special address which will temporarily lock those funds out of her control. Simultaneously an equivalent nominal amount of sidechain tokens will be released into her control and she will have access to whatever functionality the sidechain offers. The peg also works in reverse, releasing bitcoins back to the user’s control. This peg works algorithmically through verification of cryptographic commitments on the blockchains of the two pegged tokens. Therefore, the user of the sidechain does not need to rely on a trusted third party to guarantee the peg.

Again, a primary motivation behind this innovation is fairness and the avoidance of volatility risk native to simple tokens. As described in the sidechains white paper, the developers also sought to create an interoperable ecosystem where several blockchains (developed for different specialized purposes) could be knit together:

By reusing Bitcoin’s currency, these systems can more easily interoperate with each other and with Bitcoin, avoiding the liquidity shortages and market fluctuations associated with new currencies.58

Unlike proof-of-burn or air-dropped tokens, sidechain tokens can always be redeemed for tokens from the parent chain (likely Bitcoin). If the sidechain proves useless, users are not stuck with a valueless investment. The primary downsides to the sidechain approach are technical challenges. Ensuring that pegged bitcoins can be recovered by honest sidechain users, and never dishonestly recovered by interlopers, requires a sophisticated setup,59 and—for the most secure implementation—minor adjustments to the Bitcoin protocol itself—something that will ultimately require the political will of the community (or an economic majority at least) to enact.60

Private Sales

Rather than freely selling pre-mined tokens to the general public, a developer concerned with regulatory risk may choose to have a more limited sale. She may sell promises of her future tokens only to accredited investors or sell them to the public but only in dollar-value-limited amounts. Assuming full compliance with the relevant requirements in U.S. securities laws, these sales may then take advantage of JOBS Act safe-harbors from securities registration rules.61

This approach concedes that the initial agreement between the developer and her purchasers is, in fact, an investment contract and, therefore, a security. It, however, generally assumes that the token, once delivered to the investors pursuant to the terms of that investment contract, will not itself be a security. Future sales or re-sales of that token would not, therefore, be subject to securities regulation. Several lawyers and developers have sought to create a standard version of this limited token pre-sale instrument and have branded that standard agreement as a “Simple Agreement for Future Tokens” in reference to the “Simple Agreement for Future Equity” developed by Y Combinator as an alternative to convertible debt in late 2013.62

Traditional Capital Formation and Release by Mining or Dividend

Finally, some early stage token projects may eschew any of these public sales or distribution methods, choosing instead to raise funds solely from accredited private investors at least until the protocol is fully fleshed out, publicly released, and open for all interested users to begin mining or providing other such proofs of participation.63

Distribution and Risk

Rounding up these various distribution schemes we can imagine a hierarchy in terms of risk to the public. On the riskier end of that continuum would be pre-mined tokens offered for sale with attendant guarantees of future redemptive value or other hard-sell marketing tactics. Less risky would be tokens offered to the general public without any promise of future value, and ideally with some transparency as to who is working on the project, what the project intends to build, and how new tokens will enter circulation. Less risky still would be tokens distributed using a proof-of-burn or airdrop system. Finally, least risky would be a sidechained coin where users can freely move between the new currency and the long-established Bitcoin network at a known pegged exchange rate.

Token projects that eschew public distribution during early development represent a different species of risk with an alternative mode of controlling for that risk. They are financed following the traditional venture capital method. These projects have formal, accredited investors and are structured like any other early stage technology corporation. Token projects selling via a limited sale or SAFT agreement represent a hybrid approach. Initial investors are accredited or else capable of making only dollar-value-limited investments. This is a traditional approach to mitigating early-stage investor risk. If the project matures as planned, the tokens pre-sold in these agreements will ultimately be delivered and should be be functional and decentralized. Their subsequent resale from the initial investors to the public at large removes the mitigating controls of accreditation or dollar-value caps, ideally in exchange for an asset that is less risky being as it is no longer merely a promise of some developer but, in fact, a functional token that can be used within a decentralized network.

B. Decentralization

Decentralization is, perhaps, and overused term in the cryptocurrency and token community. However, there are certain fundamental qualities that differentiate a service, such as money transmission, that is provided by a company, e.g. paypal, and a similar service that is provided by an open group of participants working together via a peer-to-peer networking protocol, consensus software, and a blockchain, e.g. Bitcoin. This section will explain varying degrees of decentralization as exhibited by various token projects, and it will highlight where risks to users do and do not exist with respect to a decentralized network. We will proceed with five subtopics: (1) Consensus, the rules that govern participation in a decentralized network and the process by which those rules are enforced by miners or validators; (2) Scarcity, a particular rule within any consensus mechanism that establishes key economic relationships between participants; (3) Transparency, the degree to which the software establishing the consensus rules is developed in an open and auditable process; (4) the Abundance and Diversity of Developers and Validators, whether several unaffiliated persons are developing the software or, merely, a select few; and (5) the Profit-Development Linkage, the degree to which a handful of developers or validators are incentivized to take quick profits by encouraging investment in the token.

Consensus

As discussed in the first section, all cryptocurrency software will have policy rules and consensus rules. Policy rules are settings that an individual can choose to alter on her individual running instance of the software (e.g. I’d like my software client to refuse to relay transactions smaller than a certain amount of bitcoin). Consensus rules, by contrast, are those aspects of the software that must remain unchanged for the network to recognize the individual’s participation as legitimate. These are, in some sense, the constitutional rules of a cryptocurrency, setting fundamental variables like the total supply of the coin, rules for acceptable and unacceptable transactions, and rules for how the authoritative ledger of transactions—its blockchain—is assembled and maintained.

Again, within Bitcoin’s software, examples of these consensus rules are:

Miners of new blocks may only create a certain number of new bitcoins; currently 12.5 and set to decrease by half every 210,000 blocks.

Transactions must have correct ECDSA signatures for the bitcoins being spent.

Transactions/blocks must be in the correct data format.

Within a single blockchain, a transaction output cannot be double-spent.

For Bitcoin, the consensus rules can be found in the reference client version of the software, which is publicly shared on a website known as GitHub,64 and maintained by a loosely-defined group of unaffiliated developers colloquially known as core devs or core contributors. This software, often referred to as Bitcoin Core,65 is, however, merely an artifact of the “true,” binding, or de facto consensus rules as they exist in the network. The actual binding rules themselves are whatever actual participants on the Bitcoin network say they are, effectively voting by running their choice of software.66 It just so happens that, as of this report and for the foreseeable future, the consensus rules described in the Bitcoin Core software are identical to the rules that exist in the software run by network participants, but this need not always be true.

Changes that relax the consensus rules or remove certain rules (meaning that a wider range of blocks and transactions are now valid on the network) require a so-called “hard-fork.” This means that the new software will be incompatible with the existing software employed on the network and miners and nodes who have not upgraded will not recognize the participation of those who have upgraded. The two factions recognize different and irreconcilable ledgers from the fork onward.67

Effectively, a contested hard fork is the creation of a new token that shares a common transaction history with the legacy Bitcoin network up until the point that consensus rules were changed. This new network will include all users running the new software, and will not consistently recognize the contributions or participation of legacy users. The question of which side of the fork is the “real” Bitcoin, is basically subjective. Some may suggest that the legacy software represents the true Bitcoin and the new fork is a new currency that should brand itself differently. Others, however, might suggest that the new version is authoritative and represents the latest version of Bitcoin. Still others may argue that the network with more computing power, mining effort, is authoritative. Ultimately, however, both networks will be judged by the purchasing power that they retain. If real merchants refuse to sell goods or other currencies in exchange for either the new or the old network’s putative “bitcoins,” then that tine of the fork will stand no chance, rewards to miners working on that network will be useless.

Bitcoin relies on miners in order enforce constitutional rules because there simply is no other authority within the system. The blockchain is the authoritative state of the network and permission to alter that state in the next block (roughly a ten minute interval of time) is limited to the network participant who (a) solves an open-ended math problem by using guess and check,68 (b) broadcasts that solution to the network, and (c) whose solution is then built on (because some previous block solution must be used as an input to create future blocks) by sufficient other miners such that this chain of new blocks is the longest chain—has the most computing effort dedicated to it—as compared with any possible alternative states (forks) of the network.69

This is why a single individual, by marshalling as much computing power as the rest of the network combined, could, in theory, block future transactions (by refusing to put them in new blocks) or attempt to convincingly double-spend new transactions.70 Because this neerdowell has more computing power than the rest of the network combined she will, on average, be able to write new blocks faster, add them to the chain she prefers, and always have that chain remain the longest chain in the network—the authoritative state of Bitcoin.

This is referred to as “a 51% attack.” It’s important to point out that such an attack does not give the attacker the ability to spend any funds sent to Bitcoin addresses for which she does not have the corresponding private keys, nor does it give her the ability to create new bitcoins out of thin air. Any miner, even a miner who had a majority share of the network’s computing power, who attempts to change or break these basic consensus rules, is effectively advocating for a hard fork of the network, and she takes the risk that the network writ-large, miners as well as users, would refuse to treat tokens on her new fork as valid currency. While the revisionist miner may create new blocks that reward her with new tokens, if those tokens are not accepted in exchange for real goods or other currencies, then she will fail to profit from her actions.

Therefore, to reiterate, a 51% attack does not enable the attacker to fundamentally change Bitcoin; it merely enables the attacker to block new transactions and, potentially, double-spend transactions that were initiated after she obtained majority control. Moreover, the cost of such an attack is, necessarily, massive. There is fierce competition amongst Bitcoin miners, and specialized hardware components—application-specific integrated circuits or ASICs for short—have come to dominate the field.71 These ASIC chips have effectively no valuable application outside of cryptocurrency mining, therefore any attacker seeking to perform a 51% attack would need to make a very sizable investment in otherwise useless hardware merely to initiate the attack.72 Additionally, given the transparent nature of the blockchain, such double-spend attacks would be immediately visible and, if sufficiently large, would likely lead to a rapid collapse in the price of Bitcoin, leaving the perpetrator with little or no reward as measured in purchasing power.73 Given the high cost and uncertain benefits, a 51% attack against Bitcoin would not be a likely strategy for a rational actor seeking to commit fraud.74

This focus on computing effort as the measure and gateway for legitimate participation is referred to in computer science terminology as proof-of-work.75 There are, however, other possible consensus mechanisms for ensuring or incentivising honest participation within a cryptocurrency network. Two mechanisms warrant brief description here: proof-of-stake and permissioned distributed ledgers.

Proof-of-stake systems do not require the mathematical calculations and costly hardware investments of proof-of-work systems.76 In these cryptocurrencies the network semi-randomly selects participants for the privilege of writing the next block. To be eligible for selection, a participant must have an address on the network and some “stake” in the cryptocurrency. The details of what that stake must be can vary (and would be set in the cryptocurrency’s consensus rules), but, generally, those with more of the cryptocurrency will be more often eligible to write new blocks to the blockchain.

Permissioned distributed ledgers utilize merely the digital signatures of certain enumerated participants to determine who may write new blocks.77 For example, rather than having an open or permissionless distributed ledger wherein anyone may submit proofs of work, or anyone with a positive cryptocurrency balance on the network may submit proofs of stake, a permissioned distributed ledger could be set up so that only certain network participants, identified and authenticated by use of a public-private keypair, are empowered to write new blocks either at random, in alternating turns, or according to some voting rule. The advantage of this system is that no costly proof is needed to ensure honest and committed participation (because participation is limited, ex ante, to a set of entities deemed trustworthy).78 The disadvantage of this system is that dishonest participation must be punished outside of the protocol in the real world of politics, business negotiation, or law: fraudulent blocks or transaction validations must be removed from the ledger by the coordinated actions of the other, honest participants, and the dishonest participant must be excluded from future participation through a readjustment of the protocol and/or external legal action.79

Finally there is the possibility for hybrid consensus models. a token may begin as a proof-of-work system in order to create an initial distribution of tokens and later it may switch to a proof-of-stake system,80 or it may employ both simultaneously. So long as this shift or co-specification is widely discussed and development decisions are made in a decentralized manner, this should not raise concerns. More troubling, perhaps, are hybrid systems that combine elements of the permissionless models (work and stake) with elements from permissioned distributed ledgers.

As previously described, Peercoin, an early proof-of-stake token, suffered a series of attacks that led developers to switch to a model where only certain identified non-attacker participants were allowed to submit proofs of stake.81 This model is a form of permissioned distributed ledger—only certain identified participants may participate in the consensus process. Even more worrying is the example set by a questionable fork of Peercoin called Paycoin. Paycoin was developed by Homero Joshua Garza, formerly of two other ventures, GAW Miners and Great Auk Wireless, both of which have been the subject of investigations for fraud.82

Paycoin was nominally a proof-of-stake consensus system, like its progenitor Peercoin. However, changes were made to the software that created a hybrid consensus mechanism wherein certain enumerated addresses, presumably in the control of Garza or someone else its developers saw fit to benefit, were capable of providing stake and generating new tokens at an annual rate of 3,000% above a normal address.83 The result is a privileged class of participants who earn outsized rewards for participation despite the coin’s branding as an equitable proof-of-stake consensus model.84 There may be legitimate reasons to combine elements of permissioned and permissionless models, but key to any such effort will be transparency from the developers regarding how the system is set up, why it is necessary, and who is benefitting from being enumerated as a special participant (i.e. an address on the network identified as receiving some added powers or functionality within the consensus model).

With all of these consensus mechanisms outlined, what can be said for their relative risk to users or investors? One clear distinction can be made between the two permissionless systems (proof-of-work and proof-of-stake) and the permissioned distributed ledger. In a permissionless system there is a going market rate for participation and an open competitive industry seeking to provide updates to the blockchain. In a permissioned system there is a closed group of individuals or institutions who have ultimate authority over the blockchain, and should these entities collude in order to block the transactions of particular users, little could be done to stop them. Additionally, if—as would likely be the case—these permissioned users are also the developers of the software, then effectively any change to the protocol (e.g. decisions to enlarge the total supply of tokens, or reverse certain previous transactions, or freeze all transactions) could be effectuated without the agreement of outside individuals or the platform’s users.

Such collusion is also, in theory, possible in a proof-of-work or proof-of-stake system. Several powerful miners (proof-of-work) or currency-rich individuals (proof-of-stake) could join forces to obtain 51% of the mining or staking power and then refuse to add transactions from blacklisted users into the blockchain. However, given that any particular participant’s power is contestable by new entrants, such a cartel would be inherently unstable. This is particularly true if the user or group of users targeted for censorship offered large fees to a miner or stakeholder willing to break ranks and process the transaction or a new miner or stakeholder who enters the market and refuses to join the blocking cartel.

Additionally, a miner with 51% of the computing power on the network would not be able to change the scarcity of the cryptocurrency, reverse transactions that were recorded in the blockchain previous to her majority control, or make any other changes to the consensus rules, because the remaining 49% of the network would not recognize blocks with such changes as valid. She will have forked the network by mining these non-compatible blocks. She’d be, effectively, mining her own coin that is no longer, for example, Bitcoin.

The natural differences between commodities and securities may be instructive here. A group of individuals issuing a security have full control over the fundamentals of that investment vehicle: they can organize production within the firm, they can choose to offer more shares and dilute existing ownership interests, they have full control over the accounting internal to the organization, and the only external limits to these activities are legal—either through contract or regulation. A group of individuals producing some commodity, say gold, could attempt to withhold large amounts of gold from the market, flood the gold market with supply, create rumors about gold production, or choose to only sell gold to certain favored counterparties, but at the end of the day they can’t stop other producers or resellers from offsetting these manipulative activities with their own buying, selling, or rumor-mongering.

Another takeaway from this discussion of consensus is that within a proof-of-work or proof-of-stake cryptocurrency, there is only true resilience against fraud or manipulation when there is a large and competitive market for providing these proofs. To take Bitcoin, for example, the cost of gaining a 51% share of the mining power is constantly changing (and generally increasing as more people become involved and the technology becomes increasingly specialized) but one recent estimate puts that number at $120 million dollars in initial hardware investment, $8,000 per hour in electricity costs just to run the mining hardware, and as much as $5,000 per hour in electricity costs to cool the facility (because ASIC mining chips generate a considerable amount of heat).85

Additionally, for permissionless systems, the cost of these attacks scale monotonically with the value of the underlying currency. In proof-of-stake currencies this is intuitive, if the value of the currency rises, so too do the costs of having a given required stake for selection as a transaction validator. In proof-of-work, so long as we assume rational miners, a similar proportional increase in the cost-to-validate will hold. If the value of the underlying currency rises, the reward for mining a new block similarly increases. Rational miners will increase their capacity to mine new blocks until their marginal costs equal their marginal revenue. As miners compete to find the new, more lucrative blocks fastest, the difficulty required to attack the network scales with the value of the currency it secures.86

A new permissionless cryptocurrency or one with fairly little adoption, by comparison, may have a sparse market for proofs, and, therefore, a few large entities may exercise outsized control over its maintenance. This may be particularly true of proof-of-stake systems where a large portion of the currency is held by the initial creators of the protocol, and buying these units can only be accomplished via an exchange platform also controlled by the creators. In this scenario the creators can, in theory, reorganize the blockchain, block transactions, or change the underlying fundamentals (e.g. scarcity of the token) with impunity until sufficient tokens to qualify for proof-of-stake are purchased from the creators by unaffiliated users. In proof-of-work systems, at least, the ability to take part in consensus is predicated on dedication of fairly uniform and ubiquitously available computing power and not on possession some exotic digital asset sold only by those already invested in the network. Because of this weakness, many in the community perceive proof-of-stake as a consensus method that can only be built on top of an existing proof-of-work currency: switching the consensus mechanism from work to stake once the currency is already distributed across the network.87

Finally, hybrid systems present special challenges to a risk analysis. If certain addresses are enumerated as possessing special powers within the consensus mechanism (e.g. the ability to earn outsized rewards in the Paycoin example88) the technology should be viewed with healthy skepticism. Particularly worrisome are hybrid systems marketed as normal proof-of-work or proof-of-stake systems. In these cases, users will presume that rewards come in some fixed proportion to participation, that no special participants exist. If this presumption is untrue, the user has, in effect, been scammed. She was led to believe that participation would grant her a pro-rata stake in the token, when in truth some other stakeholders may have the playing field tilted in their favor.

Scarcity

The core software powering the Bitcoin protocol sets a maximum total bitcoin supply; accordingly, there should at most only ever be 21 million bitcoins in circulation.89 The rate at which new bitcoins enter the economy is also fixed in the software. New bitcoins are regularly created and awarded to the miner who dutifully works and finds each new block. On average, new blocks are calculated every ten minutes and the reward amount has been set, from the start in 2009 at 50 new bitcoins per block, to halve every 210,000 blocks (roughly four years). As of today, the reward is at 12.5 bitcoins per block and is predicted to halve to 6.25 sometime in May 2020.90 The final bitcoin block reward should be mined at some point in the year 2140.91

Various tokens may have a different total supply, or a different schedule for the creation of new tokens.92 Some may, instead, have no capped supply (i.e. they will always be inflationary). The nature of supply is an important variable in assessing investor or user risk because the scarcity of any given cryptocurrency is the central mechanism that establishes commonality between participants: I know that my bitcoin is 1/21 millionth of the total bitcoins that will ever be available; I know that the same is true of yours. If my understanding of the scarcity of some token is untrue (e.g. the software-specified cap is not correctly disclosed) my understanding of my position as it relates to other users is distorted (i.e. I may own more or less of the total supply than I’d suspected).

Software is, of course, merely a collection of ones and zeros, therefore changing any cryptocurrency’s scarcity (even Bitcoin’s scarcity) is potentially as easy as changing a few variables in code. However, the actual implementation of a change will necessarily require acceptance of the new software code by the network of Internet-connected peers that allow the cryptocurrency to function—miners, message relayers, users, businesses etc. That network, built as it will be of thousands of already-invested incumbents, would likely prove resistant to any change that ultimately dilutes the value of its holdings. The reverse, changes that decrease the ultimate total supply, may be less repugnant to incumbents. However, the mere fact that a known fixed supply has suddenly become flexible may be sufficiently unsettling as to make such adjustments unpalatable.

The Bitcoin community generally perceives changes to the underlying scarcity of bitcoins as verboten.93 Other token communities have been less reticent. For example, the underlying scarcity of the token Dogecoin was originally specified as 100 billion total tokens. Later analysis of the software indicated that a variable in the code, MAX_MONEY, did not, in fact, limit the total supply (it merely limited the maximum size of any one transaction). The community, after some discussion (and perhaps owing to the meme-based currency community’s whimsical and easy-going attitude), decided to carry-on as if this mistake had been deliberate. Dogecoin, once believed capped at 100 billion, became a perpetually inflationary cryptocurrency. Wow!94

Regulators should not be primarily concerned with whether a given cryptocurrency is inflationary or deflationary, but, rather, how transparent the community is with regard to disclosing these relevant economic fundamentals and discussing any potential changes. These concerns will be revisited in the next section on transparency.

Transparency

Strong transparency is the hallmark of all legitimate cryptocurrency or token projects. Three questions help a regulator to gauge the relative transparency of a given project:

Is the software code that powers the network open source licensed and is it widely available for review and analysis? When changes to that software are contemplated, are the proposed changes made public, and are discussions over the acceptance of those changes public? Is the blockchain created by the network publicly auditable?

Bitcoin provides a good model of transparency. Bitcoin’s software is developed under an MIT open source license.95 That means that anyone is free to “use, copy, modify, merge, publish, distribute, sublicense, and/or sell”96 copies of the Bitcoin core reference client. As discussed earlier, this reference client need not be copied exactly in order to ensure compatibility with the network. Individuals can change some aspects of this reference software, sometimes referred to as policy rules. For example, a user can alter the core software that she chooses to run on her hardware, in order to avoid relaying transactions below a certain size—perhaps because the user believes these tiny transactions are spam. Additionally, the bitcoin core software can be integrated into a larger software program that provides, for example, an alternative user-experience for a wallet,97 versions compatible with smartphone operating systems like iOS98 or Android,99 more robust key management for highly secure systems,100 scalability for use in a data-center,101 and any number of other tweaks, changes, or derivative products. As of this report there are: at least 15 versions of the bitcoin client, all with various design goals or device compatibility;102 at least 12 different software tools for integrating bitcoin payments into online shopping cart systems,103 libraries of bitcoin-related software functions and objects in no fewer than 7 different computing languages;104 and effectively too many mobile apps, browser plug-ins, and web-based wallets to count.

Much of this software is publicly shared and distributed using the online service GitHub.105 GitHub provides cloud-hosted distributed revision control and source code management for a variety of user-uploaded software projects (most are unrelated to bitcoin).106 One can think of GitHub as an online track-changes tool (as found in Microsoft Word or Google Docs) for software. Anyone can set up their own personal GitHub account,107 create a new software repository (like creating a new word document), and/or begin suggesting edits to any other public repository (like using the comment tool on someone else’s document). After edits are suggested by contributors, certain specified users can choose to incorporate those edits into the current version in the repository, these special users have what is called “commit access” to the repository.108 Github also stores a complete history of all changes made to the software since the repository was first created.109

The most notable Bitcoin software repository on GitHub is Bitcoin Core.110 This is the repository where a group of volunteer developers keep and maintain the current version of the Bitcoin reference client. By looking through the Bitcoin Core repository on GitHub, an observer or security analyst can see the entirety of the current source code, as well as every change to and past version of that code going back to August 2009. As of this report, a look at the GitHub repository shows that there have been nearly 18,000 accepted modifications to the code from over 550 different contributors since the repository was first created in 2009.111

GitHub also allows users to “fork” public repositories.112 Forking means that a new identical copy of the software is made available for tinkering, modifying, or incorporating into a larger project. Changes to this fork will not change the software in the original; effectively, it’s a tool for building derivative works or for making experimental changes without starting from scratch. As of this report, the Bitcoin Core repository has been forked over 20,000 times.113 Some of those forks remain compatible with the Bitcoin network as wallets, mining software, or other tools, other forks broke compatibility and went on to become functioning token projects such as litecoin.114 Some of those forks are forked themselves to create a derivative of a derivative of Bitcoin, as is the case with Dogecoin.115

Because of open source licensing and the use of public software repositories like GitHub, Bitcoin’s software has been scrutinized by a large, though ultimately unknowable, number of security analysts, critics, hackers, and academics. This means that it is unlikely that any backdoor or severe vulnerability exists in the protocol.116 This also means that it is extremely clear and widely known what the fundamental features of Bitcoin are: it is clear that the protocol puts a limit on the total number of bitcoins that will ever be in circulation, it is clear that the protocol demands that transactions be signed by the private key corresponding to the source address, it is clear that chains with the same bitcoins spent twice will not be recognized as authoritative by the network. These are the technical specifications upon which a user relies when she decides to trade real world valuables for bitcoins; it is important that they be public knowledge and publicly specified in the network’s software and documentation.

Additionally, the authoritative record of all Bitcoin transactions, the blockchain, is entirely public.117 This aspect of Bitcoin’s transparency adds additional certainty over the question of scarcity. While it is the software that ultimately describes which mining rewards are and are not permissible, it is the blockchain that records the full history of mining rewards, i.e. the full history of new money creation in the Bitcoin economy.118 Similarly, while it is the software on the network that would reject attempts to double-spend bitcoin transaction outputs, it is the blockchain that authoritatively records past transactions for the purposes of detecting such counterfeiting attempts.119

The blockchain also records the difficulty, i.e. the amount of computing power leveraged to solve the block’s proof-of-work calculation, of each newly mined block as well as the Bitcoin public address of the miner who solved that proof-of-work.120 This enables the public to view the competitiveness of the market for providing these proofs. To make another comparison to commodities and securities: just as a gold miner must, generally, reveal information about her highly successful operations in order to profit (through the act of selling the commodity), a Bitcoin miner cannot be rewarded for proofs without leaving a publicly auditable record of her windfall. This can be contrasted to a manager within a publicly traded corporation who must be trusted not to “cook-the-books,” and may be capable of profiting at the expense of others in the firm, or even shareholders, without leaving much trace, let alone proof of the value of her contributions to the firm or the legitimacy or fairness of her profits. To be clear, the difference is how controls are placed on would-be bad actors: in a public blockchain, the only way to become wealthier is to leave a public record. In a corporate setting, there may be similar records, but the fidelity of those records is based on legal compliance and honest accounting under the threat of regulatory sanction or shareholder prosecution should past malfeasance be revealed (rather than a verifiable, public, and real time proof of rewards given for proven efforts made).

Aside from the relative transparency of the software utilized within the network and the transparency of the records generated by that software, there is a final area for analysis: the relative transparency of discussions and processes undertaken to update that software. Bitcoin, again, provides a useful baseline.

Within the Bitcoin community, proposals to change the core software are always public. Bitcoin Core is widely regarded as the authoritative version of the software, it is the reference client. However, any software that upholds the consensus rules is, by definition, compatible with the Bitcoin network. One can think of Bitcoin Core as a rallying point around which the community discusses and ultimately chooses how to modify the software on the larger network.

Small changes to the reference client, i.e. fixes for small bugs or typos in the software, can be made by forking the public repository (creating an identical copy), making changes to that forked version, and then submitting a “pull request” to the core developers maintaining the core repository.121 A pull request is simply a formal request that changes made in a fork be incorporated into the original code.122 A small group of unaffiliated volunteer developers, referred to as the Core Devs, have permission on the GitHub repository to “commit” these changes to the core software, thus incorporating them into the reference client.123

More fundamental changes to Bitcoin Core, e.g. code that creates new features or changes the consensus rules, must be described in a formal specification document, called a Bitcoin Improvement Proposal or BIP.124 BIPs are shared amongst developer mailing lists and ultimately publicly displayed in the Bitcoin Core GitHub repository, the Bitcoin Wiki, and elsewhere online.125 The pros and cons of incorporating any BIP into the reference client are hotly debated in online fora as well as in person at publicly accessible conventions and conferences.126 Ultimately, these larger changes too, if eventually agreed upon, built-out and tested in forks, could be incorporated into the core software repository through a commit from one of the core developers.

While this description may appear to introduce a central point of control in our understanding of how Bitcoin is developed and maintained, it’s important to reiterate that Bitcoin “is” effectively whatever software the unaffiliated network participants choose to run.127 The reference client, Bitcoin Core, is just that; it’s for reference or exemplary purposes. It is a guide and baseline from which compatible software for the network can be made. So, for example, if the core developers were to lose their minds or be tempted by some dark cause, their malicious changes to that core repository would have no effect on the network or Bitcoin’s continued value, unless network participants writ large (miners, users, merchants, exchanges), sometimes referred to as the economic majority128 on the network, decided to run the new software on their machines. Additionally, any new software that breaks the consensus rules (the most important rules that prevent fraud) would fork the blockchain, and, unless merchants and exchanges accept transactions listed on the new fork, the new version will produce nothing of value and be abandoned in favor of the fork with the original consensus rules.

To round up this discussion of transparency, there are several key aspects of Bitcoin that are public and easily auditable. The software is open source. Key versions of that software, the reference client in particular, are publicly displayed in an open, online software repository—GitHub—along with comments, proposed changes, and all accepted changes to that software. The blockchain that the network generates is also, itself, public, and keeps records of all transactions as well as all new money entering the system as rewards for miners. Finally, discussions over major changes to the software are also had in multiple public fora both online and off.

The transparency exhibited by Bitcoin should be the model for all token projects. Several notable tokens follow this model.129 Within a token community that has already released a publicly available token, any deviation from these transparent practices may be cause for concern. Proprietary software, private blockchains, or closed development communities who announce changes without public debate, engender greater risks to investors and users, because such practices conceal from the participants the very economic and technological fundamentals upon which the digital asset is built. The resultant informational asymmetries are conducive to short-term scams and fraudulent marketing schemes. In such a new and rapidly evolving field, the norm will often be caveat emptor (buyer beware); buyers, or—at least—sophisticated proxies for their interests (critics, security analysts, regulators), must have visibility into the community and the code it produces in order to form a clear picture of risks and rewards.

Abundance and Diversity of Developers and Validators

As previously discussed, a token’s consensus rules are enforced by the individuals or groups who have authority to write new blocks to the blockchain. In a proof-of-work system, that set of individuals is open—the ledger is “permissionless”—it includes anyone willing and able to provide energy-intensive calculations to the network, and we call these participants miners. In a proof-of-stake system that set includes users holding sufficient amounts of the cryptocurrency, and in a permissioned distributed ledger, that set will be a group of participants specified ex ante in the protocol software, and identified according to a private-public keypair—these ledgers are “permissioned.” Any resulting class of validators can be characterized by how dispersed and diverse they are, and that dispersion or diversity will have implications for the soundness of the token network.

Additionally, the non-mining or non-validating participants on the network may or may not be a diverse group. Long-established cryptocurrencies or cryptocurrencies with strong, user-based development communities will generally have more diverse users. These platforms have multiple use cases and design goals in mind. These various use cases may conflict: for example a community of users who are primarily interested in censorship resistant payment technology (e.g. to make sure that political organizations can take donations even if the credit card networks refuse to process their payments) will often clash with a community of users who want to lower the compliance costs of running a token exchange (e.g. by putting more customer identification tools into the protocol).

When the class of validators and users is large and widespread, there is inherent inertia in the decision-making process. This inertia prevents malicious or questionable changes to the consensus rules from being easily enacted. In a proof-of-work system this inertia is especially pronounced, because changes to the consensus rules could affect the return on investment of miners. Miners on the Bitcoin network must, for example, invest heavily in application-specific integrated circuits, or ASIC chips for short, in order to remain competitive. These ASICs are not multi-purpose computing systems; they can do only one thing well: provide proof-of-work calculations to the Bitcoin network. Miners are, therefore, heavily invested in preserving the status quo of Bitcoin; any change that jeopardizes their future returns is often viewed with hostility.

This inertia would not be present in nascent cryptocurrencies with a small or centralized mining or stake-based community. In these communities, miners may also be the primary developers of the code as well its most ardent promoters and users. Without a competitive market of various stakeholders, monolithic changes to the protocol are more attainable—potentially even changes that benefit some core group at the expense of follow-on investors.

This inertia would also not be present in a permissioned distributed ledger. In such systems a core group of enumerated individuals or groups is empanelled by the developers to enforce the consensus rules. This group, acting together, can block any user on the network from transacting, double spend transactions, change the history of the ledger, and create new money from nothing.130

The best evidence of a healthy and decentralized community may be visible examples of disagreement, stalemate, and compromise between various stakeholders regarding proposed changes to consensus rules. The long running debate between Bitcoin stakeholders over changes to the block size cap (the maximum size, in megabytes, that a valid block to be added to the blockchain may be) provides a useful example.131

The size of a block corresponds to the number of transactions included in that block; so a block size limit is also a de facto limit on the number of transactions that can take place per block (i.e. per ~10 minute period).132 Additionally, if block space is limited, users hoping to get their transactions validated quickly may compete for inclusion by appending larger mining fees to their transactions; miners would sooner include transactions with substantial fees within a finite block than they would a feeless transaction.

The block size limit affects various stakeholders differently. Those focused on consumer adoption—exchanges and merchant processors—tend to want a larger maximum limit, because they do not want their users to suffer either delayed transaction validation or the larger fees that could be necessary to expedite validation if block space was scarce. Those focused on mining or the stability of the network writ large, tend to want smaller blocks because (A) there may be bigger rewards to miners if block space is scarce and users compete for inclusion with fees, and (B) smaller blocks travel across communications networks faster and prevent potential problems associated with network latency (like brief forks in the blockchain when two sides of the network disagree over which new block arrived first and is therefore authoritative).

The debate has generated some compromises. Rather than scale the blockchain by increasing block sizes many (if not most) in the Bitcoin community ultimately came to support a scaling solution called SegWit that compresses and truncates the transaction data such that more transactions can fit in the same size block. Ultimately, however, some big block partisans insisted that this was not a suitable way to address the scaling problem, and in mid-2017 some developers decided to fork the network by altering the block size consensus rule in a new version of the Bitcoin software that they developed and released. This fork has persisted and the new resultant token has been named Bitcoin Cash by its partisans.

The block size debate provides a useful example of decentralization because no single viewpoint or stakeholder has been able to easily and successfully advocate for the precise change they want. Instead, a variety of compromises and amicable separations have emerged. The diversity of stakeholders is a naturally conservative force in the evolution of the network. This can be frustrating from the narrow point of view of a partisan in the debate, however it is a boon to the network at large and through the long term—rash changes, fraudulent amendments, and inequitable revisions stand little chance of survival in a highly decentralized community of stakeholders.

Profit-Development Linkage

The final question central to an inquiry into the decentralization of a token is: Are developers also holding and selling a large share of the scarce tokens, and are they substantially profiting from that activity in the short term? The question is meant to determine to what degree the developers of a cryptocurrency are motivated by profit, and additionally, what the timescale of that profit-taking can look like.

With a long enough time horizon, anyone could be characterized as motivated primarily by the prospect of future profits. We often cultivate hobbies and skills primarily because of an enjoyment of the work, a desire to participate in a community, or to solve some personal problem in our own lives. If, however, as a result of our efforts we eventually make something of notable commercial value (say, a work of art, an innovative design for a boat hull, a patentable invention for irrigating crops) it would be unusual not to seek and take some profit from that work. Should we be particularly successful in monetizing our past passion, hindsight may make our otherwise tinker-like motivations appear to be driven more by greed than they really ever were.

Take, for example, the work of Satoshi Nakamoto, the pseudonymous inventor of Bitcoin. He, she, or they, certainly did not harbor the then outlandish belief that a new, toy-like Internet protocol for creating electronic cash amongst a small circle of curious developers would—with any certainty—go on to become a $100 billion prototype for stateless currency. As stories from the first two years of Bitcoin’s use indicate, the technology was largely prized by enthusiasts, hobbyists, and ideologically motivated individuals. Bitcoins were frequently lost in buried hard drives, at the bottom of landfills, in laptops ruined by spilled beverages, or in thumb-drives misplaced and never found again. Bitcoins were traded more for fun than profit (and often at a great loss if we look at the future price), as in the case of alpaca farmers accepting bitcoins on websites in exchange for woven socks,133 or the case of a million-dollar pizza purchase through a friend across an ocean.134

And still to this day several blockchain-based projects are developed by a community of dedicated volunteers; individuals motivated more by the desire to see some cooperative process or service (cloud storage, domain name registries, single sign-in identification, music production, and more) automated and decentralized, rather than any expectation of huge future profits.135

Others, however, plainly have less benign motives. Desiring quick profits, they hype their future technology, market it to trusting buyers online, promise future integrations and applications, all without developing much beyond a simple fork of Bitcoin or some other pre-existing open source token software.136

But motives and intent can be a difficult metric for regulators or law enforcement to uncover and rely upon in prosecutions. Both the truly radical innovations as well as the scams will often be pitched with similar rhetoric and bravado, or have similar delays in development. Rather than look at the promises or claims surrounding a token, it may be better to look at how the development process is financed, and how the technology is structured to reward (or not reward) the developers.

Earlier, in the section on distribution,137 we discussed pre-mining as well as promises of a future minimum price floor. These are notable indications of a strong link between development and profit. Developers creating a pre-mined currency will often retain large amounts of the scarce coin. These developers will often be the prime generators of hype surrounding the future promise of the network; the extreme example being a guarantee of a future price-floor for the token (a promise to buy back tokens at a set rate).138 If, in response to this hype, the price on exchanges surges once the currency becomes publicly available, the developers may have a strong incentive to sell their large holdings for Bitcoin or some other more reliably valuable asset. At this point the developers can walk away with large windfalls even if the underlying technology has yet to meet the expectations or promises of its marketing. It may simply be a forked version of Bitcoin with different branding, produced and released at almost no cost. When the promised innovations fail to materialize the price of the token on third-party exchanges may plummet, leaving follow-on investors who bought at the height of the craze with nothing.139

The clearest indication of an unhealthy link between network profits and development comes from the Paycoin example described in the previous subsection on consensus. In that example, Paycoin was marketed as a standard proof-of-stake based token. Paycoin was, in reality a hybrid consensus system utilizing concepts from both proof-of-stake and permissioned distributed ledger systems. Developers had enumerated certain network addresses within the code, identified with a public-private key pair, in order to grant those users disproportionately large rewards. It is not unreasonable to assume that these addresses were, in fact, in the control of Paycoin developers and promoters. In this example, developers have a very strong profit motive, while Paycoin grows they are benefited by these oversized rewards at the expense of normal users who presumed they were equal participants. The software, in a case such as this, is effectively a bargain that has been fraudulently and materially misrepresented.

These worst-case scenarios can be contrasted with a developer or group of developers who choose to distribute their new tokens only through open, competitive mining, or through a an airdrop or proof-of-burn140 system where bitcoins are sacrificed—not exchanged—by interested users wishing to obtain some of the token. Similarly benign would be development utilizing a sidechain,141 where interested users will simply move bitcoins into the new project, retaining full ownership and control over those digital assets and offering nothing to the developer in exchange.

In all of these benign examples, the developers have no means of taking quick profits from their network. Developers working on a token network that openly offers tokens, from the start, to competitive miners get no pecuniary benefit from each marginal miner that joins the network. Developers working on a token that can be obtained by proof-of-burn, do not gain bitcoins from each new user—those bitcoins are simply destroyed in the process. And developers working on a sidechain do not gain control over the bitcoins pegged by users in order to obtain sidechain tokens. The tokens may be branded as something new, but they are perfectly fungible with bitcoins. As the developers of Rootstock, a sidechain that seeks to replicate the smart contracting capabilities of Ethereum, explain,

The sidechain is a two-way mechanism, so when the miners receive the rootcoins in payment for contract execution, they can turn them back into bitcoin right away. So you have a one to one conversion rate. It’s actually bitcoins – we call them rootcoins in order to explain that those bitcoins are living in the Rootstock blockchain and not in the Bitcoin blockchain. It’s more a conceptual thing.142

All this is not to say that sidechain or proof-of-burn utilizing developers stand no chance of profit. Instead, such developers stand the chance to profit—fairly—in the long term from their actions, rather like early pioneers of a new and profitable industry. If successful, they will have helped build a system that generates strong network effects, making it indispensable to a large community of users. Their intimate knowledge of and long-running participation in that system will make them attractive employees or collaborators in business circles. Their own personal investment in the system may also prove lucrative, but they will be risking only their own capital and not that of any prospective user. And, they will—no doubt—profit from their own use of a successfully developed tool; much as any open source software developer is often motivated primarily to create and release a tool to solve some personal annoyance, like having to retype the same code over and over, or build a subroutine from scratch for each new client.143

C. Functionality

Our final question differentiating token risk is what functionality or powers does possession of a token grant the user. This may be analogized to the legal rights that attend possession of a bearer instrument, however, this should be understood merely as an instructive metaphor. “Possession” of some cryptocurrency or token is most accurately described as exclusive knowledge of some cryptographic secret (similar to a password) that is technologically necessary to record a token transaction (or perhaps record some other data) on the network’s blockchain. Mere knowledge of a secret string of numbers does not, in and of itself, generate any particular legal rights, liabilities, or relationships. For such legal rights to exist, either in contract or property, certain legal circumstances must obtain (e.g. I discovered and brought under my control bitcoins that had been abandoned or as of yet unclaimed, I manufactured bitcoins using my labor, I was gifted these tokens or received them in a bargained-for exchange.) What we refer to herein as “functionality” is the non-legal question of what capabilities will the user have on the network when she has knowledge of the private key(s) that correspond to funded address(es) on the token network’s blockchain.

Functionality across tokens varies from non-functional—a hypothetical future token being promised to buyers in a fundraiser or a token whose only value is contingent on an issuer honoring some promise—to functional because it is probably scarce and transferrable—e.g. Bitcoin—to functional because it grants access to a decentralized computing service—e.g. Ether, a token that allows users to write and run smart contracts on the Ethereum network—to functional because it allows users to vote amongst possible investments and claim profits—e.g. The DAO token that was launched and subsequently failed in 2016.

This section begins by explaining the most basic functionality that a token or cryptocurrency can have: the ability to send a provably scarce asset over the internet without the need to trust any intermediary. Then we will discuss more complex functionality that may adhere to a token. Finally we will briefly discuss what we’ll term non-functional tokens, wherein any usefulness or value inherent in the token is derived not from a decentralized network but rather from promises or guarantees made by the issuer or some other legally responsible third party.

Functionality Contingent on Scarcity and Decentralization

The basic case of functionality is Bitcoin. As François Velde of the Federal Reserve Bank of Chicago has remarked, “Bitcoin is a system for securely and verifiably transferring bitcoins.” Having bitcoins means you can send bitcoins; that’s about it. The nature of the bitcoin network, however, means that this seemingly simple fact is rather revolutionary.

Before Bitcoin there was no such thing as a scarce digital asset that could be sent person-to-person without relying on a trusted intermediary. Computer files like Word documents or images that we might attach to an email or send in a text message can, of course, be sent over the Internet. But when an image or document file is sent, it is not actually transferred from one person to another. Instead, a copy is made and both sender and recipient have the file. This inherent “copy-ability” of digital things makes electronic peer-to-peer value transfer much more difficult than in-person value transfer, where two people can meet and physically hand over something of value.

Before Bitcoin, if someone wanted to provably send another person money or value electronically, they would have to rely upon a mutually trusted third party to keep track of a ledger that described who gave up the asset and who obtained it. For example, when one uses PayPal to send dollars to a friend, she and the recipient must trust the company, PayPal, to deduct from the sender’s balance and credit the recipients. The same is true with online stock trading or any other online financial transaction; before Bitcoin, there was always a trusted institution in the middle.

Bitcoin replaces that once-essential trusted intermediary with a blockchain. Now, one Bitcoin user can send bitcoin to another and both can check the public blockchain to confirm that the sender has given up the asset and the recipient has obtained it. Every transaction is included in that ledger and so too, therefore, is a record of the total supply of bitcoins. This means that bitcoins are provably scarce and transferrable despite being non-physical assets.

But Bitcoin’s blockchain is not a magical autonomous authority on the internet; it is merely a record of transactions kept by a decentralized network rather than a record kept by a bank or other single trusted intermediary. It is this decentralization, as described in the previous section, that makes Bitcoin truly special. Bitcoin’s blockchain and its consensus mechanism allows a person holding a bitcoin to send that bitcoin to someone else irrespective of any person’s attempts to censor or prevent the transaction. That isn’t a promise from some person or company upon which that the holder relies; it is a consequence derived from the network’s rules and the protocol’s ability to incentivize continued, free, fair, and open participation in that network.

Thus the scarcity and decentralization afforded by the Bitcoin network is the fundamental functionality that a person obtains whenever they obtain a bitcoin. It’s rather like obtaining some amount of gold. Gold is functional for its holder because it is a reliably scarce commodity that is capable of being transferred and traded (quite literally handed from one person to another). As such it can be a store of value, hedge against other assets, and means of payment. Bitcoin is, in fact, a bit more useful than that, because, unlike gold, it can be sent over the Internet; in essence, gold but with a teleporter.

Functionality Beyond Scarcity and Decentralization

Bitcoin’s digital scarcity is revolutionary on its own, but more complicated and flexible token functionality feasible. The proof-of-stake consensus system described in the previous subsection on consensus144 provides a simple example of further functionality. As with Bitcoin, a proof-of-stake token network gives users the ability to prove control over tokens, and it allows the user to send those tokens to other users, but it also provides a further functionality: provable control over some amount of tokens (i.e. the stake) also enrolls the user in a lottery whose prize is permission to write a new block to the blockchain and receive any block rewards or fees that are generated from that new block.

Some developers, utilizing combinations of the technologies described thus far, have begun work on so-called app-coins, decentralized computing platforms, or decentralized autonomous organizations. These developers seek to create a digital platform that generates some kind of cooperative result but does so without utilizing any form of hierarchical or top-down control. The design goal is broad: complex cooperative organization with a network protocol supplanting all or most traditional legal or business structures. Examples are necessary to avoid unhelpful abstraction in the description of these new platforms. The easiest example is Bitcoin itself. Bitcoin is a system without top-down control that achieves complex cooperation: the transmission and storage of value.

A more extensive example, however, can suggest what the future may hold. To start, consider YouTube, the video sharing website owned by Google.145 Some aspects of YouTube are run via an open, user-driven market: for example, the choice of which ads to display generally comes down to a bidding process, the choice of which videos to watch comes down to a given user’s willingness to expend time and opportunity cost on a given video, and the choice of what videos will be on the platform comes down to whether individual content creators decide to upload their content to YouTube. Much of YouTube is already built from the interactions of users with other users—peer-to-peer interactions mediated through the technology—as compared with the interactions of employees, contractors, or subscribers with the corporation—hierarchical interactions mediated through law or corporate structures.

Ultimately, however, many—perhaps the majority of— decisions critical to YouTube’s success are made by the employees, managers, directors, owners and shareholders of YouTube and Google. These decisions include: designing the user interface, choosing whether to censor or remove user-uploaded content, choosing whether to display ads and how often to show them, choosing whether to offer a premium ad-free version, deciding how to design the server warehouses that host all these uploaded videos, figuring out who to pay to build and maintain that infrastructure, and who to hire or fire to develop the platform itself, deciding how to raise capital for future improvements or services. These are decisions made within firms rather than within markets; what Ronald Coase called the islands of socialism within a market economy.146

Now, imagine a fully user-owned and controlled YouTube. As with today’s YouTube, videos are uploaded by users and individual viewers choose their own programming. Unlike today’s YouTube however, the myriad other decisions that YouTube, the firm, would make are now made, also, by users. This sort of cooperative control could be achieved by use of a decentralized cryptocurrency specific to the platform—an app-coin.

Users buy or obtain these app-coins (we’ll call them YouCoins) and possession of the tokens grants the user certain non-legal rights (technical functionality on the distributed network). Most fundamental may be the right to vote on key decisions regarding how the platform is built and maintained going forward. Rather than having a centralized server warehouse, the platform uses the spare system resources of its users’ computers to host, store, and route content (not unlike how the BitTorrent file-sharing protocol allows for the distribution of large files without a centralized server147), and all of this shared infrastructure is knit together with software. Decisions over how to write and rewrite that software can be made through ex-ante specified voting rules (so-called on-chain governance). These rules can be as basic as simple majority and one token one vote, or as complicated as needed (with quorums, sequential voting rounds, veto powers attached to some YouCoins, etc.). If Condorcet, Kenneth Arrow, or the Framers of the Constitution can imagine it, it can be coded in software.

The platform could be ad-supported or it may be fee-based. For example, some number of YouCoins may be required for a user to upload a video, or to view a video. Users who uploaded videos may be paid in YouCoins each time someone views their content. Perhaps they can set their own prices. Other users who sell their spare disk space, network connectivity, or other distributed infrastructure can be rewarded with YouCoins based on the prices they set. The network can be set up to automatically use the cheapest reliable infrastructure first, but as the network becomes more heavily trafficked, infrastructure providers with higher marginal costs and higher prices may find that they too will be paid in YouCoins. This going-rate for use of the infrastructure can be utilized to automatically increase or decrease the prices set for video uploads or views.

Developers who suggest new code that improves the user interface or the underlying network infrastructure could be rewarded with YouCoins when a sufficient number of users vote to include their changes into the new version of the software. Curators who make particularly entertaining playlists of videos could be rewarded with YouCoins when enough users vote to post the curated playlist to the platform’s homepage. All of these user interactions (whether voting, uploading, viewing, curating, providing infrastructure, developing the software) are recorded (perhaps by pseudonym for privacy) and the identities of contributors are validated using a shared ledger and scarce tokens to make spam, sabotage, or other counterproductive participation prohibitively costly.

In this hypothetical example, the token is more than a currency; it is a system resource within a distributed computing platform. The coin is used not only as a means of exchange or payment but also as a means to account for, judge, and verify valuable community participation through provable viewership and payment statistics as well as votes cast in decisions over changes to the platform. It is also used to give would-be users a credible commitment that valuable participation will always be rewarded in the future through self-executing contracts and publicly auditable voting rules and records. The distributed computing platform, its transparent design, reliable recordkeeping, and scarce tokens, assure a prospective user: If you help the network by providing extra space for video storage, then you will be rewarded immediately and by the byte. If you generate popular content, then you will be rewarded immediately and by the view.

Under such a system, the token (our hypothetical YouCoin) is the native fuel that facilitates interactions within the cooperative. It also, however, would be a reliable metric for the platform’s success writ large. If the platform sees increased demand from new users and if the supply of the token is limited, then its value may increase against dollars or bitcoins. In some ways this increase is rather like the increase in share price for a successful corporation. In some ways, however, it is not. The value of the token comes from the individual actions of all platform participants who are using or holding the token—again rather like the value of a scarce but useful fungible commodity (like oil) within a particular industry. There is no hierarchical management structure with the ability to raise new capital, create liquidity, and offer or issue equity in this model. Instead, the collective actions of participants determine the relative supply and demand of the token, factors that in aggregate enhance or reduce the value of the whole.

For clarity, we can refer to tokens that are native to some particular consumer-oriented platform, e.g. our distributed YouTube example, as app-coins. A cryptocurrency- and blockchain-based cooperative, however, may have many applications as diverse as the range of centrally hosted web apps we know today (general cloud storage as well as simple video hosting, a network of self-driving cars, an online marketplace like eBay, a review site for local restaurants and businesses), and many of these platforms may share tokens, ledgers, and users. We can refer to these more general systems as distributed computing systems. Some, however, refer to such diverse and multi-purpose blockchain-mediated cooperatives as DAOs, decentralized autonomous organizations, or DACs, decentralized autonomous c