in the DLT & Crypto-Assets Framework
EU Horizon 2020 MSCA
BAnDIT Project: (advanced Blockchain Attacks and Defense Techniques): Grant Agreement
A blockchain is a peer-to-peer distributed ledger that records transactions between two or more
parties in a verifiable and permanent way by storing them in a sequence of blocks. The blocks
are linked into a chain that is secured using cryptographic primitives and a randomized
lottery mechanism. Each block contains a secure digest (or hash) of the previous block, an
unforgeable proof from the lottery, a timestamp, and a list of transactions. One of the main
advances that blockchain technology brings is that once a transaction is recorded in a
block, it cannot be (easily) altered without alteration of the previously recorded blocks (Vujicic et
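To make the block structure just described concrete, the following Python example (added here for illustration; it is not code from the BAnDIT project or from any cited paper) builds a small chain in which each block carries the digest of its predecessor, a timestamp, a transaction list and a toy proof-of-work nonce standing in for the lottery proof. The difficulty, the timestamps and the sample transactions are constructed assumptions. It then exercises the integrity property the paragraph states: editing a transaction in an already recorded block invalidates that block's proof and breaks the hash link stored in the block after it, and redoing only the edited block's proof still leaves that link broken, so a verifier that recomputes the digests detects the change.

```python
# Added illustrative example (not from the BAnDIT project or any cited paper):
# a minimal chain of hashed blocks with a toy proof-of-work "lottery".
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List

DIFFICULTY_BITS = 12      # assumption: tiny target so the toy lottery resolves instantly
GENESIS_PREV = "0" * 64   # the first block has no predecessor digest


@dataclass
class Block:
    index: int
    prev_hash: str                 # secure digest of the previous block
    timestamp: int
    transactions: List[Dict]
    nonce: int = 0                 # the "proof" found by the lottery (a PoW nonce here)

    def digest(self) -> str:
        # Canonical JSON serialisation so every node computes the same hash.
        raw = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(raw.encode()).hexdigest()


def meets_target(digest_hex: str) -> bool:
    """The proof is valid when the digest has DIFFICULTY_BITS leading zero bits."""
    return (int(digest_hex, 16) >> (256 - DIFFICULTY_BITS)) == 0


def mine(block: Block) -> Block:
    """Search nonces (in place) until the block's digest satisfies the target."""
    while not meets_target(block.digest()):
        block.nonce += 1
    return block


def build_chain(tx_batches: List[List[Dict]]) -> List[Block]:
    """Append one mined block per batch, each linked to the digest of the last."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, txs in enumerate(tx_batches):
        blk = mine(Block(index=i, prev_hash=prev,
                         timestamp=1_600_000_000 + i,   # constructed timestamps
                         transactions=txs))
        chain.append(blk)
        prev = blk.digest()
    return chain


def verify_chain(chain: List[Block]) -> List[int]:
    """Return the indices of blocks whose hash link or lottery proof fails."""
    bad: List[int] = []
    prev = GENESIS_PREV
    for blk in chain:
        d = blk.digest()
        if blk.prev_hash != prev or not meets_target(d):
            bad.append(blk.index)
        prev = d   # the next block must point at the digest actually observed
    return bad


def tamper_demo() -> Dict[str, List[int]]:
    """Edit a recorded transaction and report what a verifier sees at each step."""
    chain = build_chain([
        [{"from": "alice", "to": "bob", "amount": 5}],     # constructed sample txs
        [{"from": "bob", "to": "carol", "amount": 3}],
        [{"from": "carol", "to": "dave", "amount": 1}],
    ])
    intact = verify_chain(chain)
    chain[1].transactions[0]["amount"] = 300      # alter an already recorded transaction
    after_edit = verify_chain(chain)
    mine(chain[1])                                # redo only the edited block's proof
    after_remine = verify_chain(chain)            # block 2's stored prev_hash still mismatches
    return {"intact": intact, "after_edit": after_edit, "after_remine": after_remine}


if __name__ == "__main__":
    print(tamper_demo())
```

The check in `verify_chain` is the local validation a node performs on every block it receives; real networks add a far larger difficulty and a rule for choosing between competing valid chains, which is what makes rewriting every later block prohibitively costly rather than merely detectable.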
Blockchain technology became widely known with the development of Bitcoin, a cryptocurrency
developed in 2009 by Satoshi Nakamoto, the pseudonym of the unknown creator (or creators)
that gave birth to this decentralized cryptocurrency (Nakamoto, 2009). After the creation of
Bitcoin, the so-called “crypto market” saw a rapid take-off with the introduction of a vast
number of new cryptocurrencies. Today, there are more than 2,000 crypto-assets outstanding
(ESMA, 2019). The definition of “crypto asset” varies among countries. Also, crypto assets may
have different features and/or functions, hence many regulations have introduced additional
sub-categories. In one of the latest EU regulatory proposals on the crypto-asset ecosystem
(MiCA), crypto assets are referred to as “digital representations of value or rights which may be
transferred and stored electronically, using distributed ledger”.
Nevertheless, in spite of their transparency, decentralization and suitability for further
applications, crypto assets are still considered a novelty and are characterized as a risky asset
class (Borri, 2019). While the distributed nature of blockchain technology reduces the cyber risks
that centralized market infrastructures face (such as a single point of failure), it is still subject
to other types of cyber risk (Saad et al, 2019), (Apostolaki et al, 2017). On these grounds, many
countries worldwide have issued warning notices advising their citizens of the potential dangers
of investing in crypto assets. In general, governmental measures range from restrictive through
permissive to encouraging, although in reality, given the decentralized nature of the system, it is
extremely hard to enforce a severe restrictive measure such as a ban (Ellul et al, 2020).
ESMA (the European Securities and Markets Authority) identified the most significant risks
regarding crypto assets as fraud, cyber-attacks, money laundering, and market manipulation. In
particular, ESMA emphasized that technology-specific risks are still under-addressed, while certain
existing requirements may not be easily applied or may not be entirely relevant in a DLT
framework (e.g. GDPR). Recently, the EU Commission and the Council jointly declared their
commitment to establishing a legal framework that will harness the potential opportunities that
crypto assets may offer while at the same time mitigating the associated risks they may pose to
European users and businesses.
Most recently, in an effort to determine the legal status of crypto-assets, the EU issued two
regulatory proposals as part of the “Digital Finance Package” initiative: a proposal on “Markets
in Crypto-Assets”, which if adopted would amend the existing Directive (EU) 2019/1937, and a
proposal for a regulation of the European Parliament and of the Council on a “pilot regime for
market infrastructures based on distributed ledger technology”. The main objectives of these
proposals are a) to provide legal certainty, b) to support innovation and remove the regulatory
obstacles which may be constraining fintech development, c) to protect European users,
investors and businesses by enabling trust and confidence in market integrity, and d) to maintain
financial stability on European grounds.
The new proposed regulation on DLT market infrastructure (under Article 6) aims to introduce
new requirements in order to tackle the novel risks pertaining to DLT. In other words, it sets a
norm for DLT infrastructure operators to provide market participants, clients, users and investors
with clear and honest information on how they carry out their functions and activities when
applying DLT, to ensure that the overall IT and cyber arrangements related to the use of DLT are
adequate, and to safeguard users’ funds and assets (e.g. DLT transferable securities) where needed.
Also, Article 9 of the same proposed regulation maintains the need for cooperation between the
DLT market infrastructure, competent authorities and ESMA. As mentioned, DLT market
infrastructures must inform competent authorities and ESMA of any evidence of hacking, fraud
or other serious malpractice, and of technical or operational difficulties which may pose risks to
investor protection, market integrity or financial stability. As seen in (Ramos et al, 2020), markets
react to information regarding cyber-attacks, and timely notification may make a difference in
safeguarding users’ funds and restoring network security.
The cyber security requirements to be introduced are to be proportionate to the nature, scale
and complexity of the DLT market infrastructure. Likewise, in order to ensure integrity and
security, the competent authority of a DLT market infrastructure should be allowed to request an
audit in order to ensure that the overall IT and cyber arrangements are fit for purpose (paragraph
It is important that the overall cyber arrangements of the two proposed regulations aim to
protect user funds from hacking, degradation, illegal access, loss, cyber-attack or theft; however,
not much further explanation of the required technical measures is given. The proposed
regulation imposes a safekeeping mechanism for client funds in the form of cash or cash equivalents,
DLT transferable securities, or the means of access to such DLT transferable securities, including
in the form of cryptographic keys, but it recognizes the existence of a regulatory gap regarding
reliability and safety requirements: “At the same time, regulatory gaps exist due to legal,
technological and operational specificities related to the use of DLT and crypto-assets that qualify
as financial instruments. For instance, there are no transparency, reliability and safety
requirements imposed on the protocols and smart contracts underpinning crypto-assets that
qualify as financial instruments. The underlying technology could also pose some novel forms of
cyber risks that are not appropriately addressed by existing rules.”
In other words, although certain jurisdictions have proposed or introduced regulatory
frameworks which provide assurances regarding the financial market and the operations surrounding
cryptocurrencies, there is still a lack of assurances in terms of the core technology and the cyber
security measures associated with it (Ellul et al, 2020). It should be noted that high cybersecurity
resilience is a precondition for sustainable innovation in an increasingly digitalized financial sector,
where protecting users, businesses and investors is a priority. In recent years there has been
an exponential increase in the number and severity of cyberattacks related to DLT and crypto-assets,
which has left many doubtful of the validity and trustworthiness of DLT systems.
While recent regulatory efforts in the European Union have been a step forward, further
research is needed in this domain. Besides identifying control points at which regulation can be
applied (e.g. crypto exchanges, wallet providers), a more relevant “use-case” analysis is needed.
Certain experts have argued for regulating the technology via the agents who form the de facto
governance of public blockchains, e.g., by imposing certain fiduciary duties on core developers
and dominant miners (Walch, 2016). Nevertheless, bearing in mind that most public blockchains
are built on open-source software, certain problems arise from this approach. In other words,
treating core developers and dominant miners as fiduciaries could deter them from participating
in what may be considered socially beneficial projects, due to fear of potential liability; and
without them contributing code and processing power (under PoW) the system risks disappearing.
Moreover, core developers and dominant miners are usually not compensated highly enough to
bear the accountability standard of a fiduciary, and if compensation were raised instead, there
could be a significant increase in the cost associated with running and using this technology
(Walch, 2016). Also, due to the way the PoW system works, honest but rational miners can have
an incentive to eventually join pools, and the colluding group will increase in size until it
becomes a majority, at which point it has the possibility to perform a majority attack and “double
spend” (Eyal and Sirer, 2018).
While cyber-related challenges may be an opportunity for further regulation, a contrasting
unregulated perspective rooted in the free-market paradigm could also be considered as an
alternative. In other words, treating cyber-related problems as a “diminisher of user trust” could
incentivize market players (e.g. crypto exchanges) to improve their cyber resilience and compete
better with alternatives. For example, instead of regulating a central point such as a crypto
exchange in order to ensure the safety of user funds/assets, an alternative would be to leave the
establishment of cyber resilience to the crypto exchanges themselves, which could invest in cyber
resilience as a way to strengthen user trust and attract new members. Also, instead of applying a
fiduciary duty to dominant miners, an alternative measure could be for public blockchains to
improve the incentive design of the system, thus deterring miners from acting dishonestly and
improving resilience towards majority and other similar attacks.
This work was funded by H2020 ITN Marie Skłodowska-Curie Action grant n. 814284 “BAnDIT” as
part of the EU Horizon 2020 program. The work was partially carried out at LINCS (Laboratory of
Information, Networking and Communication Sciences) and Nokia Bell Labs in Paris during the
CoViD-19 pandemic. The BAnDIT project (advanced Blockchain Attacks and Defense Techniques)
is an Innovation Training Network (ITN) for European Industrial Doctorates (EID) funded under
the European Commission’s H2020 Marie Skłodowska-Curie Programme. The project is led by
Universitat Pompeu Fabra and the other main participant is Nokia Bell Labs France. More
information about the project can be found at: www.upf.edu/web/bandit
M. Apostolaki, A. Zohar, and L. Vanbever. Hijacking bitcoin: Routing attacks on cryptocurrencies. In 2017 IEEE Symposium on Security and Privacy (SP), pages 375–392, 2017
D. Vujicic, D. Jagodic, and S. Randjic. Blockchain technology, bitcoin, and ethereum: A brief overview. In 2018 17th International Symposium INFOTEH-JAHORINA (INFOTEH), pages 1–6, 2018.
S. Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System. White Paper. 2008.
N. Borri. Conditional tail-risk in cryptocurrency markets. Journal of Empirical Finance, 50(C):1–19, 2019.
I. Eyal and E. Gun Sirer. Majority is not enough: Bitcoin mining is vulnerable. Commun. ACM, 61(7):95–102, June 2018. ISSN 0001-0782. doi: 10.1145/3212998. URL https://doi.org/10.1145/3212998.
M. Saad, J. Spaulding, L. Njilla, C. Kamhoua, S. Shetty, D. Nyang, and A. Mohaisen. Exploring the attack surface of blockchain: A systematic overview. ArXiv, abs/1904.03487, 2019.
J. Ellul, J. Galea and M. Ganado. Regulating Blockchain, DLT and Smart Contracts: a technology regulator’s perspective. ERA Forum 21, 209–220 (2020). https://doi.org/10.1007/s12027-020-00617-7
A. Walch. Code(rs) We Trust: Software Developers as Fiduciaries in Public Blockchains. 2018.
S. Ramos, F. Pianese, and E. Oliveiras. A Great Disturbance in the Crypto: Understanding Cryptocurrency Returns under Attacks (Working Paper). September, 2020.
European Securities and Markets Authority. Advice - Initial Coin Offerings and Crypto-Assets, 2019. URL https://www.esma.europa.eu/sites/default/files/library/esma50-157-1391_crypto_advice.pdf.
Proposal for a Regulation of the European Parliament and of the Council on a pilot regime for market infrastructures based on distributed ledger technology, COM/2020/594 final. October, 2020. URL https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0594
Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets (MiCA), and amending Directive (EU) 2019/1937, COM/2020/593 final. October, 2020. URL https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0593