Enhancing DeFi Security and Compliance Through Transaction Decoding

Alex, what is the focus of your work these days?

The focus of my work is heading up crypto custody. I'm founder and CEO of Trustology, which has been recently acquired by Bitpanda, will be rebranding as Bitpanda Custody. But the focus of my work remains exactly the same, and that is to make sure that we deliver the safest, fastest and easiest crypto custody solution for institutional clients. So this are folks like service providers, institutional investors and token issuers who need to safeguard their crypto assets as well as manage their crypto assets. And that includes managing them across the plethora of DeFi protocols for lending, borrowing, trading, etc. It's an exciting space, and Bitpanda is FCA regulated entity here in the UK, so we are fully compliant with all the AML requirements, and they were introduced in the fifth AML Directive. We also ensure we've got some of the best insurance in the market. So yeah, fully fledged service. We do our own tech and we provide a service to our amazing customers.

What is the motivation for your talk?

The motivation for my talk is to introduce some people to a topic that probably may not be obviously exciting, but it is exciting, which is compliance and DeFi. So DeFi, for those who don't know, is essentially financial services like lending, borrowing, decentralized exchanges and derivatives trading. But instead of doing so through a centralized entity like Coinbase, for example, call exchange and swaps, this are now decentralized services. And when we mean by that is that there is a smart contract, which codifies all the rules of exchange. So essentially, folks send funds to a smart contract. So this is weird because usually you send money to an individual or maybe a company account. Here, you're sending funds to a smart contract address, which means that the only way that somebody can then release those funds is if the smart contract code allows those funds to be released. 

That gives this huge ability to invent all new ways of providing sometimes traditional financial services and sometimes new ones without intermediaries, cutting costs, reducing risks and also providing a much bigger liquidity pool. Given the global nature of these services, it's a exciting stuff. But of course, all of that still ultimately requires you to be compliant if you are a financial institution such as a regulated fund. So a bit like in the days when we had everyone was talking about Big Data. It introduced veracity, velocity and variety. Well, actually, blockchain DeFi almost introduces the same increase in veracity, velocity and variety in terms of financial services Big Data introduced to data handling.

Before creating a new exchange was hard to do or creating a new asset like a utility tech was hard to do. Now it's super easy for someone to launch a brand new lending service or a decentralized exchange or a new token, which is exciting, but it means that compliance becomes that much harder. Instead of having a small number of assets and a small number of well-understood services, we have this Darwinian explosion of assets and services that you have to look at. And of course, all of that means you have to have super risk based approach to compliance. How do you do that? Well, with smart contract systems, you can start to look at the transaction that comes in. You have to understand what transaction is about to do. You can then look to see if that transaction is about to do something suspicious, send funds to terrorist financing, address or something like that or market manipulation. And then you should prevented if you think there is a sufficient suspicion to block the transaction and quarantine the funds or allowed to proceed. 

So, part of what crypto custody involves, if you're a technologist, is key management, creating private keys, keeping them safe, making sure they're never lost, and then transaction management, making sure that the transaction is approved by the customer, making sure that all the compliance checks have been followed and only once all those checks have been done a signing that transaction in a secure way with the key of the customer and then submitting to the blockchain for monitoring. Experian, for example, with the most popular smart contract system there is out there, a protocol there is, it has something called all the transactions are encoded. So it's very hard to actually know what you're doing because there's just hex. But there are ways to decode transactions by looking at the bytecode in front. And once you've figured out what the bytecode is, you can then look at databases behind it and figure out what the customer's actually about to do. So a lot of this is about decoding the transactions, which is quite tricky. So I'll talk a little bit about decoding transactions. It's actually it's a interesting topic as a technologist. And then the other thing that you need to do is be able to make sure that if you're about to sign the transactions to the blockchain, the outcome of that transaction does not end up transferring assets to suspicious addresses. 

And actually, that's hard to do unless you write an AVM simulator, so you need to simulate a transaction to understand what the actual transfer will be within the smart contract. Because if you're a criminal, what you can do is you can create a zero day smart contract whose only job is to transfer funds to suspicious addresses internally. So then normal checks don't work because the normal check will look at the smart contract address that somebody is transferring funds to. 

That is a zero day smart contract. They wouldn't be detected as suspicious. What their smart contract will do on receipt of funds will immediately transfer to suspicious address and that normally wouldn't be checked by AML systems. So what we've been working on is, in fact creating our own EVM simulator, figuring out before we submit the transaction that's about to happen, checking all those addresses to make sure they're not suspicious and only then submitting a transaction to the blockchain. So we'll talk a little bit about the complexities of decoding the transactions to understand what it is in the first place and then simulating a transaction to understand what the outcome of that transaction is once we understood and decoded what it is going to be. 

And that's the focus of the chat to dig deep into the internals of how transactions are handled on Ethereum and how you can decode and simulate the transactions for compliance checks.

How would you describe the persona and the level of the target audience?

It might be useful for a number of folks. I think if you're a developer, you might actually learn quite a bit about the internal guts of transactions. So I think anyone who is interested in the theory and low level protocol calls you might want to find out more about it. Anyone who is working in DeFi and crypto and within a regulated environment probably should come along. But even a compliance officer who may or may not be super technical or a chief compliance officer or even the CEO who ultimately is responsible for the the business, may not understand all of the detail, but they will get enough of the gist of what they should be worried about when work in the system. So I think there's a broad range of audiences. I think developers will probably get the most out of it. But of course, the C-suite and the legal and compliance teams, I think will benefit from this as well.