Abstract: Tether is a crypto token based on top of Bitcoin and Ethereum’s blockchains, the value of which is pegged to the US dollar by centralised USD reserves. There is scepticism about Tether, with accusations that the system is not backed by sufficient reserves. We think that this Tether scepticism is mostly focused on the wrong issue. We have found possible evidence in published financial data that the impact of Tether is visible in Puerto Rico’s banking system. Tether is likely to be, or is already, encountering problems related to regulation and we think this should be the primary long-term concern for Tether holders.

About Tether

Tether is a scheme that allows fiat currencies such as the US dollar to be used on the Bitcoin (and Ethereum) blockchain. The abstract of the Tether white paper explains:

A digital token backed by fiat currency provides individuals and organizations with a robust and decentralized method of exchanging value while using a familiar accounting unit. The innovation of blockchains is an auditable and cryptographically secured global ledger. Asset-backed token issuers and other market participants can take advantage of blockchain technology, along with embedded consensus systems, to transact in familiar, less volatile currencies and assets. In order to maintain accountability and to ensure stability in exchange price, we propose a method to maintain a one-to-one reserve ratio between a cryptocurrency token, called tethers, and its associated real-world asset, fiat currency. This method uses the Bitcoin blockchain, proof of reserves, and other audit methods to prove that issued tokens are fully backed and reserved at all times

The Tether token therefore exists on top of the Bitcoin and Ethereum blockchains, with around 97% and 3% of its tokens existing on each chain respectively. On Bitcoin, its tokens exist similarly to coloured coins and use the Omni layer, whose protocols interpret extra meaning from some surplus Bitcoin transaction data — for example, the creation or transfer of Tether.
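
How that extra meaning is read out of a transaction's surplus data, as an added example (not code from the original report, Omni or Tether): a Python decoder for a data-carrying Bitcoin output. The payload layout (an "omni" marker followed by version, type, property id and amount), the two type numbers and property id 31 for Tether are assumptions taken from the Omni Layer specification; the sample scripts are constructed.

```python
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OMNI_MARKER = b"omni"            # ASCII marker that opens an Omni payload
USDT_PROPERTY_ID = 31            # Tether USD on the Omni layer (assumed constant)
# The two operations named in the paragraph above: transfer and creation.
TX_TYPES = {0: "simple_send", 55: "grant_tokens"}
PREFIX = struct.Struct(">HH")    # version, transaction type (big-endian)
TOKEN_FIELDS = struct.Struct(">IQ")  # property id, amount in base units


def op_return_data(script: bytes):
    """Return the data push of an OP_RETURN output script, or None."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    if script[1] < OP_PUSHDATA1:                 # direct push of 0..75 bytes
        start, length = 2, script[1]
    elif script[1] == OP_PUSHDATA1 and len(script) >= 3:
        start, length = 3, script[2]
    else:
        return None
    data = script[start:start + length]
    return data if len(data) == length else None  # reject truncated pushes


def parse_omni_output(script: bytes):
    """Decode an Omni payload; None means an ordinary Bitcoin output."""
    data = op_return_data(script)
    if data is None or not data.startswith(OMNI_MARKER):
        return None
    body = data[len(OMNI_MARKER):]
    if len(body) < PREFIX.size:
        raise ValueError("Omni marker present but payload is truncated")
    version, tx_type = PREFIX.unpack_from(body)
    result = {"version": version,
              "type": TX_TYPES.get(tx_type, f"other({tx_type})")}
    if tx_type not in TX_TYPES:
        return result            # other types use different field layouts
    fields = body[PREFIX.size:]
    if len(fields) < TOKEN_FIELDS.size:
        raise ValueError("token fields are truncated")
    property_id, amount = TOKEN_FIELDS.unpack_from(fields)
    result.update(property_id=property_id,
                  is_usdt=property_id == USDT_PROPERTY_ID,
                  amount_units=amount)  # divisible tokens count in 1e-8 units
    return result


def build_sample(tx_type: int, property_id: int, amount_units: int) -> bytes:
    """Construct a sample OP_RETURN script (test data, not a real transaction)."""
    payload = (OMNI_MARKER + PREFIX.pack(0, tx_type)
               + TOKEN_FIELDS.pack(property_id, amount_units))
    return bytes([OP_RETURN, len(payload)]) + payload


# Constructed samples: a 250-token transfer, a 1,000,000-token creation,
# an unrelated OP_RETURN message and a standard pay-to-pubkey-hash script.
SAMPLE_TRANSFER = build_sample(0, USDT_PROPERTY_ID, 250 * 10**8)
SAMPLE_GRANT = build_sample(55, USDT_PROPERTY_ID, 1_000_000 * 10**8)
SAMPLE_PLAIN = bytes([OP_RETURN, 5]) + b"hello"
SAMPLE_P2PKH = bytes.fromhex("76a914") + bytes(20) + bytes.fromhex("88ac")

if __name__ == "__main__":
    for name, script in [("transfer", SAMPLE_TRANSFER), ("grant", SAMPLE_GRANT),
                         ("plain", SAMPLE_PLAIN), ("p2pkh", SAMPLE_P2PKH)]:
        print(name, parse_omni_output(script))
```

To a node that does not run the Omni rules these outputs are just opaque data, which is why the issuer's choice of client software decides what the ledger says.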

The primary use case of Tether appears to be financial speculation, with many exchanges allowing their customers to buy and sell Tether in exchange for crypto tokens such as Bitcoin. Currently, around 2.2 billion Tether, representing US$2.2 billion, exist. As the chart below illustrates, about 85% of Tether holders are known, with the largest holders being the biggest crypto token exchanges. There is likely to be some mechanism by which these large holders can redeem Tether directly for USD, which we speculate on at a later point in this report.

Tether owners in February 2018 listed in millions of USD. (Source: Tether rich list, Tether transparency report)

The Tether hack

It appears as if the Tether treasury wallet was hacked in November 2017. US$31 million was stolen and sent to an external Bitcoin address, where it remains in quarantine. On 21 November, Tether released a forked client of OmniCore. This froze the stolen funds and was essentially a hardfork of the Omni layer. Since the Tether company backs the Tether token with real USD, Tether users had to upgrade, since Tether would obviously only back the tokens on their chosen side of the fork. As Tether put it:

We strongly urge all Tether integrators to install this software immediately.

The hacking incident demonstrated that Tether is effectively in complete control of the ledger, as they can force a hardfork at will and reverse any transaction — although there may not have been any doubt about Tether’s control beforehand. This raises the question of why Tether bothers to put the database on the Bitcoin and Ethereum blockchains at all — it would be far cheaper for Tether to create its own public database without needing to pay fees to the miners. Although the Tether company was and is able to freeze funds, the process is technically difficult and time consuming, as it requires new software to be written and released and for all Tether exchanges to upgrade.

Who controls Tether?

The Tether “About us” page only appeared between 5 December 2017 and 7 December 2017, and it revealed that Tether had the same management team as the Bitfinex exchange, as the table below illustrates. This is approximately when Tether is said to have received a subpoena from the US Commodities Futures Trading Commission (6 December 2017). Prior to this point, Tether did not disclose its management team — on the website, at least — although it was widely believed that Bitfinex was behind Tether. The timing appears to suggest that the subpoena may have prompted the greater transparency.

Bitfinex Senior Team Tether Team
JL van der Velde (CEO) JL van der Velde (CEO)
Giancarlo Devasini (CFO) Giancarlo Devasini (CFO)
Philip Potter (CSO) Philip Potter (CSO)
Stuart Hoegner (general counsel) Stuart Hoegner (general counsel)
Matthew Tremblay (chief compliance officer) Matthew Tremblay (chief compliance officer)
Paolo Ardoino (CTO)
Chris Ellis (community manager)

Tether and Bitfinex have essentially the same management team. (Source: Tether, Bitfinex)

The Paradise Papers, released in November 2017, revealed that Bitfinex’s CFO and CSO are owners and directors of Tether respectively. There was already little doubt about the link between Tether and Bitfinex prior to full disclosure on Tether’s website.

Tether management and owners. (Source: Paradise Papers)

Some think that Tether may have previously implied that Bitfinex doesn’t control Tether. For example, Craig Sellars, a Tether founder and advisor — and a former CTO of Bitfinex — stated on Reddit in spring 2017:

Bitfinex is a customer of Tether. If Bitfinex wants more USD, they make a request to Tether, just like all other Tether customers. Tether waits for USD to show up, and when it does, creates the necessary tethers and credits Bitfinex.

That comment left much open to interpretation but certainly did not explicitly state that Bitfinex does not control Tether. In this comment, a month prior to the above one, Sellars specifically states that he and Bitfinex CSO Phil Potter were discussing how to improve Tether. Sellars was also open about his simultaneous involvements in Tether and Bitfinex, as his LinkedIn profile indicates:

  • April 2014 to present: Tether founder and advisor
  • January 2015 to May 2016: Bitfinex CTO
  • April 2014 to May 2016: Tether founder and CTO

We do not think there is evidence that Tether misled the public about Bitfinex’s involvement, which some have claimed.

The Tether audit

The Tether homepage states that:

Our reserve holdings are published daily and subject to frequent professional audits.

The accounting firm Friedman LLP (FLLP) published a report in September 2017 in which it confirmed the USD balances that Tether was supposed to hold. The report stated that as of 15 September 2017, a bank held $382,064,782 in an account in the name of Tether.

However, the report did not disclose the names of any of the banks nor did it mention the jurisdictions in which the banks operate. The report also stated that:

FLLP did not evaluate the terms of the above bank accounts and makes no representations about the Client’s ability to access funds from the accounts or whether the funds are committed for purposes other than Tether token redemptions.

In January 2018, Tether ended its relationship with FLLP and explained with this emailed statement.

We confirm that the relationship with Friedman is dissolved.  Given the excruciatingly detailed procedures Friedman was undertaking for the relatively simple balance sheet of Tether, it became clear that an audit would be unattainable in a reasonable time frame. As Tether is the first company in the space to undergo this process and pursue this level of transparency, there is no precedent set to guide the process nor any benchmark against which to measure its success.

The statement indicates that there is a lack of transparency and the audit process appears inadequate, or at least inconsistent with the promises made on the Tether website. This likely contributed to the rumors in the cryptocurrency community — for example, claims that Tether is a Ponzi scheme.

Lack of transparency does not necessarily indicate fraud

Tether allows its users to send and receive USD. Transactions cannot easily be blocked and users require no permission — although one notable exception to this is Tether requiring all users to upgrade to a new client in order to block transactions, which is the cumbersome process that occurred after the $31 million hack.

Tether also potentially allows users a degree of anonymity when making or receiving transactions. Its characteristics potentially make it attractive to criminals, just like Bitcoin. While those with the ability to issue and redeem Tether, such as exchanges, are required to go through approval and KYC processes, individual users can use Tether merely by generating a public/private key pair, again just like Bitcoin.

Regulators are unlikely to be particularly happy about this and banks are likely to consider Tether with scepticism. Tether also requires the use of a bank, to hold the USD reserves required to back Tether. Many banks are likely to approach Tether cautiously, and accepting Tether as a client may violate a bank’s compliance procedures such as rules meant to prevent money laundering.

Therefore, Tether may have a problem: either the company may try to conceal aspects of how Tether operates from the reserve bank or the company may need to find a bank with compliance procedures that are not as strict as those of the most prominent financial institutions. We suspect that Tether may have struggled to find appropriate banking relationships and may have had accounts with many banks in many jurisdictions as it tried to find the right partner. We believe this is likely to be the primary reason for the apparent lack of transparency, rather than a lack of USD reserves. The transparency that some Tether stakeholders seem to expect may not be possible in the financial sector when the underlying activity is not clearly authorized or regulated by the authorities.

The Bitfinex exchange may have revenues in excess of US$1 million per day during the recent crypto currency bubble (assuming 100,000 BTC volume per day, 0.1% commission, and a $10,000 BTC price). Even if Tether were experiencing problems, Bitfinex may have resources sufficient to bail out the system. This wealth may also remove some of the incentive to run a fraud or a Ponzi scheme of the type some of the Tether sceptics allege.

Financial data from Puerto Rico

Rumors have been circulating that Tether may have some link to the unincorporated American territory of Puerto Rico. We decided to analyse public financial data to look for signs of unusual activity or strong growth.

We noticed strong growth in the cash balance (and the deposit balance) in the International Financial Entities (IFE) banking category. This sharp increase in cash reserves could be related to Tether. It is also possible for this growth to be related to a non-Tether aspect of the crypto currency ecosystem — for example, plans to make Puerto Rico a crypto utopia.

The chart below compares the value of Tether issued versus the deposit balance for the IFE banking category in Puerto Rico. The match is far from perfect and we cannot draw any strong conclusion from the data. It will be interesting to see what figures the regulators in the region produce going forwards.

Puerto Rico’s IFE aggregate deposits versus Tether in millions of USD. (Source: IFE Accounts, BitMEX Research, Coinmarketcap)

In addition to the growth of the total cash balance, we noticed that the cash balance was growing as a proportion of total assets, as the chart below illustrates.

 Puerto Rico’s IFE aggregate cash as a proportion of total assets. (Source: IFE Accounts, BitMEX Research)

This kind of balance-sheet structure is unusual. Normally, banks lend most of their assets and only keep a small balance as cash. The table below shows a simplified typical structure of bank balance sheets.

Illustrative example of the balance sheets of a typical bank and a 100% reserve bank respectively. (Source: BitMEX Research)

Full-reserve banking results in a different balance sheet, which should be detectable by financial analysts even when looking at macroeconomic data. As of the end of September 2017, the ratio of cash to total assets for this category of financial institution in Puerto Rico rapidly climbed to over 70%. This may indicate the presence of full-reserve banking in the territory and that the practice is growing.

Full-reserve banking

Full-reserve banking (also called 100% reserve banking) is when a bank does not lend deposits but keeps all deposited funds either in the form of physical cash or electronically on deposit at a custody bank or the central bank. Full-reserve banking is a fringe concept in modern finance often associated with the Austrian School of economics and libertarianism (or even a Bitcoin type of philosophy). Full-reserve banking is said to make the financial system less susceptible to credit expansion, something Bitcoin is also said to be able to achieve. The main benefit of this is that it could make the economy less likely to experience business cycles, as we explained in our earlier piece.

Noble Bank

We looked at all the financial institutions in the IFE category in Puerto Rico, and identified two banks which claim to be full-reserve banks: Euro Pacific International Bank and Noble Bank International. Full-reserve banks are rare, so while we can’t rule out the existence of any others, it may be unlikely that any others are operating.

Extract from the list of registered IFEs in Puerto Rico. Noble is highlighted in red by BitMEX Research. (Source: Commissioner of Financial Institutions of Puerto Rico)

Euro Pacific Bank is run by Peter Schiff, a well-known Austrian economist and Bitcoin sceptic. Due to this scepticism, we think it is unlikely that Schiff would become involved in a Bitcoin-related entity like Tether.

Noble Bank, however, is involved in the crypto space and therefore could be involved in Tether. Evidence of Noble’s involvement in cryptocurrency includes the following extract from a letter to the regulator that the bank sent in 2015:

Noble intend to operate an integrated financial market network for the trading, clearing, and settlement of real currency, Bitcoin and other digital currencies

Noble is also the bank that entered into a Bitcoin-related business partnership with Nasdaq in 2015. We suspect that the growth in reserves in this section of the financial services industry in Puerto Rico is related to Noble Bank and cryptocurrency, whether or not this involves Tether.

The founder and CEO of Noble Bank, John Betts, was also behind the 2014 Sunlot Holdings move to take over and potentially rescue MtGox. Sunlot was backed by Brock Pierce, one of the founders of Tether.

Of course, a previous professional relationship between the Noble Bank CEO and one of the Tether founders proves nothing, and the blockchain ecosystem is a small space so such connections are likely. We would like to emphasize that even if Noble Bank is the primary reserve bank of Tether, none of this is evidence that Noble Bank has done anything inappropriate or illegal.

In a Medium post, Noble describes how it allows “clients to create their own pools of credit” and explains the structure of this system with the following illustration.

(Source: Medium)

It is possible that the above model could be the underlying structure behind Tether, and this could explain how it is backed by US dollars. This would indicate the USD that back Tether are inside the Puerto Rican banking system with the reserves held by BNY Mellon, Noble’s custody bank, which is the largest custody bank in the world. If true, this would imply that Tether is not a Ponzi scheme, since the USD reserves are present and being reported to the authorities, and that the reserves may be relatively safe. However, as we explain later in this report, this should not provide complete comfort for Tether holders in the long term.

Case studies

As we mentioned above, Tether has the following characteristics:

  • No permission is required to send or receive Tether.
  • Transactions cannot be easily blocked.
  • Tether users may be able to obtain a degree of anonymity.

These characteristics may make the system attractive for criminals and money launderers — and if criminal activity becomes too prevalent, the authorities may wish to shut the system down. This has already happened numerous times in the past, as the case studies below demonstrate. In a later report, we may dig into the history of these case studies in more detail.

Liberty Reserve (2006-2013)

Liberty Reserve was a Costa Rica-based centralized digital-currency service that let users send and receive USD-denominated payments over the Internet. Payments could be made using email addresses and there was no procedure to identify those using the system. In 2013, Costa Rican authorities closed the service, accusing the system, in the indictment, of facilitating the laundering of US$6 billion of criminal proceeds. The founder of the service was arrested and sentenced to prison. The BBC described the service as follows:

Cash could be put into the service using a credit card, bank wire, postal money order or other money transfer service. It was then “converted” into one of the firm’s own currencies – mirroring either the Euro or US dollar – at which point it could be transferred to another account holder who could then extract the funds.

GoldAge (1999-2006)

Prior to founding Liberty Reserve, the same founders ran GoldAge, a gold-based payment platform that was also shut down by the authorities. As the US Justice Department put it:

The defendants had transmitted at least $30 million to digital currency accounts worldwide since beginning operations in 2002. The digital currency exchanger, GoldAge, received and transmitted $4 million between January 1, 2006, and June 30, 2006, as part of the money laundering scheme.

e-Bullion (2001-2008)

e-Bullion was a centralized Internet-based gold-payment system. In 2008, the co-founder of the system was murdered. As a result, the US government confiscated the company’s assets and the system was shut down.


DigiCash (1994-1998)

Perhaps one of the most interesting of the centralised pegged-payment platforms was DigiCash. Developed by David Chaum, DigiCash had strong anonymity technology based on blind signatures built into the system. The platform resembled modern distributed anonymity-based tokens like Monero.

Although DigiCash was centralised, the operator was unable to obtain details about the transactions because everything was anonymous, and therefore the transactions themselves were, in a sense, fully censorship resistant. However, the company eventually failed and in 1998 filed for bankruptcy.

Censorship resistance has two sides: the first is that transactions themselves cannot be blocked, and the second is that the entire system cannot easily be shut down. The first is relatively easy to achieve through anonymity-based technology such as ring signatures, while the second is more challenging.

The US Justice Department lists other examples of shut-down Internet-based payment systems, including the following.


E-gold (1996-2007)

On April 27, 2007, a federal grand jury in Washington, D.C., indicted two companies operating a digital currency business and their owners. The indictment charges E-Gold Ltd., Gold and Silver Reserve, Inc., and their owners with one count each of conspiracy to launder monetary instruments, conspiracy to operate an unlicensed money transmitting business, operating an unlicensed money transmitting business under federal law, and one count of money transmission without a license under D.C. law. According to the indictment, persons seeking to use the alternative payment system E-Gold were only required to provide a valid Email address to open an E-Gold account–no other contact information was verified. The indictment is the result of a 2½-year investigation by the U.S. Secret Service with cooperation among investigators, including the Internal Revenue Service (IRS), the Federal Bureau of Investigation (FBI), and other state and local law enforcement agencies. According to Jeffrey A. Taylor, U.S. Attorney for the District of Columbia, “The defendants operated a sophisticated and widespread international money remitting business, unsupervised and unregulated by any entity in the world, which allowed for anonymous transfers of value at a click of a mouse. Not surprisingly, criminals of every stripe gravitated to E-Gold as a place to move their money with impunity.”


On June 29, 2006, Andrew [Mantovani] was sentenced to 32 months in federal prison for cofounding Shadowcrew.com, an international online discussion forum with more than 4,000 members, many of whom specialized in identity theft and fraud. Shadowcrew members sent and received payments for goods and criminal services through digital currencies. One indicted member, Omar Dhanani, operated an illegal currency exchange, providing members a money laundering service in digital gold by anonymously converting their illicit cash. Dhanani stated that Shadowcrew members used digital gold in order to avoid traditional banking systems. A yearlong investigation by the U.S. Secret Service led to the October 2004 arrest of 21 individuals in the United States, with several other arrests in foreign countries.

Western Express International Currency Exchange Company (2002-2005)

On February 22, 2006, Vadim Vassilenko, Yelena Barysheva, and Alexey Baryshev were indicted by the state of New York for operating an illegal check-cashing and money transmittal business from 2002 through 2005. Their company, Western Express International, acted as a currency exchanger, knowingly exchanging criminal proceeds for digital currencies. Through its web sites, Western Express actively solicited overseas clients in eastern Europe, Russia, and the Ukraine to operate illegally in the United States. Clients using fictitious, often multiple identities committed a variety of cyber crimes, such as reshipping, phishing, spoofing, and spamming. Items purchased with stolen credit card numbers were resold for digital gold, which was further laundered through Western Express. A total of $25 million flowed through the company’s bank accounts over the 4-year period, in violation of New York banking regulations.


History has shown that centralised systems with certain characteristics (censorship resistance or anonymous transactions) tend to get shut down by the authorities. Tether shares some of the same characteristics as these extinguished services so it may also attract criminals and ultimately suffer the same fate.

In our view, Tether has two choices:

  1. Reform the system to include KYC/AML procedures that allow the operator to easily block transactions or freeze funds. In order to do this, Tether may need to fundamentally change its technological architecture and perhaps leave the public blockchains. Essentially, Tether would just be turning into a traditional (or full-reserve) bank.
  2. Continue as is and risk being shut down by the authorities at some point.

If Tether is shut down, there is a risk that some users may lose access to their funds, perhaps temporarily. We do not recommend holding Tether for the long term, but not for the reasons some of the sceptics typically pronounce. We think that criminal usage of Tether is likely to be relatively low because of the use of Tether for financial speculation, which is probably the system’s dominant use case. Furthermore, we have not found any evidence of criminals using Tether to launder funds. As it stands, we think an imminent shutdown is unlikely.

The case studies above illustrate the two angles to censorship resistance (individual transactions and the system as a whole) and what distributed crypto tokens need to achieve in order to be sustainable in the long run. If a payment system cannot block transactions, doesn’t require permission for use, or offers anonymous use, it will probably eventually be shut down. This could be just as true for systems like Tether and Ripple as it was for Liberty Reserve, E-gold, and DigiCash. A potential way around this is to try to build a distributed system that cannot be shut down (i.e., censorship resistance for the system as a whole).  Whether Bitcoin or other proof-of-work-based systems can achieve this is still unproven, in our view.


Whilst many claims made in this note are cited, we do not guarantee accuracy. We welcome corrections.

A blockchain-specific defensive patent licence

Abstract: Although the impact of patents on society is debatable, they can have a negative impact on the blockchain space. Opening patents up is potentially crucial to the blockchain industry. Unfortunately, however, technology innovators may need to obtain patent protection for defensive purposes. A defensive patent licence (DPL) may be able to protect the ecosystem from the harmful restrictions of patents or mitigate some of the risks. We explain some potential deficiencies and loopholes in the current DPL and take a look at a new, improved licence, a blockchain DPL (BDPL).

(Source: Mises Institute)

Patents in the blockchain space

The issue of intellectual property (IP) is somewhat controversial in the libertarian and blockchain communities. Although patents and copyrights are generally accepted by most, many libertarians regard these systems as unethical state-granted monopolies that impede economic prosperity. This negative view of IP is articulated by Stephan Kinsella in his article “Against Intellectual Property”, in which he describes a patent as follows:

A patent is a property right in inventions, that is, in devices or processes that perform a “useful” function. A new or improved mousetrap is an example of a type of device which may be patented. A patent effectively grants the inventor a limited monopoly on the manufacture, use, or sale of the invention. However, a patent actually only grants to the patentee the right to exclude (i.e., to prevent others from practicing the patented invention); it does not actually grant to the patentee the right to use the patented invention.  Not every innovation or discovery is patentable. The U.S. Supreme Court has, for example, identified three categories of subject matter that are unpatentable, namely “laws of nature, natural phenomena, and abstract ideas.” Reducing abstract ideas to some type of “practical application,” i.e., “a useful, concrete and tangible result,” is patentable, however.

Copyright, on the other hand, covers original works such as books, articles, movies, and computer programs. When it comes to the IP of blockchains or other technologies, patents seem to be more relevant than copyright, which applies more to works of art.

Whatever one thinks of the merits of patents, when it comes to assessing the efficacy of patents in the blockchain space, there are some specific considerations:

  1. A key feature of blockchains is their permission-less architecture, in which nobody has the ability to censor usage of the system (a.k.a. censorship resistance). If one patents a use or function in a blockchain-based system (such as a new transaction format), the patent holder and legal authorities may be unable to prevent its usage by others, potentially making patents unsuitable or unenforceable.
  2. A patent on a cryptocurrency mining technology could give the patent holder a competitive advantage over other miners. This could undermine the whole point of mining, which requires a degree of competition in order to be useful. If a miner or mining coalition achieves a significant proportion of the hashrate, they could censor some or all of the transactions, or even attempt to reverse transactions, potentially rendering the blockchain useless.

Therefore, although the efficacy of patents is debatable in general, many consider them negative with respect to blockchains and desire to avoid the usage of enforceable patents in the blockchain space altogether. Achieving this preferred outcome is not simple; it’s not sufficient for those who develop technology in this space simply to avoid patents. This approach would be vulnerable to so-called patent trolls who could patent these technologies at a later date and possibly hold hostage those blockchain businesses and users who use the patented technology. A form of protection against patent trolls is required.


One such tool to prevent or mitigate the risks of patent trolls is the DPL. Companies already using this include the Internet Archive and Blockstream. By signing the DPL, these companies essentially allow any company or individual to use all of their patented technologies for free, as long as they also join the DPL. In order to join the DPL, one must commit to put all one’s respective patents inside the DPL and to not make an infringing patent claim against any DPL member. This effectively forms a club, which anyone may join, whose members need not worry about using the patents owned by any other member. The use of DPLs is purely defensive, and the more entities that join the DPL, the better it is for the blockchain community.

Problems with the DPL

We have spoken to some patent holders in the ecosystem as well as legal experts, and some have identified potential deficiencies within the DPL. The DPL is a first-draft attempt at this scheme and many seem to acknowledge that there is significant scope for improvement.

Potential DPL loopholes include:

  1. The DPL mentions the licence can be revoked if a member transfers a patent to a separate, non-DPL entity that does not abide by the terms of the DPL. However, this restriction only applies once a member has joined the DPL. It is possible, in theory, for an entity to transfer patents to an associated company before joining the DPL. In this scenario, the new DPL member who transferred the patent could collude with the company that received it to engage in aggressive patent claims against other DPL members, while still being free to use other patents in the DPL.
  2. Although the DPL prevents members from enforcing their patents among other members, it does not prevent third parties from enforcing patents. A third party may restrict some DPL members from using a patent while licensing that same patent to other DPL members. If this occurs, as in the figure below, any DPL members obtaining the rights to use the patent could have an advantage over other DPL members, which is exactly what the DPL was set up to prevent.

Company H is not a member of the DPL but it licenses the use of its patented technology to DPL member company A while engaging in enforcement action against the other DPL members. This gives company A an advantage, while company A is still a valid member of the DPL. (Source: BitMEX Research)

The new BDPL

A proposed blockchain-specific DPL scheme, the BDPL, aims to improve on the DPL with amendments and additional terms that hope to correct the loopholes identified above. The BDPL still retains the core defensive properties of the original DPL, granting a licence to all members who join the BDPL.

The first loophole is fixed with an amendment to one of the terms in the licence. The original DPL merely prevents a member from making any non-defensive patent claim against another member. The new terms also prevent a member, “whether individually or in collusion with each other or with any other person”, from making a non-defensive claim. This stricter requirement may make the type of collusion mentioned above more difficult.

The second loophole is fixed by adding a new term to the licence. This is a requirement that specifies that the licence will be revoked if members use any patent licensed by a third party, when such a licence “is or is likely to be” enforced and restricted from use by another BDPL member. This should prevent a scenario such as the one illustrated above.


In our view, this new BDPL offers an improved, more robust alternative to the existing system. However, it is more onerous in some respects than the old scheme — for example, there are stricter requirements about making public notices. In addition, closing the circumvention loopholes requires a tradeoff: a BDPL member could be caught between a rock and a hard place if it licenses a crucial technology from a non-BDPL member who then begins enforcement action against other BDPL members without the knowledge of the licensee. Fixing this problem within the licence may not be possible, although mitigating this risk could be possible with additional licensing terms preventing aggressive action against other BDPL members.

Providing patent owners with more choices can only be beneficial and this new licence is a positive addition to the blockchain space. This scheme may be more robust and therefore more attractive to patent holders, while maintaining the defensive nature that can protect the ecosystem from the harmful effects of patents. We have spoken to patent owners who have indicated that they may prefer the BDPL to older schemes. While it would be beneficial were such defensive schemes to become popular, it is difficult to predict which, if any, will succeed.

We think the BDPL is both a significant improvement and more likely to be adopted than the DPL. If adopted, the BDPL could substantially benefit the ecosystem, mitigating one of the risks silently looming over the blockchain space.


The Ripple story

Abstract: In this piece, we briefly look over the history of Ripple and examine various disputes between the founders and partner companies, typically over control of XRP tokens. We then explore elements of the technology behind Ripple. We conclude that the apparent distributed consensus mechanism doesn’t serve a clear purpose, because the default behaviour of Rippled nodes effectively hands full control over updating the ledger to the Ripple.com server. Therefore, in our view, Ripple does not appear to share many of the potentially interesting characteristics crypto tokens like Bitcoin or Ethereum may have, at least from a technical perspective.

Jed McCaleb (left) joined Ripple in 2011. Chris Larsen (right) joined the company in 2012. (Source: BitMEX Research)


On 4 January 2018, the Ripple (XRP) price reached a high of $3.31, an incredible gain of 51,709% since the start of 2017. This represented a market capitalization of $331 billion, putting Ripple’s valuation in the same league as Google, Apple, Facebook, Alibaba, and Amazon — the largest tech giants in the world. According to Forbes, Chris Larsen, the executive chairman of Ripple, owns 17% of the company and controls 5.19 billion XRP, worth around $50 billion at the time of the peak, making him one of the richest people in the world. Despite this incredible valuation, many of the market participants do not appear to know much about Ripple’s history or the technology behind it. In this piece, we provide an overview of the history of Ripple and look at some of its technical underpinnings.

History of Ripple

RipplePay: 2004 to 2012

Ryan Fugger founded a company he called RipplePay in 2004. The core idea behind the protocol was a peer-to-peer trust network of financial relations that would replace banks.

The RipplePay logo during that period of the company’s existence. (Source: Ripplepay.com)

RipplePay’s basic theory was as follows:

  • All banks do is make and receive loans. A bank deposit is a loan to the bank from the customer.
  • A payment from Bob to Alice in the traditional banking system is simply an update to their respective loan balances to the bank, with Bob’s loan to the bank declining slightly and Alice’s increasing slightly.
  • RipplePay held that one could replace banks by creating a peer-to-peer trust network in which individuals could directly loan each other, and alterations to these loan balances enable payments.
  • Payments, then, are simply updates to these loan balances, provided the system can find a path of relationships from the payer to the recipient.

In this example, the person on the far right side of the lineup makes a payment of $20 to the person on the far left. Although the payer and recipient do not directly trust each other, the payment transfers through a chain of IOUs forged of seven people who are linked by six trusted relationships. (Source: Ripple.com)

The network architecture is not dissimilar to the idea behind the Lightning Network, except with counterparty risk, something which Lightning avoids. In our view, this model is likely to be unstable and the trust networks are unlikely to be regarded as reliable — and therefore we are unsure of its efficacy. Either the system would centralise towards a few large banks and fail to be sufficiently different to the existing financial system or it would be liable to regular defaults. However, the current Ripple system is very different to this original idea.

At the start of 2011, Bitcoin was gaining some significant traction and began to capture the attention of Ripple’s target demographic. To some extent, Bitcoin had succeeded where Ripple had failed, building a peer-to-peer payment network with what appeared to be a superior architecture to Ripple. In May 2011, Jed McCaleb, an early Bitcoin pioneer, joined Ripple, perhaps to address some of these concerns.

McCaleb had founded the Mt. Gox Bitcoin exchange in 2010, which he sold to Mark Karpeles in March 2011. According to an analysis of the failure of Mt. Gox by WizSec’s Kim Nilsson, the platform was already insolvent, to the tune of 80,000 BTC and $50,000, in March 2011 when McCaleb sold it. Shortly after this, Ryan Fugger handed the reins of the Ripple project to McCaleb.

This video from June 2011 describes some of the philosophy and architecture of Ripple after McCaleb had joined the project:

OpenCoin: September 2012 to September 2014

The Ripple logo during the OpenCoin period. (Source: Ripple.com)

In 2012, McCaleb hired Chris Larsen, who remains on the board today as the executive chairman and whom the current website describes as a co-founder of Ripple. This marked the start of the OpenCoin era, the first of three name changes between 2012 and 2015. Larsen is the former chairman and CEO of E-Loan, a company he co-founded in 1996, took public in 1999 at the height of the tech bubble, and then sold to Banco Popular in 2005. Larsen then founded Prosper Marketplace, a peer-to-peer lending platform, which he left to join Ripple in 2012.

Larsen is not new to volatile prices and price bubbles. E-Loan experienced a peak-to-trough fall of 99.1% between 1999 and 2001. E-Loan’s IPO share price stood at $14 on 28 June 1999 before selling for $4.25 per share in 2005. (Source: Bloomberg)

To address the success of Bitcoin, Ripple now planned to allow Bitcoin payments on its network, potentially as a base currency for settlement. This period also marked the launch of the Ripple Gateway structure. The community realized that the peer-to-peer structure did not seem to work, with ordinary users unwilling to trust counterparties sufficiently to make the network usable for payments. To address this, Ripple decided to form gateways, large businesses that many users would be able to trust. This was said to be a compromise, a hybrid system between traditional banking and a peer-to-peer network.

How Ripple gateways work. (Source: Ripple.com)

In late 2012, OpenCoin opposed the usage of the name “Ripple Card” by Ripple Communications, a telecom company that predated the launch of the Ripple payment network. This may illustrate the start of a change in culture of the company, with a willingness to use the law to protect the company, and a change in strategy to focus more on the Ripple brand.

Ripple Communications is an unrelated telecom company based in Nevada that held the Ripple.com domain and used the Ripple name before the Ripple payment network came into being. (Source: Internet Archive)

In October 2012, Jesse Powell, the founder and CEO of the Kraken exchange (which launched in 2011) and close friend of McCaleb, participated in Ripple’s first seed round with an investment believed to total around $200,000. Roger Ver is also said to have been an early investor in Ripple, apparently investing “before even the creators knew what it was going to be”.

XRP token launch: January 2013

Ripple released its XRP coin in January 2013. Like Bitcoin, XRP is based on a public chain of cryptographic signatures, and therefore did not require the initial web of trust or gateway design. XRP could be sent directly from user to user, without the gateways or counterparty risk, which was the method used for all currencies on Ripple, including USD. Ripple perhaps intended XRP to be used in conjunction with the web of trust structure for USD payments — for example, to pay transaction fees. The company set the supply of XRP at a high level of 100 billion, with some claiming this would help Ripple prevent sharp price appreciation. Critics argued that the XRP token may not have been a necessary component of the network.

In April 2013, OpenCoin received $1.5 million in funding from Google Ventures, Andreessen Horowitz, IDG Capital Partners, FF Angel, Lightspeed Venture Partners, the Bitcoin Opportunity Fund, and Vast Ventures. This was the first in many rounds of venture funding and it included some of the most respected venture-capital companies in the world.

McCaleb left the project sometime between June 2013 and May 2014. Although his departure appears to have only been widely discussed within the Ripple community starting in May 2014, later statements from the company indicate he ended his involvement in June 2013 when Stefan Thomas took over as CTO. Thomas had created the We Use Coins website in March 2011 and the 2011 “What is Bitcoin?” YouTube video.

McCaleb appears to have disagreed with Larsen on strategy and then was seemingly forced out of the project, based on support Larsen received from the new venture-capital investors. After leaving Ripple, McCaleb went on to found Stellar in 2014, a project said to be based on some of the original principles behind Ripple.

Ripple Labs: September 2013 to October 2015

In September 2013, OpenCoin became Ripple Labs.

In February 2014, Ripple implemented the “balance freeze” feature, which it activated in August 2014. This allowed Ripple gateways to freeze or even confiscate coins from any user of its gateway, even without a valid signature for the transaction. The motivation of this was said to be to enable gateways to comply with regulatory requirements, for example, a court order demanding the confiscation of funds. The default setting for a gateway was to have the freeze feature enabled, but it was possible for a gateway to disable this option by using a “NoFreeze” flag, such that tokens a gateway owed could not be frozen or confiscated using this feature. The largest gateway at the time, Bitstamp, did not opt out of the freeze feature.

In May 2015, regulatory authorities in the United States fined Ripple Labs $700,000 for violating the Bank Secrecy Act by selling XRP without obtaining the required authorisation. Ripple additionally agreed to remedial measures, the most onerous of which are summarised below:

  • Ripple Labs must register with FinCEN.
  • If Ripple gives away any more XRP, those recipients must register their account information and provide identification details to Ripple.
  • Ripple must comply with AML regulations and appoint a compliance officer.
  • Ripple must be subject to an external audit.
  • Ripple must provide data or tools to the regulators that allows them to analyse Ripple transactions and the flow of funds.

Ripple: October 2015 to present

In October 2015, the company simplified its name to Ripple.

The current Ripple logo. (Source: Ripple.com)

In September 2016, Ripple raised $55 million in funding in a round led by Japan’s leading online retail stock-brokering company, SBI Holdings (8473 JP). SBI acquired a 10.5% stake in Ripple. As we mentioned in our “Public companies with exposure to the crypto space” piece, this is part of a wide range of SBI investments into crypto. SBI and Ripple have set up a joint venture, SBI Ripple Asia, which is 60% owned by SBI and 40% owned by Ripple. The company is hoping to provide a settlement platform using Ripple’s “distributed financial technology”.

In September 2017, R3, another blockchain company, sued Ripple. R3 argued that Ripple agreed in September 2016 to give it the option to buy 5 billion XRP at an exercise price of $0.0085 before September 2019. At the peak, the intrinsic value of this call option was worth around $16.5 billion. R3 alleges that in June 2017, Ripple terminated the contract, despite having no right to do so. Ripple then filed a counter case, alleging that R3 did not honour its side of the original 2016 agreement by failing to introduce Ripple to a large number of banking clients or to promote XRP for usage in these banking systems. As of February 2018, the case is unresolved.

Ripple supply and company reserves

When Ripple was founded, it created 100 billion XRP tokens of which 80 billion tokens were allocated to the company and 20 billion were given to the three founders. Here is an approximate breakdown of the distribution of those tokens:

  • The Ripple company received 80 billion XRP.
  • Chris Larsen received 9.5 billion.
    • In 2014, Larsen committed to put 7 billion XRP of this 9.0 billion into a charitable foundation.
  • Jed McCaleb received 9.5 billion. Upon leaving Ripple:
    • McCaleb retained 6.0 billion (subject to lock up agreement).
    • McCaleb’s children received 2.0 billion (subject to lock up agreement).
    • 1.5 billion was given to charity and other family members of McCaleb (not subject to lock up agreement).
  • Arthur Britto received 1.0 billion (subject to lock up agreement).

When McCaleb left Ripple, there were concerns he was, could or would dump his XRP into the market and crash the price. McCaleb and Ripple constructed the following agreement to prevent this by restricting the sale of XRP. The agreement was revised in 2016 after Ripple accused McCaleb of violating the initial terms.

2014 agreement
  • McCaleb’s sales are limited to $10,000 per week during the first year.
  • Sales are limited to $20,000 per week during the second, third, and fourth years.
  • Sales are limited to 750 million XRP per year for the fifth and sixth years.
  • Sales are limited to 1 billion XRP per year for the seventh year.
  • Sales are limited to 2 billion XRP per year after the seventh year.

(Source: http://archive.is/cuEoz)

As for the 80 billion XRP held by the Ripple company, the plan was to sell or give away this balance, using it both to fund company operations and to seed global money-transfer gateways. As the Ripple wiki says:

XRP cannot be debased. When the Ripple network was created, 100 billion XRP was created. The founders gave 80 billion XRP to the Ripple Labs. Ripple Labs will develop the Ripple software, promote the Ripple payment system, give away XRP, and sell XRP.

From December 2014 to July 2015, the company disclosed on its website the amount of XRP it held, the amount in circulation, and indirectly (by mentioning a reserve) the amount spent on company operations. The company did not distinguish between what it sold and what it gave away for free. The disclosure for 30 June 2015 is shown below.

(Source: Ripple.com)

Some time after July 2015 the disclosure was modified, with the reserve balance no longer available. Since at least late 2017 Ripple disclosed three figures, the “XRP held by Ripple”, “XRP distributed” and “XRP to be placed in escrow”. As at 31 January 2018, the balances are as follows:

  • 7.0 billion XRP held by Ripple
  • 39.0 billion XRP distributed
  • 55.0 billion XRP placed in escrow

We have been unable to link or reconcile the old Ripple reserve figure with the new XRP held by Ripple figure, therefore we are unsure how much the company has spent on its own operations across the entire period. However, we have analysed the information disclosed in the old way prior to July 2015, 12 data points in total, in addition to forum posts from the company’s current chief cryptographer David Schwartz (regarded as one of the main architects of Ripple’s technology, who goes by the name JoelKatz online and is said to have had 1 billion XRP). The following charts present our findings related to the distribution or spend of XRP.

XRP holdings from 2013 to 2015 – billion. (Source: BitMEX Research, Ripple.com)


XRP distribution (sales to partners plus XRP given away) and XRP spent on company operations – billions. The crosses represent points where information was available. We are not aware of why the amount spent on company operations appears to decline towards the end of 2015. (Sources: Ripple.com, https://forum.ripple.com/viewtopic.php?f=1&t=3645, https://forum.ripple.com/viewtopic.php?f=1&t=3590)


XRP in circulation – billions. (Source: Ripple.com, https://forum.ripple.com/viewtopic.php?f=1&t=3645, https://forum.ripple.com/viewtopic.php?f=1&t=3590, Coinmarketcap/new Ripple disclosure)

The data shows that Ripple sold or distributed 12.5 billion XRP from January 2013 to July 2015. We have been unable to determine how many XRP were sold, at what price, or how many were given away. The company spent at least 4 billion XRP on company operations between March 2014 and July 2015 but there are no details of what this was spent on, as far as we can tell.


Dispute between the company founders

As we alluded to above, McCaleb did not part with the company on the best of terms. In May 2014, early Ripple investor Jesse Powell described the situation:

Since Jed’s departure, the management of the company has taken a different direction. Sadly, the vision Jed and I had for the project in the early days has been lost. I’m no longer confident in the management nor the company’s ability to recover from the founders’ perplexing allocation to themselves of 20% of the XRP, which I had hoped until recently would be returned. Prior to Jed’s departure from Ripple, I had asked the founders to return their XRP to the company. Jed agreed but Chris [Larsen] declined — leaving a stalemate. This afternoon, I revisited the allocation discussion with the pair and again, where Jed was open, Chris was hostile.

Ripple responded to Powell with a claim that he was spreading false and defamatory information in violation of his obligations as a Ripple board member. The letter states:

In fact, as Chris has stated previously in discussions with you and Jed, he has been and remains willing to return most of his founders’ XRP to Ripple Labs.

Powell retorted that Larsen would return only a portion of his XRP to the company, and rather than giving it back, this would be a loan. Powell ends the letter by explaining how he sees the situation with respect to the 20 billion XRP granted to the founders and the formation of Ripple:

Jed and I got started with Ripple in September of 2011. I believe Chris joined sometime around August of 2012. Prior to Chris joining, the company had two investors. I’m not sure when Jed and Chris allocated themselves the XRP but they say it was before incorporation, which occurred in September of 2012. In my view, the two stole company assets when they took the XRP without approval of the early investors, and without sharing the allocation amongst the other shareholders. Whatever coin they allocated themselves prior to incorporation of Opencoin, I believe was abandoned. There had been several ledger resets between Sep 2012 and Dec 2012, and a new version of Ripple emerged, built by Opencoin, clearly with company resources. If Jed and Chris have continued to run the old software to preserve their Betacoin, I have no problem. Unfortunately, Jed and Chris again allocated themselves XRP in December of 2012. That XRP unquestionably was not gifted by Jed and Chris to the company, it did not exist prior to the company’s existence, and it was generated with company resources. That XRP has always belonged to the company and it was taken from the company by Jed and Chris. I’m asking them to return what they’ve stolen.

Powell continued to comment on the situation on the Ripple forum:

The board and investors have known about it for a long time. I’d been nudging them to return the XRP since I found out about it. Jed was always willing but Chris wasn’t, and Jed kept his share in case leverage was ever needed to more aggressively persuade Chris to return his portion. It wasn’t a regular topic of discussion and was just something I just imagined would work itself out when Chris got a grasp on the damage it was doing to Ripple’s image and adoption. If my goal had been to get my fair share, I probably would have been more proactive about it but I’d just assumed it would eventually be entirely returned to the company. I could have agreed to a small amount of XRP being paid out in lieu of cash compensation or instead of equity, but otherwise, we all should have bought our XRP at the market rate, like everyone else.

The company, through marketing VP Monica Long, then responded to Powell’s continued public pressure with the following commitment:

Further, co-founder and CEO Chris Larsen has authorized the creation of a foundation to distribute his donation of 7 billion XRP to the underbanked and financially underserved. This plan has previously been in development but is now being accelerated and finalized independent of a formal agreement amongst all the original founders. He believes this is both the right thing to do and the best way to remove further distractions in pursuit of the broader vision of the company. Details of the foundation, its independent directors, and the giveaway will be forthcoming.

The above response appeared to divert the pressure on Ripple and Larsen that was building inside the Ripple community. The foundation that was set up is Ripple Works. We have reviewed the charity’s US tax filings for the fiscal years ended April 2015 and April 2016, which show the following donations of XRP:

Date | Donor | Amount (XRP)
November 2014 | Chris Larsen | 200 million
April 2015 | Chris Larsen | 500 million
July 2015 | Chris Larsen | 500 million
November 2016 | Ripple Inc | 1,000 million

As of April 2016, two years after the commitment, Larsen appears to have given at least 1.2 billion XRP out of the promised 7 billion XRP total to the foundation. We have not been able to obtain the filing for the year ended April 2017, as it may not be available yet.

The dispute and the Bitstamp Ripple freeze incident

In 2015, Ripple took advantage of the Ripple freeze feature instituted in August 2014. The Bitstamp gateway froze funds belonging to a family member of Jed McCaleb. Some consider this ironic: Ripple originally stated that the freeze feature was implemented to enable gateways to comply with orders from law enforcement yet the first actual usage of the feature appears to have been an order to comply with an instruction from the Ripple company itself, against one of the founders.

What appears to have happened is a family member of McCaleb sold 96 million XRP (perhaps part of the 2 billion XRP given to other family members and not part of the lock-up agreement) back to Ripple for around $1 million. After Ripple acquired the XRP for USD, Ripple appears to have asked Bitstamp to use the Ripple freeze feature to confiscate the $1 million Ripple had just used to buy the tokens. In 2015, Bitstamp took both Ripple and McCaleb to court, to determine the best course of action.

Court documents allege/reveal the following:

  • McCaleb had 5.5 billion XRP.
  • McCaleb’s two children held 2 billion XRP.
  • Another 1.5 billion XRP were held by charitable organizations and other family members.
  • In March 2015, Jacob Stephenson, a relative of McCaleb, offered to sell 96 million XRP to Ripple.
  • Ripple agreed to pay nearly $1 million to buy the 96 million XRP from Stephenson in a complicated transaction that “manipulated the market” to “improperly inflate the price per XRP of the transaction and mislead other purchasers”. As part of this, Ripple paid more than the cost and asked Stephenson to return an excess amount of $75,000.
  • Bitstamp’s chief legal officer was also an advisor to Ripple and as such there was a conflict of interest.

The dispute between McCaleb and Ripple continued until a final resolution in February 2016, when the company, implying that McCaleb had violated the 2014 XRP lock-up agreement, stated that a final settlement had been reached:

Jed exited Ripple back when it was OpenCoin in June 2013. He has played no role in the strategy or operations of Ripple since then. He has, however, held significant stakes of XRP and company shares. In August 2014, we shared the terms of a lock-up agreement that dictated timetables and limits within which Jed could sell XRP. The purpose of the agreement was to ensure distribution of his XRP in a way that would be constructive for the Ripple ecosystem. Since April 2015, Jed has been party to ongoing legal action related to alleged violation of the 2014 agreement.

McCaleb responded to this with his side of the story, indicating that he was also happy with the final agreement.

This week also sees the end of a longstanding issue. Stellar and I have finally reached a settlement with Ripple in the ongoing dispute between the parties. The settlement shows that Ripple’s claims were entirely baseless. Ripple has conceded in exchange for Stellar and I agreeing to settle the litigation.

Under the final agreement, McCaleb’s family member’s $1 million were unfrozen, Ripple agreed to pay all legal fees, and 2 billion XRP were freed for donation to charity. McCaleb would be free to sell his remaining XRP, perhaps over 5 billion XRP, consistent with the terms in the table below.

2014 agreement
  • McCaleb’s sales are limited to $10,000 per week during the first year.
  • Sales are limited to $20,000 per week during the second, third, and fourth years.
  • Sales are limited to 750 million XRP per year for the fifth and sixth years.
  • Sales are limited to 1 billion XRP per year for the seventh year.
  • Sales are limited to 2 billion XRP per year after the seventh year.

2016 revised agreement
  • McCaleb must donate 2 billion XRP to charity.
  • McCaleb must retain title ownership of 5.3 billion XRP; however, Ripple will control the funds.
  • McCaleb and the charity will be able to collectively sell the following percentage of the average daily volume:
    • 0.5% in the first year,
    • 0.75% in years two and three,
    • 1.0% for the fourth year, and
    • 1.5% thereafter.

(Source: http://archive.is/cuEoz)

The Ripple consensus process

The consensus system

The Ripple technology appears to have gone through several iterations, but a core part of the marketing of Ripple is the consensus process. In 2014, Ripple used the image below to illustrate the consensus system, which seems to be an iterative process with servers making proposals and nodes only accepting these proposals if certain quorum conditions are met. An 80% threshold of the servers is considered a key level and once this threshold is crossed, a node regards the proposal as final. The image depicts some complexity in the process and the BitMEX Research team is unable to understand the detailed inner workings of the system or how it has any of the convergent properties necessary for consensus systems.

(Source: Ripple wiki)

In January 2018, the BitMEX Research team installed and ran a copy of Rippled for the purpose of this report. The node operated by downloading a list of five public keys from the server v1.ripple.com, as the screenshot below shows. All five keys are assigned to Ripple.com. The software indicates that four of the five keys are required to support a proposal in order for it to be accepted. Since the keys were all downloaded from the Ripple.com server, Ripple is essentially in complete control of moving the ledger forward, so one could say that the system is centralised. Indeed, our node indicates that the keys expire on 1 February 2018 (just a few days after the screenshot), implying the software will need to visit Ripple.com’s server again to download a new set of keys.

A screenshot of Rippled in operation. (Source: BitMEX Research)

Of course, there is nothing wrong with centralised systems; the overwhelming majority of electronic systems are centralised. Centralisation makes systems easier to construct, more efficient, faster, cheaper to run, more effective at stopping double spends and easier to integrate into other systems. However, some Ripple marketing, like the image below, contends that the Ripple system is distributed, which some may consider misleading.

(Source: Ripple.com)

In addition to the potentially misleading marketing, the construction involving the quorum process and 80% threshold may not be necessary and merely adds to the obfuscation, in our view. Defenders of Ripple could argue that the list of five public keys is customizable, as one could manually edit the configuration file and type in whatever keys one wants. Indeed, there is a list of such validators on the Ripple website. However, there is no evidence that many users of Ripple manually change this configuration file.

Even if users were to modify the configuration file, this may not significantly help. In this circumstance, there is no particular reason to assume that the system would converge on one ledger. For example, one user could connect to five validators and another user could connect to five different validators, with each node meeting the 80% thresholds, but for two conflicting ledgers. The 80% quorum threshold from a group of servers has no convergent or consensus properties, as far as we can tell. Therefore, we consider this consensus process as potentially unnecessary.
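The divergence argument above can be checked with a small model of the 80% rule. This is an added example, not rippled code and not part of the original report; it also goes one step beyond the disjoint case in the text by computing how much two lists of five must overlap before conflicting ledgers can no longer both reach quorum. Validator names, ledger labels and function names are constructed, and the model assumes every validator signs at most one ledger per round.

```python
"""Simplified model of per-node quorum acceptance (constructed illustration)."""

QUORUM_NUM, QUORUM_DEN = 4, 5  # the 80% threshold described in the article


def quorum(unl):
    """Validations a node needs from its own trusted list (4 for a list of 5)."""
    return -(-len(unl) * QUORUM_NUM // QUORUM_DEN)  # integer ceiling


def accepted_ledgers(unl, validations):
    """Ledgers that reach quorum among the validators this node trusts.

    validations maps validator name -> the ledger label it signed this round.
    Signatures from validators outside the node's list are ignored.
    """
    counts = {}
    for validator in unl:
        ledger = validations.get(validator)
        if ledger is not None:
            counts[ledger] = counts.get(ledger, 0) + 1
    need = quorum(unl)
    return {ledger for ledger, n in counts.items() if n >= need}


def can_fork(unl_a, unl_b):
    """True if two nodes could each accept a different ledger in one round.

    Assumption: no validator signs two ledgers. Each node fills its quorum
    from validators only it trusts first; whatever is still missing must come
    from the shared validators, and a shared validator can serve one side only.
    """
    a_only = len(unl_a - unl_b)
    b_only = len(unl_b - unl_a)
    shared = len(unl_a & unl_b)
    needed_from_shared = (max(0, quorum(unl_a) - a_only)
                          + max(0, quorum(unl_b) - b_only))
    return needed_from_shared <= shared


def disjoint_scenario():
    """The article's case: two users trust five different validators each."""
    unl_a = {f"A{i}" for i in range(1, 6)}
    unl_b = {f"B{i}" for i in range(1, 6)}
    validations = {v: "LEDGER_X" for v in unl_a}
    validations.update({v: "LEDGER_Y" for v in unl_b})
    return (accepted_ledgers(unl_a, validations),
            accepted_ledgers(unl_b, validations))


def single_publisher_scenario():
    """Default-style setup: five keys from one publisher, four agree."""
    keys = {f"R{i}" for i in range(1, 6)}
    validations = {k: "LEDGER_X" for k in ("R1", "R2", "R3", "R4")}
    validations["R5"] = "LEDGER_Y"  # the dissenting key cannot block anything
    return accepted_ledgers(keys, validations)


def fork_possible_by_overlap(size):
    """For two lists of `size` keys, map overlap count -> can_fork result."""
    result = {}
    for overlap in range(size + 1):
        shared = {f"S{i}" for i in range(overlap)}
        unl_a = shared | {f"A{i}" for i in range(size - overlap)}
        unl_b = shared | {f"B{i}" for i in range(size - overlap)}
        result[overlap] = can_fork(unl_a, unl_b)
    return result


if __name__ == "__main__":
    node_a, node_b = disjoint_scenario()
    print("disjoint lists  :", node_a, "vs", node_b)
    print("single publisher:", single_publisher_scenario())
    for overlap, forkable in fork_possible_by_overlap(5).items():
        print(f"overlap {overlap}/5 -> conflicting ledgers possible: {forkable}")
```

In this model, two five-key lists sharing two or fewer validators can each see a fully validated but conflicting ledger, so the threshold alone does not force convergence; agreement depends on how the trusted lists are chosen, which in the default configuration means on whoever publishes them.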

Validation of the ledger

Although the consensus process is centralised, one could argue that in Ripple user nodes can still validate transaction data from all participants. This model can be said to provide some assurance or utility, despite its computational inefficiency. Although moving the ledger forward is a centralised process, if the Ripple servers process an invalid transaction, user nodes may reject those blocks and the entire network would then be stuck. This threat could keep the Ripple server honest. However, this threat may not be all that different from the existing user pressure and legal structures which keep traditional banks honest.

Apparently, Ripple is missing 32,570 blocks from the start of the ledger and nodes are not able to obtain this data. This means that one may be unable to audit the whole chain and the full path of Ripple’s original 100 billion XRP since launch. This could be of concern to some, especially given Powell’s comments, which indicate that there may have been resets of the ledger in the early period. David Schwartz explained the significance of the missing blocks:

It doesn’t mean anything for the average Ripple user. In January of 2013, a bug in the Ripple server caused ledger headers to be lost. All data from all running Ripple servers was collected, but it was insufficient to construct the ledgers. The raw transactions still survive, mixed with other transactions and with no information about which transaction went in which ledger. Without the ledger headers, there’s no easy way to reconstruct the ledgers. You need to know the hash of ledger N-1 to build ledger N, which complicates things.


Much of this report has focused on disputes, primarily related to control over XRP, including accusations of theft. Perhaps such disputes are not particularly unique, especially given the rapid, unexpected growth in the value of the ecosystem. In fact, this story of the disputes might not be too dissimilar from that of some of the large tech giants mentioned in the introduction to this piece.

More significant than the disputes is the fact that the Ripple system appears for all practical purposes to be centralised and is therefore perhaps devoid of any interesting technical characteristics, such as censorship resistance, which coins like Bitcoin may have — although this does not mean that Ripple or XRP is doomed to failure. The company has significant financial capital and has proven somewhat effective at marketing and forming business partnerships, and perhaps this could mean the company succeeds at building adoption of the XRP token either among businesses or consumers. If so, the points that Bitcoin critics often raise may be even more pertinent and relevant in the case of XRP. These points include:

  • The lack of inflation is a naive economic policy.
  • The price of the token is too volatile and speculative.
  • Regulators will shut the system down if it becomes popular.
  • Perhaps most importantly, why not use the US dollar? Banks will build competing digital systems based on traditional currencies (if they don’t exist already).

The real mystery about Ripple is that, given the large market value of the system, why are all the Bitcoin critics so silent? Perhaps the answer to this question is just as applicable to some of Bitcoin’s proponents as it is to its critics. Most people seem to judge things based on what they perceive as the culture and character of those involved, rather than on the technical fundamentals.


Whilst many claims made in this note are cited, we do not guarantee accuracy. We welcome corrections.

The art of making softforks: Protection by policy rule

Abstract: In this article, following on from our piece on the history of consensus forks, guest writer Dr. Johnson Lau explains the distinction between policy rules and consensus forks. He explains why it may be safer to introduce new softforks when the proposed rule is already covered by policy rules (non-standard behaviour), as this may mitigate or reduce some of the risks normally associated with changing the consensus rules.


Softforks are the primary way to fix and introduce new Bitcoin consensus rules. The following series of articles will describe how Bitcoin softforks are engineered.

Consensus rules and softforks

Consensus rules determine whether a transaction or a block is valid or not. Every user and miner on the Bitcoin network is expected to adhere to the same set of consensus rules, so they will all agree to a single ledger.

A softfork occurs when the majority of users and/or miners decide to adopt a stricter set of consensus rules, which makes some previously valid transactions/blocks invalid, but not the opposite. If the majority enforces the new rule set, any violating fork would (statistically) never catch up to the stricter fork in terms of total proof of work. The minority with the old rule set will always follow the longer and stricter fork, so everyone on the network would still agree to a single ledger.

Policy rules and consensus rules

While consensus rules are the only criteria for determining transaction validity, relaying or mining nodes may prefer some kinds of transactions over others. For example:

  • As spam control, transactions with very low fees or “sand outputs” (outputs with very low value) are rejected.
  • Some miners refused to include “on-chain casino” transactions, considering them spammy.
  • Transactions with an unknown version are rejected (currently only version 1 and 2 are “known”).
  • Transactions with exotic scripts (i.e., not P2PKH, P2SH, v0 segwit, or a few other cases) and unknown NOPx codes (currently only OP_NOP2 and OP_NOP3 are known) are rejected.
  • “Replace by fee” and “child pay for parent” are also policy rules, as they determine which transactions are preferred by miners.

By definition, policy rules MUST be at least as strict as consensus rules. Obviously, no miners would like to include invalid transactions in a block (which will lead to a loss of mining reward) or to relay them (which will get them banned by peers).

While policy rules could be stricter than consensus rules, it is important to note that policy rules do not determine the validity of transactions. Once a transaction is included in a valid block, all network nodes will accept it even if it violates some policy rules.

It is also important to note that policy rules are local, while consensus rules are universal. That means different network nodes might have different policy rules but they will still agree to the same blockchain ledger as long as they are running the same consensus rules.

Transactions that violate a policy rule are sometimes called “non-standard transactions”, distinguishing them from “invalid transactions”.

Policy rules and softforks

Ideally, all miners should have upgraded to the new, stricter rule sets on or before the activation of a softfork. Financially, they have a strong incentive to do this, as mining an invalid block (in terms of the new rules) would lead to significant monetary loss. However, in a decentralized system like Bitcoin, this is not guaranteed.

Although miners are expected to pay attention to any proposed rule changes and take timely action, miners who build an invalid blockchain might cause market disruption and monetary loss for ordinary users. Therefore, any well-planned softfork should bear this in mind and minimize the risks.

The trick is to make a softfork only if it is covered by existing, widely adopted policy rules. Miners with the policy rules who are unaware of the new consensus rules would refuse to include such transactions by default, so they would never include transactions that are invalid in terms of the new consensus rules. Some cases in Bitcoin history illustrate this.

A worker is adding a “Road Closed” sign to a route that is not being used due to an obstruction that has existed before the sign is placed. The new traffic rules only prevent behaviour that was already “non-standard” and disruption is therefore minimal.

Case studies

BIP65: Check lock-time verify

OP_NOP1 to OP_NOP10 originally had no meaning in the Bitcoin script language. While they are counted as one operation (there is a limitation of 201 operations in a script), practically, they are skipped during transaction validation. However, a policy rule has been included in Bitcoin Core since version 0.10 to reject OP_NOPx by default. BIP65 is a softfork introduced in Bitcoin Core 0.12 to redefine OP_NOP2 as OP_CHECKLOCKTIMEVERIFY (OP_CLTV). OP_CLTV checks if the top stack value is greater than the transaction’s nLockTime field (along with a few more conditions). If any of the conditions are matched, the transaction is considered as invalid. Otherwise, OP_CLTV is skipped like OP_NOP2.

New nodes would always enforce the new consensus rules after softfork activation. Yet even before the softfork was activated, the original OP_NOP2 policy rule was replaced by the OP_CLTV rules (which is okay, since OP_CLTV rules are stricter than the original OP_NOP2 consensus rules).

Legacy mining nodes would not perform the nLockTime check. However, as long as they were running version 0.10 or above, the default OP_NOP2 policy rule would prevent them from including ANY transactions with OP_CLTV, valid or not. As a result, legacy mining nodes of 0.10 or above would never actively produce an invalid block with respect to the new OP_CLTV consensus rules.

BIP68: Relative lock-time using sequence numbers

nSequence is a field in Bitcoin transactions, which was essentially unused. The idea of BIP68 was to use the nSequence field for the purpose of relative lock-time, which is a very important building block of advanced transactions such as payment channels and the Lightning Network. However, the nSequence field has been ignored since the very first version of Bitcoin, and miners would accept any transaction with any nSequence value. There was no policy rule governing nSequence value, therefore a safe softfork could not be done as simply as OP_CLTV.

The trick was to use the transaction-version field (nVersion). Since version 0.7, non-version-1 transactions are rejected by a policy rule. To leverage this, BIP68 requires that the new rules for nSequence are enforced ONLY if the transaction version is 2 or above (or below 0, to be precise). Therefore, legacy mining nodes would not produce any BIP68-violating block, since they won’t include any non-version-1 transactions by default.

An attacker could not “turn off” BIP68 by simply changing the transaction version, since the version is covered by signature. This is also the only instance in which the transaction version is associated with consensus rules.

BIP141: Segregated witness

Segregated witness (segwit) is a softfork to fix transaction malleability by redefining a certain script pattern. In BIP141, the pattern is an output script (or P2SH redeemscript) which starts with a single OP_x (x = 0 to 16), followed by a canonical data push between 2 and 40 bytes. However, this is not what was originally proposed. In the first draft, the witness-program pattern was a single push between 2 and 41 bytes.

A policy has been implemented since v0.6 to reject transactions that spend exotic scripts (i.e. not P2PKH, P2SH, and a few more types). The first draft of the witness program was indeed non-standard in this regard.

The problem is with the witness program when wrapped in P2SH. Before v0.10, the policy rules would also reject any exotic P2SH scripts. This rule was greatly relaxed in v0.10, and the original witness-program design was not covered.

A few alternative proposals were considered:

  • A new transaction nVersion (like BIP68) does not work. If the new consensus rule is “segwit rules are enforced only if nVersion is larger than 2”, an attacker could steal all money stored in segwit outputs by changing the nVersion (since the nVersion is covered only by the segwit signature, which is not checked when nVersion is 2 or below).
  • An OP_NOPx might be used to label a witness program. However, this would make all witness programs 1 byte bigger, and also occupy the limited OP_NOPx space.

The final version made use of the so-called “clean stack” policy rule from BIP62. Although BIP62 is now withdrawn, its rules are still enforced as policy. “Clean stack” requires that script evaluation must end with one and only one stack item. The final witness-program design, however, leaves two items on the stack. This is valid by consensus but violates “clean stack” policy.

Failing example: BIP16 and pay-to-script hash (P2SH)

BIP16 was the first planned softfork on Bitcoin. It was activated when 55% of hash power signalled readiness (compared with the 80% to 95% currently in use). Before P2SH was introduced, there was no policy rule for checking the form of spending output. As a result, a significant number of miners kept creating invalid blocks, occasionally long chains, months after softfork activation.

Failing example: Segregated witness on Litecoin

Not long after the Bitcoin segwit implementation was finalized, Litecoin started to integrate the segwit code. However, while segwit was released in Bitcoin Core 0.13.1, the last Litecoin version at that time was 0.10.4, which did not include the “clean stack” rule. Litecoin developers tried to fix the problem by adding an extra consensus rule to segwit that required the block version to be at least 0x20000000, hoping that would force miners to upgrade. It turned out that all miners upgraded right before the activation (with the last large miner upgrading a few hours before), and no fork was created due to the lack of “clean stack” in the last release.

Should a large mining pool have failed to upgrade at the last minute, the extra-block version rule would have provided little or no protection. This will be discussed in a future article.

Policy protection is not a panacea

At this point, a reader might find that the policy-protection trick described above would only prevent un-upgraded miners from actively making the first invalid block after softfork activation. However, should such an invalid block be somehow created, un-upgraded miners would still accept it and extend such a blockchain if it had more proof of work. So this is a way to only reduce but not eliminate the chance of an accidental chain split at softfork activation. This issue is also particularly problematic if a significant number of miners are using different full-node implementations, which might not have the same policy rules.
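The BIP68 case and the caveat above can be checked with a small model. This is an added example, not code from the author or from Bitcoin Core: the flag constants are the ones defined in BIP68, while the transaction classes, the sample mempool and the use of elapsed seconds in place of median time past are simplifying assumptions.

```python
from dataclasses import dataclass

# BIP68 constants, as defined in the BIP68 specification.
SEQUENCE_LOCKTIME_DISABLE_FLAG = 1 << 31  # set: this input has no relative lock
SEQUENCE_LOCKTIME_TYPE_FLAG = 1 << 22     # set: time-based lock, else block-based
SEQUENCE_LOCKTIME_MASK = 0x0000FFFF       # low 16 bits hold the lock value
SEQUENCE_LOCKTIME_GRANULARITY = 9         # time locks count units of 2**9 = 512 s


@dataclass(frozen=True)
class TxIn:
    n_sequence: int
    age_blocks: int   # depth of the output being spent (constructed sample value)
    age_seconds: int  # time since it confirmed (simplified; nodes use median time past)


@dataclass(frozen=True)
class Tx:
    label: str
    n_version: int    # signed 32-bit value as serialised
    inputs: tuple


def bip68_applies(n_version):
    """New rules apply when the version, read as unsigned 32-bit, is 2 or above.
    Reading it as unsigned is why negative versions are covered too."""
    return (n_version & 0xFFFFFFFF) >= 2


def input_lock_satisfied(txin):
    if txin.n_sequence & SEQUENCE_LOCKTIME_DISABLE_FLAG:
        return True
    value = txin.n_sequence & SEQUENCE_LOCKTIME_MASK
    if txin.n_sequence & SEQUENCE_LOCKTIME_TYPE_FLAG:
        return txin.age_seconds >= (value << SEQUENCE_LOCKTIME_GRANULARITY)
    return txin.age_blocks >= value


def valid_old_consensus(tx):
    """Before the softfork nSequence was ignored, so every sample tx is valid."""
    return True


def valid_new_consensus(tx):
    if not bip68_applies(tx.n_version):
        return True
    return all(input_lock_satisfied(txin) for txin in tx.inputs)


def legacy_policy_standard(tx):
    """Policy rule since 0.7 (per the article): only version 1 is relayed or mined."""
    return tx.n_version == 1


def legacy_miner_template(mempool):
    """What an un-upgraded miner actively puts in a block: policy is applied here."""
    return [tx for tx in mempool
            if valid_old_consensus(tx) and legacy_policy_standard(tx)]


def legacy_node_accepts_block(block):
    """Policy is NOT applied to blocks received from others, only old consensus."""
    return all(valid_old_consensus(tx) for tx in block)


def upgraded_node_accepts_block(block):
    return all(valid_new_consensus(tx) for tx in block)


# Constructed sample mempool.
LOCK_144_BLOCKS = 144
LOCK_1024_SECONDS = SEQUENCE_LOCKTIME_TYPE_FLAG | 2
V1_IGNORED = Tx("v1, lock bits ignored", 1, (TxIn(LOCK_144_BLOCKS, 10, 6000),))
V2_MATURE = Tx("v2, lock satisfied", 2, (TxIn(LOCK_144_BLOCKS, 200, 120000),))
V2_IMMATURE = Tx("v2, lock not satisfied", 2, (TxIn(LOCK_144_BLOCKS, 10, 6000),))
V2_DISABLED = Tx("v2, disable flag", 2, (TxIn(0xFFFFFFFF, 0, 0),))
VNEG_IMMATURE = Tx("v-1, time lock not satisfied", -1,
                   (TxIn(LOCK_1024_SECONDS, 1, 600),))
MEMPOOL = [V1_IGNORED, V2_MATURE, V2_IMMATURE, V2_DISABLED, VNEG_IMMATURE]

if __name__ == "__main__":
    template = legacy_miner_template(MEMPOOL)
    print("legacy template:", [tx.label for tx in template])
    print("template valid under new rules:", upgraded_node_accepts_block(template))
    bad_block = [V2_IMMATURE]
    print("legacy node accepts bad block:", legacy_node_accepts_block(bad_block))
    print("upgraded node accepts bad block:", upgraded_node_accepts_block(bad_block))
```

The legacy template contains only the version-1 transaction, so it is always valid under the new rules, yet the same legacy node still accepts a block carrying the unsatisfied version-2 spend, which is the residual chain-split risk.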

Dr. Johnson Lau, Bitcoin Protocol Developer

CC BY-SA 4.0

The Lightning Network

Abstract: In this piece, we explain the motivation behind the creation of the Lightning Network and why its scaling characteristics are superior to what we have today, potentially resulting in a transformational improvement. We describe some of the basic technical building blocks that make Lightning possible. We then examine some of its limitations, including the downsides of inferior security compared to transacting on-chain and why this makes Lightning potentially unsuitable for larger-value payments.


The motivation behind the Lightning Network

Blockchain based payment systems typically work in a “broadcast to everyone” mode, in that when one makes a payment, one needs to broadcast the transaction to all participants in the network.

Nodes in such a system must:

  • store the transaction indefinitely,
  • verify the transaction, and
  • relay the transaction.

Miners, meanwhile, are required to engage in an energy-intensive competitive process to determine if the transaction makes it into the ledger, just in case a conflicting transaction occurs.

There isn’t even special treatment for the recipient of the payment. For example, if one buys a coffee using Bitcoin, the transaction is broadcast to the entire Bitcoin network without prioritising propagation of the transaction data to the coffee shop or the coffee shop’s payment processor. Many consider this process to be inefficient. If the objective is to build a payment system used by millions of people across the globe, this method does not seem logical.

The old “broadcast to everyone” announcement method at sporting events, during Arsenal’s 3-3 draw at home to Sheffield Wednesday in May 2000. Prior to the widespread adoption of mobile phones, stadium announcers broadcast messages for individuals over the public-address system to all those in attendance. Mobile phones have made this process faster and more efficient, as messages can be sent directly to the intended recipient.

The Lightning Network represents an improvement in efficiency and uses a more logical payment network structure. Instead of broadcasting a transaction to everyone, the transaction can be sent more directly to the payment recipient. Only when parties to the transaction are dishonest does one need to resort to the cumbersome process that distributed censorship-resistant systems require to maintain consensus. In this way, one can achieve performance and efficiency almost equivalent to that of direct communication between the parties over the Internet, while retaining some of the security characteristics of Bitcoin’s blockchain.

However, building such a payment system in which all parties can always revert to the blockchain and reclaim their funds if there is a problem, is complex and has some significant risks and limitations.

Lightning’s basic technical building blocks

Unidirectional micropayment channel. Source: BitMEX Research

The above diagram depicts the traditional way to set up a basic unidirectional payment channel. Although setting up the channel involves broadcasting a transaction to everyone, once the channel is set up, multiple payments from Bob to Alice can occur by simply sending data from Bob to Alice, avoiding a broadcast to the entire network. The payment process can be repeated again and again until the funds in the channel, in this case 1 BTC, have been exhausted.

In theory, the above channel is secure for the following reasons:

  • If Bob tries to renege on his payment, all Alice needs to do is sign and broadcast to the network transaction P1, which Bob signed when he initially made the payment. As long as this gets confirmed before the one-week locktime in transaction B, Alice safely receives her 0.1 BTC regardless of what Bob does.
  • If Alice refuses to sign anything in order to frustrate Bob, all Bob needs to do is wait one week for transaction B to become valid, and he is then able to move the money from the channel to himself by broadcasting transaction B, which Alice has already signed.

This process is more secure if transaction A cannot be malleated by a third party (the TXID changing), otherwise Bob could have created transaction B only for it to become invalid as transaction A changes, thereby enabling Alice to hold the funds hostage indefinitely.

According to an e-mail that Satoshi sent to Bitcoin developer Mike Hearn, this basic structure was Satoshi’s idea:

One use of nLockTime is high frequency trades between a set of parties.  They can keep updating a tx by unanimous agreement.  The party giving money would be the first to sign the next version.  If one party stops agreeing to changes, then the last state will be recorded at nLockTime.  If desired, a default transaction can be prepared after each version so n-1 parties can push an unresponsive party out.  Intermediate transactions do not need to be broadcast.  Only the final outcome gets recorded by the network.  Just before nLockTime, the parties and a few witness nodes broadcast the highest sequence tx they saw.

Source: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2013-April/002417.html

How lightning actually works

This micropayment construction can be considered the core building block for the Lightning Network, which is essentially a network of these payment-channel-like constructions. Payments find a path along channels which are already directly connected to each other until they reach the final recipient.

The channel construction used in Lightning builds on this basic structure with more advanced and complex technologies. The above construction is unidirectional, while in order to be useful, payments need to be made in both directions. For example, one can think of making payment channels bidirectional by constructing two channels between Alice and Bob, each in the opposite direction.  More precisely, Lightning uses the Poon-Dryja channel construction methodology. This has lower liquidity requirements than simply setting up a network of unidirectional payment channels in opposite directions, which would require twice the amount of funds to be locked up inside the channel.  However, the Poon-Dryja channel construction has significant weaknesses compared to the other approach. Poon-Dryja channels require each party to sign a new transaction every time the channel is updated (a payment is made), while in contrast, in a unidirectional channel, only the sender is required to sign when the channel is updated.

The old locktime feature can be replaced with more advanced functions:

  • Check locktime verify (BIP65) can prove that the output cannot be spent until a certain date rather than ensuring a particular spend of the output is invalid until a certain date, which is what locktime does.
  • Relative locktime (BIP68) can replace a specific end date with a date relative to the corresponding output. This can allow payment channels to remain open for indefinite periods, with a closure transaction triggering a time window during which the other party has a finite period of time (e.g., two weeks) to broadcast their reclaim transaction and recover the funds.
  • Hashed timelock contracts (HTLC) can require the receiver of a payment to provide a string that hashes to a certain value by a certain date or returns the funds to the payer. This same hash can be used to trigger other payments in the channel network, enabling payments to be made across a chain of channels.
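The hashed timelock mechanism in the last item can be modelled off-chain to show why one hash links a chain of channels and why each hop has a deadline. This is an added example, not code from the article or from any Lightning implementation; the third party Carol, the amounts, the block heights and the 40-block spacing between expiries are constructed assumptions, and fees are ignored.

```python
import hashlib
from dataclasses import dataclass

# Constructed secret: only the final recipient (Carol) knows it at the start.
PREIMAGE = b"constructed-secret-known-only-to-carol"
PAYMENT_HASH = hashlib.sha256(PREIMAGE).digest()


@dataclass
class HTLC:
    payer: str
    payee: str
    amount: int          # satoshis
    payment_hash: bytes  # SHA-256 of the recipient's secret
    expiry: int          # block height from which the payer can take the funds back
    state: str = "pending"

    def claim(self, preimage, height):
        """Payee takes the funds by revealing the preimage before expiry."""
        if self.state != "pending" or height >= self.expiry:
            return False
        if hashlib.sha256(preimage).digest() != self.payment_hash:
            return False
        self.state = "claimed"
        return True

    def refund(self, height):
        """Payer recovers the funds once the expiry height has been reached."""
        if self.state != "pending" or height < self.expiry:
            return False
        self.state = "refunded"
        return True


def lock_route(path, amount, payment_hash, height, delta=40):
    """One HTLC per hop, all on the same hash. Expiries shrink towards the
    recipient so each intermediary has time to claim upstream after paying."""
    hops = len(path) - 1
    return [HTLC(path[i], path[i + 1], amount, payment_hash,
                 height + delta * (hops - i)) for i in range(hops)]


def settle(route, preimage, claim_heights):
    """Walk back from the recipient; each claim reveals the preimage to the
    next node upstream. Stop at the first failed claim."""
    for htlc, height in zip(reversed(route), claim_heights):
        if not htlc.claim(preimage, height):
            break


def expire(route, height):
    for htlc in route:
        htlc.refund(height)


def net_balances(route):
    net = {}
    for htlc in route:
        net.setdefault(htlc.payer, 0)
        net.setdefault(htlc.payee, 0)
        if htlc.state == "claimed":
            net[htlc.payer] -= htlc.amount
            net[htlc.payee] += htlc.amount
    return net


def scenario(claim_heights, preimage=PREIMAGE, final_height=200):
    """Alice pays Carol 1000 sat through Bob, HTLCs locked at height 100.
    Expiries: Alice->Bob at 180, Bob->Carol at 140."""
    route = lock_route(["alice", "bob", "carol"], 1000, PAYMENT_HASH, 100)
    settle(route, preimage, claim_heights)
    expire(route, final_height)
    return net_balances(route)


if __name__ == "__main__":
    print("normal payment:      ", scenario([105, 110]))
    print("secret never shown:  ", scenario([]))
    print("wrong preimage:      ", scenario([105, 110], preimage=b"wrong"))
    print("Bob misses deadline: ", scenario([105, 185]))
```

In the last scenario Bob has paid Carol but claims from Alice after his own HTLC has expired, so he bears the loss; this is the missed-deadline risk the article attributes to channel monitoring.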

The resulting Lightning Network and its advantages

The Lightning Network should then, in theory, allow all participants in the network to make near instant and cheap transactions in all directions by finding a path among the nodes. This therefore avoids broadcasts to the Bitcoin network, as long as there are no problems, and results in a scalable network. The architecture even allows microtransactions and improves the privacy of payments.

Channels can stay open indefinitely due to the relative-locktime feature and there should be no counterparty risk; if anyone tries to steal funds through a hostile channel closure, the other participants to the transaction will have a significant time window in which to issue their own redemption transaction and get their money back.

Network functionality and user experience

A big unknown is how people and businesses will actually use the network, and commentators appear to have different visions. Some see the Lightning Network as eventually being ubiquitous for small payments, with complexities handled in an automated way. Others, more sceptical of Lightning, typically envision the various components of the network requiring more of a manual construction when the system is used, and a poor user experience plagued by unexpected channel closures and periods of Lightning Network downtime.

Channel setup

  • Sceptical view of Lightning: In order to set up a Lightning channel, a user must manually create a new expensive on-chain transaction.
  • Ambitious view of Lightning: Setting up a Lightning channel will be a seamless process built into existing wallets and systems. When receiving a payment or purchasing Bitcoin, the funds need to go somewhere. Funds could immediately go into a Lightning channel as they are received and therefore setting up the channel requires no additional steps or costs.

Channel closure

  • Sceptical view of Lightning: Once the payment is complete, one needs to close the channel, with a manually created expensive on-chain transaction.
  • Ambitious view of Lightning: There may be no need to close the channel and users can keep their wallet funds in channels indefinitely or for long periods of time.

Network routing

  • Sceptical view of Lightning: Routing is likely to be a significant problem, since finding a short path between parties is a difficult problem to solve algorithmically. If no route is found, the user and merchant will have to engage in the cumbersome process of selecting an on-chain transaction by manually changing the payment process.
  • Ambitious view of Lightning:
    1. The existing P2P network already requires a network topology and the relaying of messages, with nodes typically having eight connections. The Lightning Network topology is simply an extension of that.
    2. Routing is not a significant problem, since even in massive networks the average number of steps in a path between users is small.
    3. Even if there is a problem with routing, a payment could simply be made on-chain without the user even noticing the difference.
    4. A small number of large channel operators can prevent routing problems.

Centralisation of payment channels

  • Sceptical view of Lightning: The network will centralise around a few large hubs as this is the most efficient model. This centralisation increases the risk of systemic channel failure, which is when a few large channels fail, resulting in a simultaneous mass exodus from payment channels and on-chain congestion, ensuring some are unable to exit the channels before expiry.
  • Ambitious view of Lightning: There are economic incentives acting against centralisation: anyone can set up a node, as there are low barriers to entry. In addition to this there is an incentive to undercut other nodes by charging lower fees. Even if the network does centralise around a few large hubs, the Lightning Network still provides a useful and interesting system. Bitcoin already has a few large entities such as Coinbase that take custody of a large amount of funds. Under Lightning, the entities do not have custody of funds and merely act to relay data used for payments.

Liquidity

  • Sceptical view of Lightning: Payment channels will have insufficient liquidity and therefore the scope to make payments will be limited. Payments of any reasonable size can almost instantly drain the liquidity of an entire channel, such that Lightning payments will need to be suspended.
  • Ambitious view of Lightning: Users will be incentivised to run Lightning nodes and provide liquidity in order to receive fees and the network will be used for small payments, far smaller in value than the maximum channel capacity, ensuring sufficient liquidity.

Requirement to be online when receiving a payment

  • Sceptical view of Lightning: With an on-chain transaction, all a sender needs is a payment address to make a payment, and the recipient does not need to be online. In contrast to this, as explained above, in Lightning a recipient will need to sign a reclaim transaction before receiving a payment. This is a significant limitation and means recipients are required to keep their private keys exposed in a hot wallet. This makes Lightning impractical in many scenarios, such as making high value payments, at ATMs, at in store PoS systems or paying those with limited internet connectivity.
  • Ambitious view of Lightning: Although a recipient is required to be online to receive a payment, this does not result in significantly different dynamics to most on-chain payments, since if the recipient is not online, they don’t know about or cannot verify the payment anyway. It is also not necessary that the user or device directly receiving the payment needs to store the private keys. For example an in store PoS terminal or crypto ATM machine could receive the signed redemption transaction over the internet from the firm’s HQ prior to receiving payments, communication that is necessary when making payments anyway.

Potential requirement to monitor the channel

  • Sceptical view of Lightning: Lightning Network participants may be required to monitor payment channels and then take action by a certain deadline in order to safeguard their funds. For example, a hostile reclaim transaction could trigger the start of a period in which the other party must also issue a reclaim transaction to protect their funds, before a certain deadline. This is a significant burden on users.
  • Ambitious view of Lightning: Channels do not need to be monitored at all times, as this depends on the window provided by the relative locktime. Channel monitoring services (watchtowers) could mitigate this risk by monitoring channels on behalf of users: these services could either warn users in the event of a hostile reclaim transaction or could issue reclaim transactions themselves, if they were pre-signed and supplied beforehand by the users.

In reality, the truth may lie somewhere between these two visions, with the network potentially moving to the more ambitious vision over time. What this disagreement appears to come down to is that lightning sceptics see it as a complex, incomplete and impractical payment system based on the channel construction system alone.  Proponents see Lightning more as a scalable building block for a 2nd layer on top of Bitcoin’s blockchain, which will eventually be supplemented by wallets, payment protocol systems and channel servicing companies, resulting in a simple and seamless user experience. Ultimately wallets may be able to communicate with each other and then automatically dynamically decide which payment methodology is best, on-chain or the most practical method via Lightning, without the user even knowing or caring.

The increased security risks of Lightning

  • Requirement to be online when receiving a payment: As explained above, before receiving a payment, the recipient needs to sign a reclaim transaction so that the sender knows they can reclaim their funds in the event of hostile channel closure or a refusal to sign. Therefore, to receive money requires a hot wallet, meaning that private keys are potentially exposed if a security incident occurs.
  • Requirement to monitor the channel: Lightning Network participants or watchtowers may be required to actively monitor the payment channels. This could place a burden on users or watchtowers and potentially reduces the security of funds inside a channel relative to Bitcoin stored on-chain. There is a risk of missing a reclaim transaction deadline, either due to a failure to appropriately monitor the channel or perhaps because of on-chain network congestion.
  • Miners could censor channel closing transactions: 51% of the hashrate may have the ability to steal funds from Lightning users by censoring a channel closure transaction, in which the miner is the other party. Although the potential consequences of this type of attack are already devastating without Lightning, the Lightning Network potentially offers hostile miners a slightly larger attack surface.

While each of these three factors alone may not be that significant, the need to potentially expose one’s private keys to the Internet when receiving payments, the risk of a hostile channel closure, and the risk of miners censoring channel redemption transactions, combined, results in significantly inferior security, in our view — although all these risks can be managed to some extent.

There is a risk that lazy or poorly informed users keep too much money in a channel and funds are lost or stolen due to one of these failure scenarios.  There is also the risk that price volatility results in users keeping more funds in payment channels than they would otherwise have intended.


In our view, the Lightning Network does appear to potentially offer significant and transformational improvements with respect to scalability. Therefore transaction speeds and transaction fee rates should dramatically improve, without impacting the underlying security of the core protocol. Crucially, however, the inferior security properties related to Lightning payments may make the Lightning Network unsuitable for larger payments (or at least it may be irresponsible to use it for larger payments). Speculation and investment flows, which require these larger payments, currently appear to be the major driving force in the cryptocurrency space, with the volume of small retail payments being relatively small in comparison. Because of that, Lightning may not be as big of a game changer as some imagine, at least in the medium term. While enthusiasts appear likely to adopt this technology quickly, widespread adoption may take considerable time.

Mining Incentives – Part 3 – Short-Term vs. Long-Term

Abstract: In this third piece on crypto-mining incentives, we look at the different time periods miners may choose to maximize profits; short-term or long-term.  We draw analogies with related concepts in “traditional” mining, such as “high-grading”.  In corporate finance circles there are rumours of potential IPOs for crypto-miners, which could mean management focus shifts to the short term, as they may unfortunately need to justify quarterly earnings to investment analysts. We then look at the implications of this on potential network issues, such as Replace By Fee (RBF), ASICBOOST and the blocksize limit.  Whether one likes it or not, we think full RBF is coming.


Bitmain mining farm in Inner Mongolia – Photograph & Satellite image – Bitcoin mining is no longer for hobbyists


Source: Google Maps satellite image



Back in September 2017 we wrote two pieces on mining incentives. Part 1 focused on the mining cost curve and compared it to the dynamics of the cost curve in “traditional mining”, while part 2 looked at circumstances in the energy industry which could result in attractive opportunities for crypto-miners, concluding that failed or otherwise uneconomic energy projects may be best suited for Bitcoin mining.  In November 2017 we wrote about miners chasing short term profits in the Litecoin vs Dogecoin “hashrate wars” of 2014 and how this was repeated again with Bitcoin Cash, as the hashrate oscillated between coins, as miners attempted to maximize short-term profits, rather than make decisions based on ideological support for their favored coin.

In this piece we look at whether miners will focus on short-term profit maximization (perhaps even next block profit maximization) or alternatively if miners may focus on promoting the long-term viability of the system, by enacting policies designed to improve the end user experience, thereby potentially increasing long term profits.  We conclude that the level of competition in the industry, as well as the level of profitability, can alter the focus between short-term and long-term profit maximization decisions. Higher levels of competition and lower profit margins may result in a more short-term outlook.  We then go on to look at implications each strategy could have on various issues facing Bitcoin, such as replace by fee transactions, ASICBOOST or the blocksize limit policy.

We believe that mining is becoming less ideological and more commercial. At the same time the intensity of competition may increase in the coming months and years.  Therefore we predict full RBF will become prevalent in Bitcoin mining, as miners seek to maximize short-term profits.


Long term vs short run

It is widely accepted that most businesses want to maximize profits and Bitcoin mining is likely to be no exception to this.  In the past perhaps some miners were hobbyists or idealists, but this era now appears to have ended and now profits are seen as a main driver as the industry grows and becomes more commercialized.  However, profit maximization can be a more complex concept than one may think. Strictly speaking, investors should select projects which maximize discounted returns, and how to value the difference between profits today and profits tomorrow – the discount rate – is often a challenging metric to evaluate.


Analogy with traditional mining – High-grading

In “traditional mining”, high-grading is the practice of mining a higher grade of ore in a way that reduces the overall return of the mine, by wasting or destroying lower grade ore.  This is often seen as a destructive process, which reduces the value of the ore body, by making some ore inaccessible or literally destroying it to access higher grade ore. Mining management teams may engage in this process due to short-term pressure, for example to boost profit margins to satisfy short-term shareholders, to generate cash flow to satisfy debt holders, or boost their own performance-linked bonuses.  Management teams might then conceal the  conduct of the activity from the public or from investors.

High-grading often occurs during prolonged periods of price weakness of the relevant commodity, when profit margins are low, debt levels are high and there is considerable pressure on management teams.


The question is, are the companies going to re-cut their business long-term at a lower gold price, or are they going to re-cut their short-term business hoping they’ll be rescued in the long term by the gold price? That second one is called high-grading and it’s a disaster.

Source: Randgold Chief Executive Mark Bristow


The below diagram illustrates what a high-grading open pit mining plan may look like.  The initial plan for a larger mine captures more of the ore.  However, the alternative plan, shown below, increases the grade of the ore mined, but permanently destroys or removes access to some high grade ore, potentially against the long term interest of mine owners.


Source: Exploration Alliance


Revising a mining plan due to changes in discount rates, costs or commodity prices can of course be entirely legitimate in some circumstances, however high-grading has negative connotations and is normally associated with reducing the value of assets in an inappropriate manner.

Although there is no direct link between high-grading and crypto-mining, the concept demonstrates that when mining teams are under pressure, they can make some short-term decisions which can destroy long-term shareholder value. This is particularly relevant in the listed space, where shareholders may have less control, less information or more of a short-term focus.


Mining profitability

Whether miners make these “destructive” short-term focused decisions or not often depends on the level of profitability, which can be determined by the price of the underlying commodity. If the price of the commodity or crypto asset falls, such that a miner is not profitable, they may be faced with three options:


  • Operate at a loss – Perhaps making a contribution to fixed costs
  • Suspend operations  – In legacy mining this could reduce the supply of the commodity increasing the price. On the other hand, in crypto-mining this could lower the difficulty, increasing profit margins for the remaining miners
  • Modify mining policies – In legacy mining this could be a modification to the mining plan – for example, high-grading.  In the case of crypto, it could be engaging in full RBF, overt ASICBOOST or, in the event of an unlimited blocksize limit, clearing the memory pool to scoop up all the fees, despite the negative impact this could have on pricing in the transaction fee market, destroying industry prospects.

In general, lower profitability can increase the pressure on management teams, such that they make more short-term decisions, for example to pay down debt if they are under pressure from banks or to return to profitability if they are under pressure from shareholders. Higher margin companies may have more freedom to focus on the long term and may be able to invest for the future.


Industry concentration

In addition to profitability, another factor to consider in crypto-mining is the level of concentration in the industry.


Mining pool concentration over the last 6 months

Source: BitMEX Research, Blockchain.info


The above chart illustrates the level of concentration among mining pools, however one could also analyse the level of concentration in the industry by looking at chip production or the control of mining farms.  With respect to chip production, we estimate that Bitmain may have a 75% market share in Bitcoin.

If a miner has a large market share, their policies may have a significant impact on Bitcoin, which could impact the value of the system. In contrast, the policies of a small miner with a low market share may not have much impact on the system as a whole. A tragedy of the commons type situation could therefore occur, where policies which are best for the system as a whole are not what is best for each small individual miner. For instance, if a small miner with a 1% market share can engage in action which increases profits, but which would damage the long-term prospects of the system if all miners engaged in the practice, why not conduct the activity, since 1% alone will not make much difference?

In addition to this the level of competitive intensity may also matter.  If miners are ruthlessly competing against each other for market share, they may be more focused on doing whatever it takes to improve profit margins to win business.


Replace by fee (RBF)

Replace by fee is a system that enables the replacement of a transaction in a miner’s memory pool with a different transaction that spends some or all of the same inputs, due to higher transaction fees.  A variant of this feature was first added by Satoshi, before Satoshi later removed it.  Bitcoin Core then added in an opt-in version of the technology, where users must specify that the transaction can be replaced when making the transaction.

RBF has always been controversial, both the full version and the opt-in version, with detractors claiming it reduces the usability of Bitcoin by undermining zero confirmation transactions. Supporters of RBF claim, among other things, that miners will eventually adopt full RBF anyway, as it boosts short-term profits by selecting transactions with larger fees, even though it may harm long term profitability by reducing the utility of the system, which could lower the Bitcoin price. Again, it's sometimes seen as a tragedy of the commons type problem. Opponents of RBF may counter this by saying miners have more of a long term focus, and therefore RBF advocates are solving a theoretical game theory type problem which may not apply.

One can think of the types of industry characteristics under which this short-term profit-driven motive, and therefore full RBF, becomes more or less likely:


| Short-term profit – full RBF more likely | Long-term profit – full RBF less likely |
|---|---|
| A period of falling Bitcoin prices | A period of rising Bitcoin prices |
| Lower profit margins | Higher profit margins |
| Lower levels of industry concentration | Higher levels of industry concentration |
| More intense competition and a rivalry between miners | A less intense competitive environment and collaboration between miners |
| Publicly owned mining companies | Privately owned mining companies |
| Profit driven miners | Ideologically driven miners |
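
To make the opt-in and full versions of RBF described above concrete, the following added example (not code from Bitcoin Core or from this piece) models a miner's memory pool under each policy, with a first-seen pool as the baseline. The opt-in signal follows BIP125 (an input nSequence below 0xfffffffe); the class names, fees and outpoint are constructed for illustration, and real replacement rules also consider fee rates and descendant transactions.

```python
from dataclasses import dataclass

# BIP125: a transaction opts in to replacement when any of its inputs has
# an nSequence value below 0xfffffffe.
BIP125_MAX_SIGNAL_SEQUENCE = 0xFFFFFFFD
FINAL_SEQUENCE = 0xFFFFFFFF

POLICIES = ("first-seen", "opt-in-rbf", "full-rbf")


@dataclass(frozen=True)
class Tx:
    txid: str
    spends: frozenset               # outpoints consumed, as (txid, index) pairs
    fee: int                        # satoshis paid to the miner
    sequence: int = FINAL_SEQUENCE  # one nSequence for all inputs (simplification)

    def signals_replaceable(self) -> bool:
        return self.sequence <= BIP125_MAX_SIGNAL_SEQUENCE


class Mempool:
    """Hypothetical, simplified memory pool with a selectable replacement policy."""

    def __init__(self, policy: str):
        if policy not in POLICIES:
            raise ValueError(f"unknown policy: {policy}")
        self.policy = policy
        self.txs = {}

    def submit(self, tx: Tx) -> str:
        conflicts = [t for t in self.txs.values() if t.spends & tx.spends]
        if conflicts:
            if self.policy == "first-seen":
                return "rejected: conflicts with an earlier transaction"
            if self.policy == "opt-in-rbf" and not all(
                t.signals_replaceable() for t in conflicts
            ):
                return "rejected: original did not opt in to replacement"
            if tx.fee <= sum(t.fee for t in conflicts):
                return "rejected: replacement does not pay a higher fee"
            for t in conflicts:
                del self.txs[t.txid]
            self.txs[tx.txid] = tx
            return "replaced"
        self.txs[tx.txid] = tx
        return "accepted"


def simulate(policy: str, original_signals: bool):
    """Submit an unconfirmed payment, then a conflicting higher-fee spend of
    the same coin. Returns (payment still in pool, total fees in pool)."""
    coin = frozenset({("funding-tx", 0)})  # constructed outpoint
    seq = BIP125_MAX_SIGNAL_SEQUENCE if original_signals else FINAL_SEQUENCE
    payment = Tx("payment", coin, fee=1_000, sequence=seq)
    conflict = Tx("conflict", coin, fee=5_000)
    pool = Mempool(policy)
    pool.submit(payment)
    pool.submit(conflict)
    return ("payment" in pool.txs, sum(t.fee for t in pool.txs.values()))


if __name__ == "__main__":
    for policy in POLICIES:
        for signals in (False, True):
            print(policy, "original signals RBF:", signals, simulate(policy, signals))
```

Only the full RBF pool drops a payment that never signalled replaceability, and it is also the pool that ends up holding the larger fee, which is the short-term incentive the text describes.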


An unlimited blocksize limit

As anyone following Bitcoin knows, the “blocksize debate” is a complex issue which can be looked at from many angles. One such angle is that of the interrelationship between the fee market and mining incentivization. Supporters of larger blocks sometimes argue that a fee market would still work with an unlimited blocksize, while “smaller blockers” often dispute this point.

An element of this argument is related to whether miners focus on the long term or the short term, just like for RBF above. Supporters of an economic blocksize limit claim that we need an economically relevant blocksize limit, by claiming that without a limit miners may focus on maximizing short-term profits and scoop up all the fees, resulting in low fees and insufficient mining incentives.  “Larger blockers” then counter this by claiming miners will have more of a long-term focus and would not take such action, as it would damage the long term viability of the system, and therefore their businesses.


The history of the “death spiral” argument

In some ways, this short-term vs. long-term incentive discussion, or the “death spiral” argument, goes right to the genesis of the blocksize debate, back in April 2011.


The death spiral argument assumes that I would include all transactions no matter how low their fee/priority, because it costs me nothing to do so and why would I not take the free money? Yet real life is full of companies that could do this but don’t, because they understand it would undermine their own business.

Source: Mike Hearn (April 2011)  – Bitcointalk – One day earlier Mr Hearn thought that “The death spiral failure mode seems plausible” but then changed his mind after thinking about the issue further.


Ironically, though, the narrative from some of the “larger blockers” has somewhat shifted in recent years, to a “pro mining” type philosophy of chasing short term profits. Perhaps this is because a large miner, Bitmain, has been one of the most prominent advocates of larger blocks. Most “larger blockers” appear to have shifted the narrative on to some other valid points, although, as we explained above, this short term vs. long term line of thought can be considered as the genesis of the blocksize debate and part of the initial reason for the division in the community.

In our view, there is no right or wrong answer to these questions.  Whether miners have a short-term focus or long-term focus depends on many factors, including profitability and market share, as we explained above.  In our view the industry may go through cycles, where the industry shifts between the long-term and short-term focus depending on conditions in the industry.  This phenomenon is visible in traditional mining, driven by commodity price cycles impacting industry conditions.


Changing times – A short-term profit focus will be king

The Bitcoin community is rapidly changing: the transformation from a cohesive group of people with a shared vision, working together to build a revolutionary technology, into a much larger community made up of competing profit-driven factions is almost complete. It may have seemed unrealistic a few years ago to assume miners would be primarily driven by short-term profit maximization; however, this is increasingly accepted as the norm now, certainly after the hashrate swings caused by Bitcoin Cash’s EDA.

Mining is a business: TSMC has reported that one crypto mining business may be spending US$1.5bn per annum on chips, and growing. In some corporate finance circles, rumours are circulating that large mining pools or chip producers could conduct an IPO shortly, something almost unimaginable a few years ago. This could put management of the mining pool in the unfortunate position of needing to justify operating profit margins to investment analysts and shareholders, each quarter.  At the same time, many expect the mining industry to become more competitive this year, with new companies expected to launch competitive products.

In this new world, RBF type behavior and the fee market “death spiral failure mode”, seem more and more inevitable.  Perhaps early fee market and RBF advocates were too obsessed with unrealistic and complex game theory, and maybe they were too early, when a better tactical decision could have been to focus on the user experience before adopting RBF and full blocks.  Although now Bitcoin has changed, short-term profit maximization is the new mantra.

In the coming years, we predict that many miners will engage in full RBF and even overt ASICBOOST (which can also boost profits), as they do all they can to maximize short-term profits.  Whether one likes it or not, in our view, it’s coming…

A Complete History of Bitcoin’s Consensus Forks

Abstract: In this piece we list 19 Bitcoin consensus rule changes (or 18 as an accidental one “failed”), which represents what we believe to be almost every significant such event in Bitcoin’s history.  At least three of these incidents resulted in an identifiable chainsplit, lasting approximately 51, 24 and 6 blocks, in 2010, 2013 and 2015, respectively.


Source: gryb25



| Term | Definition |
|---|---|
| Chainsplit | A split in the blockchain, resulting in two separate chains, with a common ancestor. This can be caused by either a hardfork, a softfork or neither. |
| Consensus rule changes: Hardfork | A loosening of the consensus rules on block validity, such that some blocks previously considered as invalid are now considered valid. Existing nodes are required to upgrade to follow the new hardforked chain. |
| Consensus rule changes: Softfork | A tightening of the consensus rules on block validity, such that some blocks previously considered as valid are now considered invalid. Existing nodes do not necessarily need to upgrade to follow the new softforked chain. |

Note: These terms are believed to have originated in April 2012 and formalized in BIP99 and BIP123


List of Bitcoin consensus forks

| Date | Activation Block Number | BIP Number or Software Version | Description | Type | Outcome |
|---|---|---|---|---|---|
| 28 July 2010 | n/a¹ | 0.3.5 | OP_RETURN disabled. Fixing a critical bug which enabled anyone to spend any Bitcoin | Softfork | No evidence of any issues during this upgrade |
| 31 July 2010 | n/a¹ | 0.3.6 | OP_VER and OP_VERIF disabled³ | Softfork | Some users had trouble upgrading and it was recommended that nodes should be shutdown if they could not be upgraded² |
| | | | The addition of the OP_NOP functions, although perhaps there was no usage of OP_NOP prior to this point | Hardfork | |
| 01 Aug 2010 | n/a¹ | 0.3.7 | Separation of the evaluation of the scriptSig and scriptPubKey. Fixing a critical bug which enabled anyone to spend any Bitcoin | Potentially a non-deterministic hardfork | No evidence of any issues during this upgrade |
| 15 Aug 2010 | 74,638 | 0.3.10 | Output value overflow bug fix following a 184.5 billion Bitcoin spend incident. The 0.5BTC which was the input to the transaction remains unspent to this day. | Softfork | A chainsplit occurred. Around 5 hours after the incident, a fix was released, client 0.3.10. It is believed that 51 blocks were generated on the “bad chain” before the “good” chain re-took the PoW lead |
| | | | Disabling OP_CAT, which removed a DoS vector, along with the disabling of 14 other functions | Softfork | |
| 07 Sept 2010 | n/a¹ | 0.3.12 | Adding the 20,000 signature operation limit, in an incorrect way. This incorrect limit still exists today. | Softfork | No evidence of any issues during this upgrade |
| 12 Sept 2010 | 79,400 | n/a | Adding the 1MB blocksize limit. The “MAX_BLOCK_SIZE = 1000000” commit occurred on 15 July 2010, which was released in the 0.3.1 rc1 version of the software on 19 July 2010. The commit enforcing the 1MB rule occurred on 7 September 2010, activating at block 79,400. On 20 September 2010, Satoshi removed this activation logic, but kept the 1MB limit. | Softfork | No evidence of any issues during this upgrade |
| 15 March 2012 | 171,193 | BIP30 | Disallow transactions with the same TXID, unless the older one was fully spent. In September 2012 the rule was applied to all blocks, apart 91,842 and 91,880, which violate the rule | Softfork | This was a flag day softfork, there is no evidence of any issues |
| 1 April 2012 | 173,805 | BIP16 | Pay to Script Hash (P2SH) – This allows transactions to be sent to a script hash (address starting with 3) instead of a public key hash (addresses starting with 1) | Softfork | 55% activation threshold, over blocks in the 7 days prior to 1 February 2012. Miners did not upgrade fast enough, so the evaluation point was delayed until 15 March. Users running 0.6.0rc1 who did not upgrade for the delay, activated the softfork early and got stuck on block 170,060 when an invalid transaction according to their nodes was mined. After activation problems were then caused by the remaining 45% of miners producing invalid blocks for several months after the softfork |
| 24 Mar 2013 | 227,835 | BIP34 | Requires the coinbase transaction to include the block height | Softfork | 95% activation threshold. A successful rollout occurred |
| 11 Mar 2013 | 225,430 | 0.8.0 | This was an unplanned hardfork caused by the migration from Berkeley DB to LevelDB, which accidentally removed an unknown 10,000 BDB database lock limit. This caused a chainsplit which occurred on 11 March 2013, although the software which caused the error was released 20 days earlier on 20 February 2013. The change was reverted as the Bitcoin economy and miners switched back to 0.7.2 rules | No change in the consensus rules occurred | A chainsplit of at least 24 blocks occurred, with the 0.8.0 chain having a maximum lead of 13 blocks. A successful double spend also occurred. The original rules chain eventually re-took the PoW lead |
| 18 Mar 2013 | n/a¹ | 0.8.1 | This was a temporary softfork, introducing a new rule requiring that no more than 4,500 TXIDs are referenced by inputs in a block, this rule is stricter than the 10,000 BDB lock limit. The rule expired on 15 May 2013, a flag day hardfork. | Softfork | There is no evidence of any issues |
| 15 May 2013 or 16 Aug 2013 | 252,451 or earlier | BIP50 | In August 2013 a block may have been produced which violated the original 10,000 BDB lock limit rule, which was relaxed on 15 May 2013. | Hardfork | There is no evidence of any issues |
| 04 July 2015 | 363,731 | BIP66 | Strict DER Signature – This upgrade means Bitcoin is no longer dependent on OpenSSL’s signature parsing | Softfork | 95% threshold over a 1,000 block period. A chainsplit occurred, lasting 6 blocks, as some miners signaled support for BIP66 but had not upgraded and were SPY mining. The new softfork rules chain eventually took the lead. |
| 14 Dec 2015 | 388,380 | BIP65 | Check Lock Time Verify – This enables funds to be locked until a specific time in the future. This is Bitcoin’s first new function | Softfork | Successful rollout using a 95% threshold |
| 04 July 2016 | 419,328 | BIP68 | Relative lock time; Remove the incentive to use a future timestamp to grab transaction; Median past time | Softfork | Successful rollout using 95% versionbits signaling |
| 23 July 2017 | 477,800 | BIP91 | This temporary softfork makes signaling for the SegWit upgrade mandatory | Softfork | Softfork successfully activated with an 80% miner threshold over a 336 block period, although only a tiny minority of users enforced BIP91 rules, which have since expired. Therefore the risk of a chainsplit was elevated in this period. |
| 01 Aug 2017 | 478,479 | BIP148 | This temporary softfork makes signaling for the SegWit upgrade mandatory for a two week period following 1 August 2017 | Softfork | Flag day softfork appeared to succeed with no issues, although only a minority of users enforced BIP148 rules, which have since expired. Therefore the risk of a chainsplit was elevated in this period. |
| 24 Aug 2017 | 481,824 | BIP141 | The Segregated Witness upgrade | Softfork | Rollout using 95% versionbits signaling |
| The year 2262 | 13,440,000 | BIP42 | Fixed a 21 million coin supply cap bug. The software was upgraded in April 2014 to fix this bug, however the new rule does not apply until the 23rd century. | Softfork | The softfork is not applicable yet |

Sources: BitMEX Research, Github, Bitcoin Blockchain


  1. With the exception of the 1MB blocksize limit, prior to the 2012 BIP16 softfork, there was no activation methodology, therefore if the fork occurred smoothly without a chainsplit, there is not necessarily a specific block height or date on which the consensus fork occurred.
  2. “If you can’t upgrade to 0.3.6 right away, it’s best to shut down your Bitcoin node until you do” – Satoshi Nakamoto (Source)
  3. Prior to the removal of OP_VER, each software upgrade could potentially be considered as a non-deterministic hardfork and these have been excluded from this list.  Although if the definition of hardforks includes this, then it's a somewhat pedantic definition.
  4. There are no consistent definitions used in the above table, because for example, a different definition of the date on which the fork occurred may be more relevant in each incident, depending on the circumstances.
  5. Others have also mentioned that changes to the P2P protocol can also be considered hardforks, if they make previous software releases unusable since they can no longer connect to the network.  However, strictly speaking these do not relax the rules on block validity, and one could sync old nodes by setting up a relay of intermediary versions of the software.  These changes are excluded from the above list.
  6. Some consider BIP90 as a hardfork, however since it only relaxed rules related to softfork activations which happened in the past, it does not share many of the characteristics or risks normally related to consensus forks.  Using the same logic, the block checkpoint scheme can also be considered softforks.
  7. In July 2010 the chain selection rule was altered to shift to most accumulated work from the number of blocks. Technically this is not a change to block validity rules, however this change does share some of the risks associated with consensus rule changes.
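
The 15 August 2010 entry in the list above is an integer overflow. The following added example (a simplified Python model, not Bitcoin's source code) shows why a check that sums outputs in a 64-bit signed integer can pass, and how bounding every amount by the 21 million coin supply closes it. The two output values are constructed so that they total roughly the 184.5 billion Bitcoin mentioned in the table, spent from a 0.5 BTC input; the function names are hypothetical.

```python
COIN = 100_000_000             # satoshis per bitcoin
MAX_MONEY = 21_000_000 * COIN  # no valid amount can exceed the total supply

# Constructed sample transaction: one 0.5 BTC input, two huge outputs.
INPUT_VALUE = 50_000_000
OUTPUT_VALUES = [9_223_372_036_854_277_039, 9_223_372_036_854_277_039]


def to_int64(value: int) -> int:
    """Emulate 64-bit two's-complement wraparound (Python ints never overflow)."""
    value &= (1 << 64) - 1
    return value - (1 << 64) if value >= (1 << 63) else value


def check_without_range_limit(input_value, output_values):
    """Flawed model: negative outputs are rejected, but the running total
    lives in a signed 64-bit integer and is allowed to wrap around."""
    total = 0
    for value in output_values:
        if value < 0:
            return (False, "negative output")
        total = to_int64(total + value)
    if input_value < total:
        return (False, "outputs exceed inputs")
    return (True, input_value - total)  # second element is the implied fee


def check_with_range_limit(input_value, output_values):
    """Hardened model: each output and the running total must stay within
    0..MAX_MONEY, so the sum can never approach the 64-bit limit."""
    total = 0
    for value in output_values:
        if not 0 <= value <= MAX_MONEY:
            return (False, "output out of range")
        total += value
        if total > MAX_MONEY:
            return (False, "total out of range")
    if input_value < total:
        return (False, "outputs exceed inputs")
    return (True, input_value - total)


def wrapped_output_total(output_values):
    """The value the flawed check compares against the inputs."""
    total = 0
    for value in output_values:
        total = to_int64(total + value)
    return total


if __name__ == "__main__":
    print("claimed BTC:", sum(OUTPUT_VALUES) / COIN)
    print("wrapped total (satoshis):", wrapped_output_total(OUTPUT_VALUES))
    print("flawed check:", check_without_range_limit(INPUT_VALUE, OUTPUT_VALUES))
    print("hardened check:", check_with_range_limit(INPUT_VALUE, OUTPUT_VALUES))
```

Each output is individually positive, yet their 64-bit sum wraps to a small negative number, so the flawed check sees outputs that are "less than" the 0.5 BTC input.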


Was the 2013 incident a hardfork?

In our view, on balance, the increase in the BDB lock limit, a few months after the 11 March 2013 chainfork, was a hardfork.  The rule in question was a 10,000 BDB lock limit, which was increased. The rule was relaxed on 15 May 2013 in the software version 0.8.1, which was released on 18 March 2013.  A block exceeding this limit may finally have been produced on 16 August 2013.  Therefore the date of the hardfork could either be 15 May 2013 or 16 August 2013, depending on how you define it.

Although some have argued that this may not have been a hardfork, for a variety of reasons, including that this rule was “quasi-non-deterministic” or that one could manually change the BDB config settings.  Indeed, due to the non-deterministic nature of the lock limit, perhaps it is theoretically possible one could have a local system setup, such that the old BDB lock limit has never been breached.  Therefore, one could declare that there has “never been a hardfork” in Bitcoin, due to a very strict definition, requiring a hardfork to be deterministic or perhaps even directly related to Bitcoin data such as transactions or the block header.

When discussing this incident, Bitcoin developer Gregory Maxwell said the following:

Sort of a mixed bag there, you can actually take a pre BIP-50 node and fully sync the blockchain, I last did this with 0.3.24 a few months ago. It just will not reliably handle reorgs involving large blocks unless you change the BDB config too. So it’s debatable if this is a hard fork either, since it’s quasi-non-deterministic. There were prior bugs fixed where older versions would get stuck and stop syncing the chain before that too… So I think by a really strong definition of creating a blockchain which violates the rules mandated by prior versions we have never had a hardfork.

Source: https://bitcointalk.org/index.php?topic=702755.msg8116032#msg8116032


Chainsplit incident of July 2015

In the above list of consensus rule changes, there are three incidents which caused identifiable chainsplits.  The most recent of these occurred on 4 July 2015, during the BIP66 softfork upgrade.

Immediately after the activation of BIP66 there was a 6 block orphan chain created because a miner produced an invalid block that was not recognised as invalid by some other mining pools, because they were not validating new blocks.

In this case some miners were signaling support for BIP66 soft fork but hadn’t actually upgraded their nodes to validate, one could say miners were “false flagging”. If the miners had been validating blocks, they would have discovered the block was invalid and rejected it, however some miners built on top of the invalid block and a chainsplit occurred.

A diagram illustrating these 6 blocks and the chainfork is displayed below.


Graphical illustration of July 2015 chainsplit

Source: Blockchain.info (http://archive.is/WqGRp, http://archive.is/LHlF7)
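
The July 2015 split described above, replayed as an added example (not code from any Bitcoin implementation): a validating node applies the tightened BIP66 rule to every block, while a non-validating miner follows the longest chain without checking it. Chain length stands in for accumulated work, and the block names and the length of the valid branch are constructed; only the 6 block invalid branch comes from the text.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Block:
    name: str
    parent: Optional[str]
    strict_der: bool = True  # do all signatures in this block use strict DER?


def old_rules(block: Block) -> bool:
    """Pre-BIP66 view, also the effective view of a miner that does not validate."""
    return True


def bip66_rules(block: Block) -> bool:
    """Softfork view: a tightening, so it accepts a subset of what old_rules accepts."""
    return block.strict_der


class BlockTree:
    def __init__(self):
        self.blocks = {"fork-point": Block("fork-point", None)}

    def add(self, name, parent, strict_der=True):
        self.blocks[name] = Block(name, parent, strict_der)

    def chain(self, tip):
        """Blocks from the fork point up to and including `tip`."""
        out = []
        while tip is not None:
            out.append(self.blocks[tip])
            tip = self.blocks[tip].parent
        return out[::-1]

    def best_tip(self, rules):
        """Tip of the longest chain on which every block passes `rules`.
        Ties go to the block seen first (dict insertion order)."""
        best, best_len = "fork-point", 1
        for name in self.blocks:
            chain = self.chain(name)
            if len(chain) > best_len and all(rules(b) for b in chain):
                best, best_len = name, len(chain)
        return best


def replay_split():
    tree = BlockTree()
    # Branch A: one block breaking the new rule, then five more built on it
    # by miners that signalled support but were not validating.
    tree.add("A1", "fork-point", strict_der=False)
    for i in range(2, 7):
        tree.add(f"A{i}", f"A{i - 1}")
    # Branch B: blocks from validating miners (constructed length).
    for i in range(1, 6):
        tree.add(f"B{i}", "fork-point" if i == 1 else f"B{i - 1}")
    during = {"validating": tree.best_tip(bip66_rules),
              "non_validating": tree.best_tip(old_rules)}
    # Branch B overtakes; anyone following the longest chain reorganises onto it.
    tree.add("B6", "B5")
    tree.add("B7", "B6")
    after = {"validating": tree.best_tip(bip66_rules),
             "non_validating": tree.best_tip(old_rules)}
    orphaned = [b.name for b in tree.chain("A6") if b.name != "fork-point"]
    return {"during": during, "after": after, "orphaned": orphaned}


if __name__ == "__main__":
    for key, value in replay_split().items():
        print(key, value)
```

Because the rule change only tightens validity, every block on the valid branch also passes the old rules, which is why the non-validating view can switch to it once it has more work; the five blocks built on top of the invalid one are lost along with it.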



Whilst many claims made in this piece are cited, we do not guarantee accuracy.  We may have made errors or accidentally omitted consensus rule changes from the list.  We welcome corrections.



After the publication of this piece, an alternative list of consensus versions was published on the Bitcoin Wiki.

Bitcoin Gold (BTG) – Investment flow data

Abstract: A few weeks ago, we published a piece on Bitcoin Cash and how one can analyse transaction data on the two blockchains involved in the split, to try to draw conclusions about the potential investment flows between the two chains. In this piece we provide a similar analysis, with respect to Bitcoin Gold (BTG).


Bitcoin Gold overview

Bitcoin Gold (BTG) is a Bitcoin chainsplit token, similar to Bitcoin Cash. Anyone who held Bitcoin on block 491,406, (which occurred on 24th October 2017) was allocated an identical amount of Bitcoin Gold. Some exchanges allowed customers to trade their Bitcoin Gold from this date, based on customer balances at the time of the fork. However, the Bitcoin Gold blockchain itself, did not appear to become usable until 14 November 2017, 21 days after the snapshot point.

The aim of Bitcoin Gold appears to be to address mining centralization by switching the hashing algorithm from SHA256 to Equihash, which is currently more GPU-friendly than the ASIC-dominated SHA256.


Allocation of Bitcoin Gold to the coin founders

Although the Bitcoin Gold project team does not always appear to want to make this fact well-known, 100,000 coins were created and then allocated to the Bitcoin Gold team members. This consists of the block reward for 8,000 blocks, which with a block reward of 12.5 BTG, amounts to 100,000 coins.

Based on the current spot price of Bitcoin Gold of US$450 per coin, this balance is worth approximately US$45 million. In the eyes of many, this seemingly unnecessary allocation is likely to damage the integrity of Bitcoin Gold. Bitcoin Cash, for example, did not have such an allocation. One could argue that Bitcoin Cash’s initial difficulty adjustment mechanism also allowed an unusually large number of coins to be created in the initial period following the fork, although this seems somewhat fairer than what Bitcoin Gold did, as anyone could have mined the Bitcoin Cash tokens and they were not directly allocated.


Total coins spent

As at 20th December 2017, 2.61 million Bitcoin Gold tokens have been spent at least once. This compares to 4.7 million and 2.4 million Bitcoin spent, since the snapshot point and the point at which Bitcoin Gold transactions became possible, respectively. This also compares to 4.1 million Bitcoin Cash, which was spent after an equivalent number of days following the Bitcoin Cash fork point.

The 2.61 million Bitcoin Gold which has been spent represents c15.8% of all the Bitcoin Gold. In our view, this is likely to be related to the level of divestment from Bitcoin Gold, mainly because this 2.61 million coin figure is higher than a comparable first time spend in Bitcoin over the same period.


Figure 1 – Bitcoin Gold (BTG) vs Bitcoin (BTC) – Number of coins spent at least once since the chain split compared to the BTG price – million

Source: BitMEX research, Bitcoin blockchain, Bitcoin Gold blockchain, Bitfinex (Price data)


Daily Bitcoin Cash spend for the first time

The average daily spend for the first time on Bitcoin Gold is falling slightly, compared to the initial period after the launch. In the last 10 days the average daily spend for the first time was 44,000, compared to around 110,000 in the first 10 days.


Figure 2 – Bitcoin Gold coins spent for the first time since the split (daily millions) compared to the BTG price

Source: BitMEX research, Bitcoin Gold blockchain, Bitfinex (Price data)


Security Incident

For a 4.5 day period, from 21 November 2017 to 25 November 2017, the official Bitcoin Gold Github repository may have been hacked, and the official website pointed to a malicious wallet. According to an announcement from the Bitcoin Gold team, the malicious wallet allowed the malicious entity to access funds sent to new Bitcoin Gold addresses provided by the wallet, and therefore Bitcoin was not affected, as existing private keys were not compromised. It is not clear exactly what happened, but the Bitcoin Gold team claims that at least 80 BTG were stolen. Given the severity of this incident, the impact could have been far worse, in our view.

This illustrates why it’s important to handle these new fork tokens with caution. In particular, we would strongly advise you not to import your Bitcoin private key into these new fork token wallets, without first spending the Bitcoin to a new output with a different private key associated with it, after the token snapshot point, so that your Bitcoin is not at risk.


Public Companies With Exposure To The Crypto Space

Abstract: The price of crypto related assets like Bitcoin has skyrocketed in recent months and many speculative investors understandably appear to want upside exposure to the space, however the risk of a downwards correction is high, in our view.  In this piece we look at a potentially lower risk method of obtaining some upside, by presenting a selection of listed equities which have some exposure, but also businesses in other areas.



The price of Bitcoin is up over 1,600% YTD, while many alternative coins such as Ethereum and Litecoin have appreciated in value to an even greater extent.  Therefore, in our view, there is significant downside price risk.  For example, perhaps there could be another four year cycle of weak prices, driven by the Bitcoin halving schedule.  Existing investors in the space may wish to take some profits but still retain some upside exposure and potential new investors into the space, may wish to obtain some upside exposure, while mitigating some of the downside risks.

For your consideration, we present a list of public companies, with some business segments driven by crypto-related areas, which may benefit from further crypto price appreciation, but which also have other businesses which could mitigate the downside risks.  Before investing in any of the names discussed, you should obviously do more research on your own: the information below is intended as an initial introduction to the companies.


List of public companies with potential exposure to crypto

| Stock | Website | Comment |
|---|---|---|
| TSMC | http://www.tsmc.com | Potentially a solid investment opportunity, with a strong high margin business and good crypto upside linked to the core business |
| Alchip | http://www.alchip.com | More work may be required to determine the significance of the crypto-related business |
| GMO Financial Holdings | https://www.gmofh.com | Could be an interesting investment, although the crypto exchange is new and therefore currently small in scale |
| Global Unichip | http://www.globalunichip.com | Strong ASIC design business, however the stock is expensive |
| GMO Internet | https://www.gmo.jp | Possible lack of focus on one crypto area |
| Overstock | https://www.overstock.com | Possible lack of focus on one crypto area |
| Square | https://squareup.com | Not clear if this business model has strong earnings power |
| IG Group | https://www.ig.com | Crypto trading may just cannibalize the existing clients |
| PLUS 500 | https://www.plus500.com | Crypto trading may just cannibalize the existing clients |
| Digital Garage | http://www.garage.co.jp | The link to crypto is weak |
| Premium Water Holdings | http://premiumwater-hd.co.jp | The link to crypto is weak and it's not clear how shareholders may benefit from an ICO |
| CME Group | http://www.cmegroup.com | Crypto business may not be significant |
| CBOE | http://www.cboe.com | Crypto business may not be significant |
| SBI Holdings | http://www.sbigroup.co.jp | A link to the “fake Satoshi” may be worrisome |


A slightly more detailed look into the companies



TSMC

Investment idea

  • Investing in TSMC is likely to be a good way of obtaining some moderate upside exposure to crypto, while significantly mitigating or eliminating the downside risk, in our view.



  • This Taiwanese company is the world’s largest semiconductor foundry. TSMC is a pure play, focusing entirely on integrated circuit fabrication.
  • According to the most recent quarterly earnings call, the crypto mining related business is $375 million per quarter, which represents 5.1% of group sales. However, with crypto prices continuing to appreciate, it is likely that this business segment is growing very fast.


Investment case

  • TSMC has extremely high profit margins, with an EBITDA margin of c66% expected in 2017. In our view the company is likely to be able to achieve similar margins in the crypto business.
  • With current crypto prices, miners and ASIC designers are likely to be trying to place very large orders with TSMC, which could mean significant sales growth next year. If crypto prices increase significantly, orders in 2018 could be very strong. Therefore, if one is convinced 2018 is going to be a big year for crypto, TSMC could be a relatively less risky way of obtaining such exposure.
  • Crypto mining is a challenging and competitive business, therefore much of the profit could end up at the company supplying the key equipment. TSMC is well-positioned to benefit regardless of which mining company becomes dominant. As Mark Twain once said:


During the gold rush it's a good time to be in the pick and shovel business


  • TSMC also pays a healthy dividend, yielding c3.1%. The company has never cut its dividend and therefore this should support the share price if the market weakens.
  • TSMC is very focused on the core business, as a semiconductor foundry, and will not be distracted by investing in other blockchain related areas like ICOs or Ripple.  In our view, companies with focus tend to perform better over the long term.


Investment risks

  • TSMC are believed to currently have only one crypto mining client, Bitmain, therefore there is significant customer concentration risk.
  • The company has high exposure to Apple (AAPL US) and the iPhone.


Valuation Metrics

Source: Bloomberg, BitMEX Research



Alchip

Investment conclusion

  • Alchip may merit further investigation, to establish the significance of the crypto business.



  • Alchip is a Taiwanese ASIC design and manufacturing company, of smaller scale than GUC (mentioned below).
  • We do not know how significant crypto mining is for this company. However, in a recent company presentation a page explained some of the Bitcoin mining related products, and in 2015 the company completed the first mining 16nm tape-out for the now defunct KNC miner.


Investment case

  • This name is less well known and therefore the upside from strong crypto growth in 2018 could be significant.


Investment risks

  • The scale of the Bitcoin business is not known.
  • The earnings track record is unreliable, with the company making losses in 2016.
  • The order outlook is said to have poor visibility relative to some other companies.
  • The stock is up 171% YTD, indicating the crypto exposure may already be reflected in the valuation.


Valuation Metrics

Source: Bloomberg, BitMEX Research


GMO Financial Holdings

Investment conclusion

  • GMO Coin may become a successful crypto exchange in Japan due to the company’s existing infrastructure and expertise.  Therefore GMO Financial could represent an interesting investment opportunity.



  • GMO Financial are a listed subsidiary of GMO Internet, with GMO Internet owning 80.8% of GMO Financial. Therefore the shares are not very liquid.
  • This business includes a retail FX platform, as well as the new GMO Coin exchange, which is 58% owned by GMO Financial.
  • The crypto mining business and ICO will not occur within this subsidiary, but will occur at group level inside GMO Internet.


Investment case

  • GMO Financial offers more direct exposure to the crypto exchange business than the parent.  The exchange business is reasonably new and therefore has considerable growth potential.
  • The FX trading platform business is the largest retail platform in Japan, therefore GMO Financial may already have the infrastructure and expertise to build a successful crypto exchange.
  • The exchange plans to offer a leveraged product shortly.


Investment risks

  • We have not been able to identify any trading volume data at GMO Coin, therefore the market share is likely to be low.  However, a recent company presentation indicates that growth is strong.
  • The company does publish monthly volume data for the non GMO Coin exchange businesses.


Valuation Metrics

Source: Bloomberg, BitMEX Research


Global Unichip

Investment conclusion

  • Valuation ratios appear reasonably expensive and the stock price may already reflect the benefits of crypto.



  • Global Unichip (GUC) is a Taiwanese fabless ASIC design company. TSMC holds c34% of the shares in GUC and the chairman of GUC also has a role at TSMC China.  However, TSMC’s technology library is open to other competing fabless companies.
  • Crypto mining related sales are believed to account for around 20% of GUC sales, in 2017, and this is likely to grow significantly in 2018, in our view.


Investment case

  • At 20%, the crypto business is a significant part of sales, and the mining business could become more competitive in 2018, therefore ASIC design could be key. Therefore if crypto prices increase in 2018, GUC is likely to perform very well.


Investment risks

  • The stock price is already following crypto markets, to some extent, with the shares up c304% in USD this year. Therefore, in our view, there is significant downside risk if crypto markets collapse, but this is still less risky than actually holding crypto tokens.
  • The stock is expensive on a forward EV/EBITDA of 34.7x.
  • GUC is also reliant on machine learning/AI related areas for growth, as well as crypto.


Valuation Metrics

Source: Bloomberg, BitMEX Research


GMO Internet

Investment conclusion

  • GMO Internet appears to lack focus in their crypto endeavors, therefore GMO Financial may represent a better investment opportunity.



  • GMO Internet is a group of Japanese internet infrastructure and digital payment related companies.  The main business lines of the company are online credit card transaction processing, domain name related service and SSL certificates.
  • In October 2017 the company announced the launch of a Bitcoin mining business and potentially a related ICO.
  • The company also has a subsidiary called GMO Coin, a crypto exchange.


Investment case

  • GMO offers broad exposure to different areas in crypto, ICOs, mining and the operation of exchanges.
  • The core business of SSL certificates is enjoying strong growth, with sales up c90% in 2017.


Investment risks

  • The company is entering what are already competitive fields and GMO appear to lack focus, by trying many different areas at the same time.  Therefore they may not succeed in all the areas.
  • GMO plans to launch a 7nm mining chip next year, which may be ambitious, especially when Bitmain is likely to be a strong competitor and it’s not clear who GMO’s mining chip manufacturing partners are.
  • The effective ownership of the exchange business (GMO Coin) is low, at only 46%.


Valuation Metrics

Source: Bloomberg, BitMEX Research



Overstock

Investment conclusion

  • The company may lack focus in the crypto space and the stock may already be rallying as a result of the crypto exposure.



  • Overstock is an American e-commerce company, focusing on furniture and bedding.
  • For several years, the CEO and founder of the company, Mr. Patrick Byrne, has been an enthusiastic supporter of Bitcoin. This may originate from the CEO’s anti-Wall Street stance, after several prominent investment banks and hedge funds were accused of targeting Overstock with a naked short selling campaign in 2005. Mr. Byrne was eventually mostly vindicated after winning a payout in a settlement related to the issue.
  • Overstock first accepted Bitcoin payments in 2014 and became involved in several projects, including the Counterparty platform in 2014 and then the t0 system, which first launched Overstock stock as an instrument on the platform in 2016 and is currently building a distributed ledger system.


Investment case

  • Overstock offers broad exposure to the space.


Investment risks

  • Like many of the companies mentioned above, Overstock seems to lack focus and is experimenting with various crypto related ideas.
  • The shares are up 214% YTD, partly as a result of the crypto theme.


Valuation Metrics

Source: Bloomberg, BitMEX Research




Square

Investment conclusion

  • The crypto story may already be well understood by the investment community and there may be considerable downside risk due to the valuation rating.



  • Square is a US-based digital payment solutions company.
  • Square recently announced the launch of a new product to enable users to buy and sell Bitcoin on a mobile application.


Investment case

  • The new Bitcoin application has received positive feedback since the launch, as it is regarded as easy to use.


Investment risks

  • The stock is very expensive based on traditional valuation metrics.
  • The Bitcoin application does not offer users the ability to send payments on the Bitcoin network itself.
  • It is not clear if the buy/sell Bitcoin inside a mobile application business model is profitable.


Valuation Metrics

Source: Bloomberg, BitMEX Research


IG Group

Investment conclusion

  • A strong crypto business may cannibalize earnings from other areas, therefore the crypto related upside may be limited.



  • IG Group is a UK based CFD and spread betting platform company.
  • Due to the high volatility, crypto-related trading products are offered and are likely to be contributing to earnings, as the volatility of other products is lower.


Investment case

  • IG is one of the largest and strongest CFD companies in the retail space.


Investment risks

  • One of the big challenges for the company is the regulatory environment in the UK and Europe.   The retail leveraged trading industry is under close scrutiny by regulators.
  • While the crypto business may perform well, it's not clear if this will result in new clients or whether IG’s existing clients will merely enjoy trading and will switch to whichever product offers volatility.


Valuation Metrics

Source: Bloomberg, BitMEX Research


PLUS 500

Investment conclusion

  • As for IG, stronger crypto sales may cannibalize earnings from other areas.



  • Plus 500 is a UK-based online retail trading platform.


Investment case

  • Plus 500’s technology platform enables it to roll out new instruments faster than many of its peers, ensuring it may be able to capitalize on new trends faster in the volatile crypto space.
  • Plus 500 trades at a discount to IG, due to IG’s stronger reputation and longer track record.  However, customer retention at Plus 500 is improving and there is increased focus on loyal higher value customers, rather than speculative clients who may lose all their money and leave.


Investment risks

  • Regulation and possible stricter rules related to CFDs are a major risk, just like for IG.


Valuation Metrics

Source: Bloomberg, BitMEX Research


Digital Garage

Investment conclusion

  • One could consider a pair trade, long Digital Garage & short Kakaku.com, although the link to a real crypto business seems insignificant and unlikely.



  • Digital Garage is a Japanese technology investment fund, with the primary asset being a price comparison website Kakaku (2371 JP).
  • Digital Garage also has an investment in the blockchain infrastructure company Blockstream.
  • In theory one could go long Digital Garage and short Kakaku to increase exposure to Blockstream.


Investment case

  • Blockstream has rolled out a satellite product, broadcasting Bitcoin blocks all over the world.


Investment risks

  • Blockstream’s business model appears unclear.  The company seems focused on technology and infrastructure rather than commercialization and therefore it may not be able to generate earnings.
  • The link to Blockstream is very limited.


Valuation Metrics

Source: Bloomberg, BitMEX Research


Premium Water Holdings

Investment conclusion

  • The link to the crypto space may be too weak.



  • Premium Water is a high growth mineral water delivery company in Japan, delivering water to the home and office market.
  • According to page 10 of the COMSA Whitepaper, the company will conduct an ICO, perhaps to raise funds to invest in business expansion. COMSA is a Japanese centralized ICO solutions company which recently conducted a token sale itself.


Investment case

  • It is possible that the company could raise a significant amount of funds in an ICO and there is a chance existing shareholders may benefit from this in some way.


Investment risks

  • It is not clear how existing shareholders will directly benefit from the ICO, if at all.


Valuation Metrics

Source: Bloomberg, BitMEX Research


CME Group

Investment conclusion

  • Crypto not likely to be a significant earnings driver.



  • CME Group operates an institutional derivatives exchange, dealing with futures contracts and options.  The instruments are related to interest rates, stock indexes, FX and commodities.
  • The company recently announced the launch of Bitcoin futures contracts.


Investment case

  • Financial speculation appears to be one of the main activities Bitcoin is used for and the launch of a Bitcoin product could therefore lead to significant volume growth for the CME.


Investment risks

  • The Bitcoin product is new and it is not clear whether there will be significant demand, in relation to the CME’s other products.
  • On a forward EV/EBITDA of 21.0x, the stock is already reasonably expensive.


Valuation Metrics

Source: Bloomberg, BitMEX Research



CBOE

Investment conclusion

  • Crypto not likely to be a significant earnings driver.



  • CBOE operates an institutional financial options trading platform.  The main instruments are related to FX and stock indexes.
  • The company recently announced the launch of Bitcoin futures contracts.


Investment case

  • As for the CME, financial speculation appears to be one of the main activities Bitcoin is used for and the launch of a Bitcoin product could therefore lead to significant volume growth for CBOE.


Investment risks

  • The Bitcoin product is new and it is not clear whether there will be significant demand, in relation to CBOE’s other products.
  • On a forward EV/EBITDA of 24.4x, the stock is already reasonably expensive.


Valuation Metrics

Source: Bloomberg, BitMEX Research


SBI Holdings

Investment conclusion

  • A partnership with the “fake Satoshi” is a significant concern, therefore we do not recommend investing in SBI.



  • SBI Holdings is a Japanese financial company, with the main business being the domestic online stock trading platform. SBI can be considered a peer to GMO.
  • SBI Holdings appears enthusiastic about the crypto space. The company has a crypto fund, with investments in Ripple, R3, Orb, Coinplug, Wirex, Veem and bitFlyer.
  • SBI plans to make further investments, including into Bitcoin mining. SBI also has a blockchain consulting business, including advising on ICOs.


Investment case

  • SBI Holdings offers broad exposure to many areas in the space.


Investment risks

  • SBI recently announced a strategic partnership with nChain, the company run by Mr. Craig Wright, also known inside the Bitcoin community as the “Fake Satoshi”. This may indicate that SBI has limited knowledge about the crypto space or that the company may be wasting shareholder funds, by partnering with Mr Wright.
  • SBI also appears to lack focus in its blockchain strategy.


Valuation Metrics

Source: Bloomberg, BitMEX Research


Other listed crypto related names

| Ticker | Name | Market Cap (US$ m) | 2017 YTD Return (US$) | Description | Blockchain pure play |
|---|---|---|---|---|---|
| 4751 JP | Cyberagent | 4,814 | 50.0% | Operates a media website, Ameba and provides an advertising agency, foreign exchange trading website and PC and mobile content. Potentially preparing for its own cryptocurrency exchange | No |
| 3774 JP | Internet Initiative Japan | 841 | 16.2% | Provides Internet connection services for businesses. Preparing Bitcoin services | No |
| 6172 JP | Metaps | 365 | (24.6%) | Develops advertising applications platforms for smart phones. Potentially preparing for its own cryptocurrency exchange | No |
| 3825 JP | Remixpoint | 322 | 359.9% | An electricity retail business, energy saving consulting and used car sales business. BITPoint Exchange business | No |
| 2315 JP | Caica | 231 | (7.7%) | Provides information systems solution services for financial & telecommunication industries. Issues a cryptocurrency “Caica” | No |
| 3696 JP | Ceres | 216 | 34.8% | Provides internet marketing services. Operates Coin Tip service | No |
| 3853 JP | Infoteria | 177 | 47.6% | Provides software development based on XML. Issues a cryptocurrency “Zen” | No |
| 8732 JP | Money Partners | 133 | (18.0%) | Provides foreign exchange transactions. Alliance with the Kraken exchange | No |
| 3807 JP | Fisco | 125 | 22.4% | Provides financial information. Exchange and deal with Monacoin | No |
| 8704 JP | Traders Holdings | 120 | (8.7%) | Provides financial services through Internet and call centers. Quoinex Exchange business | No |
| 3121 JP | MBK | 102 | 36.7% | Provides loans and investments services for firms and real estates in Japan and China. Invested in BTCBOX exchange | No |
| 3808 JP | Okwave | 43 | 36.6% | Q&A community web site OKWave. Potentially preparing for its own cryptocurrency exchange | No |
| 2377 TT | Micro Star | 2,058 | 5.6% | Manufactures and markets motherboards and video graphic accelerate (VGA) cards | No |
| 2376 TT | Gigabyte Tech | 1,102 | 28.8% | Manufactures and markets computer motherboards | No |
| 3515 TT | AsRock | 296 | 100.6% | Develops, designs and retails motherboards | No |
| 2399 TT | BioStar Micro | 84 | 70.5% | Manufactures and markets computer motherboards and interface cards | No |
| 6150 TT | TUL Corp | 68 | 312.3% | Develops, manufactures, and markets video graphic accelerate (VGA) cards, multimedia products and interface cards | No |
| United States | | | | | |
| NVDA US | NVIDIA | 116,085 | 80.2% | Designs, develops, and markets graphics processors and related software | No |
| AMD US | AMD | 9,928 | (9.3%) | Manufactures semiconductor products | No |
| GBTC US | Bitcoin Investment Trust | 5,139 | 2,383.0% | Trust invested exclusively in bitcoin | Yes |
| RIOT US | Riot Blockchain | 275 | 732.7% | Buys cryptocurrency and blockchain businesses, as well as supporting blockchain technology companies | Yes |
| SSC US | Seven Stars Cloud Group | 262 | 241.5% | Provides artificial-intelligent, blockchain and fintech-powered, digital finance solutions | No |
| MGTI US | MGT Capital | 204 | 475.3% | Operates a portfolio of cyber security technologies | Yes |
| DPW US | Digital Power | 103 | 686.4% | Designs, develops, manufactures and markets switching power supplies for sale to manufacturers of computers and other electronic equipment | No |
| HIVE CN | Hive Blockchain | 636 | n/a | Operates as a cryptocurrency mining firm | Yes |
| BTL CN | BTL Group | 197 | 991.7% | Develops blockchain technologies | Yes |
| CODE CN | 360 Blockchain | 33 | 600.0% | Invests in blockchain based technology | Yes |
| DCC AU | Digitalx | 106 | 495.7% | ICO advisory and blockchain consulting services | Yes |

Source: Bloomberg, BitMEX Research


Disclaimer:  This piece does not constitute investment advice.  You should do your own research before deciding to make any investments.

Bitcoin Cash (BCH): Investment flow data (update)

Abstract: In early September 2017, we published a piece on Bitcoin Cash (also known as BCash) and how one can analyse transaction data on the two blockchains involved in the split, to try to draw conclusions about the potential investment flows between the two chains. In this piece we update the analysis, with another three months' worth of data.


Total coins spent

Bitcoin had an initial lead with respect to total coins spent at least once since the fork, when compared with Bitcoin Cash.  However, Bitcoin Cash caught up in early September.  Since then both coins have been approximately neck and neck.  As at 29th November 2017, 6.5 million and 6.3 million Bitcoin and Bitcoin Cash coins have been spent at least once since the fork, respectively.


Figure 1 – Bitcoin Cash (BCH) vs Bitcoin (BTC) – Number of coins spent at least once since the chain split

Source: BitMEX research, Bitcoin blockchain, Bitcoin Cash blockchain, Bittrex (Price data)


Daily Bitcoin Cash Spend for the first time

Although there have been several spikes, normally after a rally in the Bitcoin Cash price, the number of Bitcoin Cash coins spent each day (for the first time since the fork) continues its decline.  In the last five days, the average daily first time spend has been just c19,000 per day, compared to lows of around 50,000 in August.


Figure 2 – Bitcoin Cash coins spent for the first time since the split (daily)

Source: BitMEX research, Bitcoin Cash blockchain, Bittrex (Price data)


Transaction Volume

With respect to transaction volume, a more normal metric than our somewhat convoluted first time spend since the fork metric, there is not much change in the relative transaction volumes of the two chains. The total cumulative Bitcoin Cash transaction volume since the fork is 5.5% of Bitcoin's. This figure is increasing slightly, however, averaging 6.0% in the last 10 days, compared to the overall total figure of 5.5%.


Figure 3 – Daily transaction volume (Number of transactions)

Source: BitMEX research, Bitcoin blockchain, Bitcoin Cash blockchain, Bittrex (Price data)


Proportion of Bitcoin Cash coins spent

In the first four months of Bitcoin Cash, 38.5% of all coins that existed at the time of the fork have been spent at least once on the Bitcoin Cash chain. In our view, this is a remarkably high figure, considering many millions of coins are likely to have been lost forever years ago.


Figure 4 – Bitcoin Cash (BCH) – Proportion of spent vs unspent coins since the chain split

Source: BitMEX research, Bitcoin Cash blockchain



In our view, the above data shows that after just four months, there may have been considerable investment flows between the two coins.  Therefore, many supporters of each coin may have already made their respective investment/divestment decisions, and the future of each coin may now be determined more on merit or utility, rather than the opinion of the holders at the time of the fork.

We would like to remind readers that there are many weaknesses with respect to this analysis, the main one being that a spend on the Bitcoin Cash chain does not necessarily relate to a divestment.


Bitcoin’s Unique Value Proposition

Abstract: In this piece we examine the question of “What is Bitcoin for?”  We conclude that neither low cost payments, censorship resistance nor digital payments, are particularly compelling on their own. However, when combining both censorship resistant money, with the ability to use money electronically, we have a potentially interesting and somewhat unique set of characteristics.



There has been a significant amount of debate and discussion in the Bitcoin ecosystem, about what Bitcoin is for.  Should Bitcoin be a form of “digital gold”, where a robust rule-set and a resilient network are the priority, or should Bitcoin primarily be considered as a payment system, where low transaction fees are the focus?

Of course most people would like Bitcoin to excel in both of these areas and in the long term,  Bitcoin may be able to do so.  However, the blocksize debate opened up a schism in the community, about which area should be the priority, in the short to medium run.

In this piece we look at three key characteristics of money and payment systems:

  1. Low transaction fees,
  2. Censorship resistance, and
  3. The ability to transact electronically.

We then look at various choices one could make when deciding which type of money to use and the set of characteristics that each choice provides.  We look at where Bitcoin should position itself, such that it may be able to provide a unique option.


1. Low transaction fees

Low transaction fees and usability have clearly been a key selling point of Bitcoin to many people.  Bitcoin has had lower transaction fees than many online international banking transfer systems and Western Union for example. A simple user experience is key to adoption, and there is a fear that if user adoption is too slow, Bitcoin may lose out to alternative payments solutions, either traditional centralized type systems or alternative distributed proof of work based tokens such as Ethereum.

However, although Bitcoin is cheaper and perhaps easier to use than some centralized alternatives, in many cases centralized alternatives are faster and cheaper than Bitcoin. For example, in many Western European countries, retail domestic interbank transfers are both free and instant. In China, Alibaba (BABA US) and Tencent (700 HK) are offering fast, simple and cheap payment solutions. Tencent is said to be able to handle 200,000 transactions per second, far in excess of what Bitcoin can achieve. Some may see these offerings as a risk for Bitcoin, while others see this as a battle Bitcoin was always going to lose anyway. Currently, fast and free payments are not available to everyone in the world, and therefore Bitcoin can fill a useful niche. However, if instant and free payments can eventually be provided by traditional payment solution providers, is it really sustainable to build Bitcoin based on the assumption that they won’t ever provide such an offering?


A shop window displaying various electronic payment options, including Alipay, WeChat Pay and Apple Pay


2. Permissionless & censorship resistant money

Other members of the Bitcoin community prioritize other features, ahead of low fees.  This is often characterized as “censorship resistance”, but may actually refer to a range of related properties.  The main aspects of these features are the following:

  • The ability to use the system without seeking permission,
  • The inability of the government or the authorities to block payments,
  • The inability of the authorities to reverse payments, and,
  • Resistance against the entire system being shut down.

However, just like the low transaction fee use case mentioned above, these characteristics are also not unique. Physical cash (notes and coins) also has these features, again making Bitcoin seemingly useless. Physical cash not only has these features, it has them to a far greater extent than Bitcoin. Cash also has additional features which Bitcoin cannot offer, such as the ability to use cash when communication networks are unavailable or without a device such as a smartphone.

It should be mentioned that Bitcoin may have one interesting feature here that physical cash does not have, the censorship resistance of the rules of the monetary system as a whole.  In Bitcoin, end users may have the ability to enforce all the rules of the system, which cannot be said for physical cash.  This ensures some interesting properties such as the 21 million supply cap or preventing other inflationary type policies, not available as an option for physical cash.  In this respect Bitcoin can be said to be most like “digital gold”, in regards to its monetary characteristics.


The use cases of censorship resistant money

These censorship resistant type features are sometimes associated with illegal activity, the so-called black market or grey market, although there are of course many legitimate use cases for this feature, for example a lack of trust with respect to your partner in the transaction or the high costs associated with enforcing payments, due to dealing in multiple jurisdictions.

Black market areas could include things like tax evasion, money laundering, illegal drug dealing, sex related services, the sale of illegal weapons, bribery and organized crime. Grey market areas could be considered as legal goods and services, sold in an unauthorized way. Grey market type transactions could be said to include:


  • Remittance to or from a country imposing some form of capital controls,
  • An individual subject to political oppression restricting the use of their funds,
  • Purchasing products or services from a lower price or alternative region without the consent of the regulator, manufacturer or service provider, for example pharmaceuticals, consumer electronics or media subscription services,
  • Donations to a politically sensitive cause,
  • The sale of cars without proper registration,
  • The unauthorized sale of copyrighted material such as textbooks,
  • Computer software or digital content sold without the correct license,
  • Unauthorized transactions in stocks and shares in the OTC market,
  • Participation in online gambling or poker without meeting regulatory requirements,
  • Sporting event tickets sold in violation of the terms printed on the ticket,
  • The sale of airline loyalty points in the secondary market,
  • A young teenager using online e-commerce systems or in store mobile payment technologies, without being old enough to have the necessary banking relationships,
  • A female using online e-commerce systems, in a cultural environment where it's socially unacceptable for females to have banking relationships,
  • Payments for basic services such as babysitting, without registration for sales tax or employment,
  • Payments to a babysitter who has inappropriate immigration status, or,
  • Payments from intelligence services to informants.


These examples may make this use case somewhat controversial and many may think there could be limited upside due to a lack of demand for these goods and services. However, in our view there is significant demand for this type of use case, indeed some people estimate these types of activities account for the majority of global economic activity, depending on how it's measured.

Additionally, as we explained above, Bitcoin offers nothing new here, physical cash already has the features which make it ideal for these scenarios and actually has superior qualities to Bitcoin in relation to censorship resistance.  One key cultural difference is that physical cash is already deeply embedded in society, while Bitcoin is relatively new, making it potentially more controversial.

HSBC UK credit card eligibility criteria – requiring users to be over 18 years old

Note: Credit card systems are typically used as the base layer for mobile payment technologies, which are therefore often inaccessible to those under 18 years of age, unlike cash which is permissionless.


3. Electronic payments

In our view, as we enter the digital age, one characteristic of money trumps all others: the ability to use money electronically, such that it can be used over the internet or on a mobile device. The internet and electronic communication systems are becoming increasingly integral parts of our culture, and therefore the ability to use money electronically is an incredibly powerful feature that is becoming increasingly important.

However, Bitcoin certainly does not provide anything new in this area either. With traditional currencies like the US dollar, internet-based payment systems controlled through computer interfaces have been around for years. Recently, the options available in this area have been improving rapidly, with mobile payment systems gaining significant traction.


Evaluating the combinations of these three characteristics

After reading the above, one may conclude that Bitcoin has no unique characteristics whatsoever. This is true to some extent; however, the key value proposition of Bitcoin is a unique combination of the above characteristics, namely having both censorship resistance and an electronic transaction system. This subtlety can make the value proposition of Bitcoin difficult to understand, resulting in significant scepticism when one first comes across the subject.

The table below aims to illustrate the three key features discussed in this note. Two alternative strategies for Bitcoin are outlined, one prioritizing low transaction fees and the other prioritizing censorship resistance. The analysis is an oversimplification, assuming a binary choice between one or the other when the reality is far more nuanced; however, it still illustrates a point.

When choosing to prioritize low fees, the boxes ticked in the below table are identical to those ticked for traditional electronic payment systems, which can already provide both low fees and electronic payments.  However, by focusing on censorship resistance, a unique set of boxes is ticked, ensuring Bitcoin provides a unique set of features that cannot be offered by any of the competing systems.  No other monetary or payment system is able to offer both censorship resistance and electronic payments.  Therefore, in our view, however vital low transaction fees are, if we are faced with a decision, the smart choice may be to prioritize the strategy that provides the most unique combination of characteristics.  This could mean choosing censorship resistance, rather than focusing on what appears to be the most immediately useful requirement.


| | Ability to offer low transaction fees | Ability to offer censorship resistant type features | Ability to transact electronically |
|---|---|---|---|
| Physical cash | | | |
| Bank deposit/traditional electronic payment systems | | | |
| Bitcoin (Priority: Low fees) | | | |
| Bitcoin (Priority: Censorship resistance) | | | |


Of course Bitcoin still needs to balance the need for both low fees and censorship resistance, and hopefully can achieve both, perhaps with new technology. Therefore, in the medium or longer term, perhaps all three boxes in the above table can be ticked.



We conclude that the “point” of Bitcoin is to provide characteristics traditionally only available when using physical cash, but in an electronic form, suitable for the digital age: an “electronic cash system”. Therefore it is a false dichotomy to believe we are facing a choice between “digital gold” and a cash type system. Bitcoin can be considered as a hybrid option, between digital gold, physical cash and traditional electronic payment systems.


Revisiting The DAO

Abstract: In this piece we revisit “The DAO” and the events following its failure.  We analyse what happened to the various buckets of funds inside The DAO, on both sides of the chainsplit which it caused.  We identify US$140 million of unclaimed funds still inside what is left of The DAO.


Key points

  • The DAO hacker appears to control tokens worth approximately US$60 million.
  • There are currently around US$140 million of unclaimed funds still inside The DAO withdrawal contracts.
  • In June 2017, the US Dollar value of funds unclaimed inside The DAO was higher than the value of the amount initially raised in May 2016.
  • A deadline is approaching, 10 January 2018, after which some of the funds, around US$26 million, may no longer be available to be claimed.


The DAO marketing material from May 2016

Source: DaoHub




In the early summer of 2016, one project generated a substantial amount of excitement and buzz in the crypto space: “The DAO”. DAO stands for Decentralized Autonomous Organization, and to the confusion of many, “The DAO” consumed that entire moniker for itself. The DAO was to be an autonomous investment fund, investing in projects determined by the token holders. The fund was to be governed by a “code is law” philosophy, as opposed to the centralized top-down control mechanisms in traditional investment funds, where key individuals matter.

Many believed this novel approach would lead to superior investment returns.  Although it is a unique and potentially interesting approach, in our view, expecting strong investment returns at this point may be somewhat naive.

The fund raised Ethereum tokens worth approximately US$150 million at the time, around 14% of all the ether in existence, with investors presumably expecting spectacular returns.  The downside risk was expected to be minimal or zero, since one was supposed to be able to withdraw one’s Ethereum from The DAO, whenever one wished. In reality, doing so was a complex and error-prone process.



Problems with The DAO

As it turns out, The DAO was fundamentally flawed on several levels, as many in the Ethereum Foundation pointed out before the exploit was discovered.  For instance:


  • Economic Incentives – The incentive model of the project was poorly thought out.  For example there was little incentive to vote “no” on investment proposals, since “no” voters became invested in approved projects. Those that did not vote did not become exposed to the project. Additionally, there was no stated enforcement mechanism for successful projects to contribute profits back into The DAO.
  • Token viability – When projects were created, it would have ended up creating new classes of DAO tokens, such that each class was entitled to different risks and rewards. This would mean the tokens would not be fungible, an issue poorly understood by exchanges and the community.
  • Buggy code – The code did not always implement what was described or intended.  The smart contract code did not appear to be reviewed adequately. The coders did not appear to fully grasp its language, Solidity, nor some of the states the contract could reach.


A few weeks after the conclusion of the token sale, a “hacker” managed to find an exploit in the code, enabling them to potentially access The DAO’s funds, by draining the main pool of funds into a child DAO in which the hacker potentially had significant control. This then led to an Ethereum hardfork, to attempt to prevent the hacker from accessing the funds and to return the funds to the initial investors. Since some in the Ethereum community were unhappy about this, it led to the chain split between ETH and ETC.


In this piece we will:

  • Describe the relationships between the main actors involved in The DAO,
  • Revisit the key events surrounding Ethereum’s DAO hardfork,
  • Explore the movement of ETH and ETC funds inside The DAO, and
  • Speculate on what will happen to the unclaimed funds.



The main groups and individuals related to The DAO


Network map of the main groups and the individuals involved in The DAO

Sources: BitMEX Research, Full sources provided in the table below
Notes: There are other Ethereum foundation members with no association to The DAO, which are excluded from the above mapping.  Blue circles represent individuals; while yellow circles represent organisations.


List of the major parties involved in The DAO

| Name | Description | People involved |
|---|---|---|
| DAOHub.org | A DAO community website promoting The DAO, hosted by DAO.Link | Felix Albert, Auryn Macmillan, Boyan Balinov, Arno Gaboury, Michal Brazewicz, Taylor Van Orden, Des Donnelly, Daniel McClure (Source) |
| Slock.it | Slock.it wrote the code for The DAO and the company was hoping to develop smart locks. Slock.it was expected to be financed by The DAO | Stephan Tual, Lefteris Karapetsas, Griff Green, Christoph Jentzsch, his brother Simon Jentzsch, Gavin Wood and Christian Reitwießner (Source) |
| The “Hacker” | The exploiter of The DAO | Anonymous |
| DAO Token Holders (DTH) | Individuals from the general public who contributed to The DAO crowdsale or purchased DAO tokens on the open market | 22,873 account holders (Source) |
| The DAO Curators | 3rd party “arbitrators” separate from Slock.it to manage disputes or emergency situations arising from The DAO | Taylor Gerring, Viktor Tron, Christian Reitwießner, Gustav Simonsson, Fabian Vogelsteller, Aeron Buchanan, Martin Becze, Vitalik Buterin, Alex Van de Sande, Vlad Zamfir and Gavin Wood (Source). Note: Gavin Wood resigned as a DAO Curator prior to the exploit |
| Bity | A Swiss based cryptocurrency exchange in partnership with Slock.it. The exchange publishes WHG announcements (Source) | Alexis Roussel (Source) |
| DAO.Link | A Swiss registered joint venture company between Slock.it and Bity, which hosts the DAOHub website (the website promoting The DAO, pictured above) | Stephan Tual, Simon Jentzsch, Alexis Roussel (Source) |
| Robin Hood Group (RHG) | The original “white hat” group, which secured the majority of The DAO funds pre-fork | Publicly: Alex Van de Sande, Griff Green, Lefteris Karapetsas. Stephan Tual claims: “individuals from the eth foundation, devs, security experts, ethcore, slock, etc” (Source) |
| Whitehat Group (WHG) | The organisation which took ownership of ETC from the RHG. The WHG has close ties to Bity | Only publicly known members are Jordi Baylina and Griff Green (Source) |
| The Ethereum Foundation | Non profit foundation behind the creation of Ethereum | Many individuals including some of the founders of Ethereum (Source) |



The DAO timeline

In order to fully understand and account for the proper ownership of the funds, we must revisit the provenance of The DAO funds before, during and after the hardfork.


| Date | Event | Movement of Funds |
|---|---|---|
| 30 April 2016 | The DAO crowdsale is launched (Source: Slock.it) | |
| 25 May 2016 | The DAO crowdsale concludes | c11.5 million pre-fork ETH raised |
| 17 June 2016 | The DAO is drained into a Child DAO by the hacker (Source: New York Times) | c3.6 million pre-fork ETH drained to Hacker’s Child DAO |


A “Child DAO” can be “split” from the main DAO as part of The DAO’s governance process, similar to a spin-off company.

The splitting process was exploited by the hacker using a recursive call exploit, which drained more funds from the parent DAO than intended. The owner of a newly formed Child DAO cannot withdraw those funds immediately; they have to wait for a voting period to end before securing those funds and being able to freely transfer them.
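The class of flaw named above, a payout routine that hands control to the recipient before updating its own books, can be modelled in Python next to the checks-effects-interactions fix. This is an added example, not The DAO's Solidity code; the classes, the `solvent()` invariant and the constructed balances (90 and 10) are hypothetical.

```python
class Ledger:
    """Stand-in for chain state: one ether balance per address."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise RuntimeError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class Fund:
    """Pooled fund that records what it owes each depositor."""
    name = "fund"

    def __init__(self, ledger):
        self.ledger = ledger
        self.credit = {}

    def deposit(self, who, amount):
        self.ledger.transfer(who.name, self.name, amount)
        self.credit[who.name] = self.credit.get(who.name, 0) + amount

    def solvent(self):
        """Invariant to monitor: funds held cover everything still owed."""
        return self.ledger.balances.get(self.name, 0) >= sum(self.credit.values())


class VulnerableFund(Fund):
    def withdraw(self, who):
        owed = self.credit.get(who.name, 0)
        if owed == 0 or self.ledger.balances[self.name] < owed:
            return
        self.ledger.transfer(self.name, who.name, owed)
        who.on_receive(self)         # recipient's code runs before the books change
        self.credit[who.name] = 0    # effect applied after the interaction: too late


class HardenedFund(Fund):
    def withdraw(self, who):
        owed = self.credit.get(who.name, 0)
        if owed == 0:                # check
            return
        self.credit[who.name] = 0    # effect
        self.ledger.transfer(self.name, who.name, owed)   # interaction
        who.on_receive(self)


class Holder:
    """Account; with reentries > 0 it behaves like a contract whose receive
    hook calls withdraw() again while the first call is still running."""

    def __init__(self, name, reentries=0):
        self.name, self.reentries = name, reentries

    def on_receive(self, fund):
        if self.reentries > 0:
            self.reentries -= 1
            fund.withdraw(self)


def run(fund_cls, reentries=3):
    """Constructed scenario: 90 deposited by 'honest', 10 by 'reentrant'.
    Returns (reentrant's balance, fund's balance, solvency invariant)."""
    ledger = Ledger({"honest": 90, "reentrant": 10})
    fund = fund_cls(ledger)
    honest, re_holder = Holder("honest"), Holder("reentrant", reentries)
    fund.deposit(honest, 90)
    fund.deposit(re_holder, 10)
    fund.withdraw(re_holder)
    return ledger.balances["reentrant"], ledger.balances["fund"], fund.solvent()
```

With three re-entries the vulnerable fund pays the 10-unit credit four times and ends up holding less than it owes; the hardened fund pays it once because the nested call sees a zero credit.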

This voting period gave the Ethereum community a window of opportunity to attempt to reclaim the funds by attempting to exploit the hacker’s Child DAO using the same vulnerability. This, however, may have resulted in perpetual splitting and a “DAO War”, whereby the funds would be stuck in limbo forever as long as neither the hacker nor RHG gave up. This process could be easily scripted so would not take much effort on either side.

One way to solve this would be the implementation of a softfork to censor the hacker’s transactions, preventing him/her from participating in this war and quickly allowing the funds to be recovered.


| Date | Event | Movement of Funds |
|---|---|---|
| 21 June 2016 | RHG begin “DAO Wars” and are able to recover a majority of the funds (Source: Reddit) | c8.1 million pre-fork ETH drained into the RHG’s Child DAOs using the same vulnerability |
| 24 June 2016 | “DAO Wars” softfork proposed to secure attacker’s c3.6 million pre-fork ETH (Source: Ethereum Foundation) | Would have censored transactions to prevent hacker from accessing their Child DAO |
| 28 June 2016 | Critical flaw in “DAO Wars” softfork discovered and it is abandoned (Source: Hacking Distributed) | |


At this point, the RHG have managed to secure around 70% of the funds by exploiting other Child DAOs, but in order to guarantee the ability to reclaim the remaining c30% (around 3.6 million pre-fork ETH), a hardfork is the only possibility.  Moreover, the softfork proposal was found to have critical security vulnerabilities and was quickly scrapped.


| Date | Event | Movement of Funds |
|---|---|---|
| 20 July 2016 | Hardfork is implemented, effectively undoing the effects of The DAO hack and making DTH whole on the forked ETH chain. Implemented via two withdrawal contracts. (Source: Ethereum Foundation, The Ethereum Wiki) | c11.5 million post-fork ETH returned to DAO withdraw contract and can be claimed by DTH based on their current DAO token balances |
| 20 July 2016 | ETC, the ‘not-forked’ chain continues to be mined | The RHG and The DAO hacker will eventually have access to ETC in Child DAOs |


After the fork, there are two chains in parallel universes. One, ETH, where the hack is undone, and one ETC, where the hack remains. The RHG have still secured around 70% of the ETC, and could have continued the attack on the ETC chain using the aforementioned ‘DAO wars limbo’ strategy, but decide not to. To refund DTH on the ETH chain, a withdrawal contract is used, which DTH must call to claim their ETH.


| Date | Event | Movement of Funds |
|---|---|---|
| 23 July 2016 | ETC is listed on Poloniex, other exchanges follow suit. ETC/USD reaches 1/3 of ETH/USD (Source: Twitter) | |
| 9 Aug 2016 | The RHG hands ownership of the ETC funds to the WHG. The WHG receive funds in their ETC multisig wallet as the ETC Child DAOs mature (Source: Bity) | c8.1 million ETC secured by the WHG |
| 10 Aug 2016 | Unannounced, WHG/Bity use Bity’s “verified money service business” account to attempt to tumble and swap 3 million ETC on 4 exchanges for ETH, BTC and EUR (Source: Bity) | Poloniex freezes 2.3 million ETC, Kraken trades but freezes 1.3 million worth of ETC, Bittrex trades and processes 82k ETC, Yunbi trades and processes 101k ETC |
| 12 Aug 2016 | After the majority of the tumbled ETC is frozen, WHG/Bity announce that they have decided not to sell the ETC for ETH, and instead will distribute ETC to DTH (Source: Reddit) | Bity trade back BTC, ETH and EUR into c1.5 million ETC, bringing their balance back to c8.1 million ETC |


Graphical illustration of the above transactions

Source: Gliffy


| Date | Event | Movement of Funds |
|---|---|---|
| 26 Aug 2016 | Bity announce launch of the “Whitehat Withdrawal Contract” (Source: Bity) | |
| 30 Aug 2016 | Bity announce that the first version of “Whitehat Withdrawal Contract” is published (Source: Bity) | c4.2m ETC transferred from WHG to the withdrawal contract, c0.6 million claimed by DTH. DTH are entitled to receive funds based on their DAO token balance at the time of the hardfork, not the current token balance as is the case for ETH. |
| 30 Aug 2016 | Bity announce that second version of “Whitehat Withdrawal Contract” is published (Source: Bity) | c3.8 million ETC transferred from old contract to new contract |
| 6 Sept 2016 | Bity announce that the remaining ETC (including that which was attempted to be traded on exchanges, and some from matured Child DAOs) is transferred to the Whitehat Withdrawal Contract (Source: Bity) | c4.3 million ETC transferred from WHG exchange accounts and multisig into withdrawal contract. |

During the time these trades were made, the price of ETC dropped in value relative to ETH, BTC and/or EUR, causing the trade back into ETC to yield an additional 700,000 of ETC that was added to the Whitehat Withdrawal Contract.  The exact details of these on-exchange swaps were not made public.


Graphical illustration of the above transactions

Source: Gliffy


| Date | Event | Movement of Funds |
|---|---|---|
| 6 Sept 2016 | DAO Hacker moves the funds from his “Dark Child DAO” (Source: Gas Tracker) | c3.6 million ETC secured by Hacker |
| 6 Sept 2016 | DAO Hacker donates some ETC to the ETC development fund (Source: Gas Tracker) | 1,000 ETC sent to ETC developer fund |
| 25 Oct 2016 to 7 Dec 2016 | DAO Hacker tumbles funds into many different accounts, potentially swapping to different currencies (Source: Gas Tracker) | c0.3 million ETC tumbled by hacker |


At the time of writing the hacker has not touched the vast majority of the drained ETC, and is sitting on a stash of 3,360,332 ETC, worth US$58 million.

One feature of the Whitehat Withdrawal Contract is that a limit is set for the ETC funds to be withdrawn (originally set to 3 months, expiring on 30th January 2017). Due to a large proportion of the funds not being claimed within the 3 months given, this period was extended twice:


| Date | Event | Movement of Funds |
|---|---|---|
| 30 Jan 2017 | Bity announce the extension of the ETC Whitehat Withdrawal contract deadline to 14 April 2017 (Source: Bity) | |
| 14 April 2017 | RHG announce the extension of the ETC Whitehat Withdrawal contract deadline to 10 January 2018 (Source: Reddit) | |
| 10 Jan 2018 | ETC Whitehat Withdrawal contract deadline ? | |


There have been no major events since then to the present day; the vast majority of ETH funds have been withdrawn by DTH, as has the majority of ETC.



The unclaimed funds

As at 19th November 2017, there is approximately US$140 million of unclaimed funds, as the approximate breakdown below illustrates.


DAO related funds on the ETH side of the fork

| Bucket | ETH | Unclaimed US$ million | Percent |
|---|---|---|---|
| Claimed balances | | | |
| ETH Withdrawn by DTH | 11,286,046 | | 97.3% |
| Unclaimed balances | | | |
| Unclaimed ETH in DAO Withdraw (Source) | 235,414 | 86.6 | 2.0% |
| Unclaimed ETH in DAO ExtraBalance (Source) | 76,204 | 28.0 | 0.7% |
| Unclaimed total | 311,618 | 114.7 | 2.7% |
| Claimed & unclaimed | | | |
| Total funds | 11,597,664 | | 100.0% |

Source: BitMEX Research, Ethereum blockchain
Note: USD/ETH price of $368 used


DAO related funds on the ETC side of the fork

| Bucket | ETC | US$ million | Percent |
|---|---|---|---|
| Hacker funds | | | |
| ETC retained by Hacker | 3,642,408 | 66.6 | 30.1% |
| WHG Funds | | | |
| ETC Withdrawn by DTH (including donations) | 7,035,319 | | 58.2% |
| Unclaimed ETC (Source) | 1,405,072 | 25.8 | 11.6% |
| WHG Total | 8,440,391 | | 100.0% |
| Hacker & WHG funds | | | |
| Total funds | 12,082,799 | | |

Source: BitMEX Research, Ethereum Classic blockchain
Note: USD/ETC price of $18.30 used


DAO related funds on the ETC side of the fork

Source: BitMEX Research, Ethereum Classic blockchain


Unclaimed DAO balances over time – ETH & ETC

Source: BitMEX Research, Github


Unclaimed DAO balances over time – USD

Source: BitMEX Research, Coinmarketcap, Github


As the chart above illustrates, at the Ethereum price peak in July 2017, the US Dollar value of unclaimed Ethereum inside DAO withdrawal contracts was even higher than the US$150 million initially raised.



Withdrawal Contract “Gotchas”

Whilst the notion of a withdrawal contract sounds binding, all of the unclaimed funds are still in the control of the owners of those contracts.


Safety Hatches

All three withdrawal contracts have ‘safety hatch’ mechanisms, meaning the ‘owners’ of these contracts have the ability to withdraw all of the funds at any time.



Whilst The DAO Curators have not indicated this is planned, it may be tempting to appropriate these funds if it is deemed that no more withdrawals will take place. The WHG, in contrast, have designed their contract specifically to ensure this happens.


Whitehat Deadline

The Whitehat Withdrawal contract also has a timeout system for when DTH are able to withdraw their funds. This deadline will expire on January 10th 2018 (although it has been extended twice before), so attempts to withdraw after this deadline may be denied.
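The three properties covered here and in the timeline (an owner-only safety hatch, a claim deadline the owner can extend, and entitlement by fork-time snapshot on ETC versus current token balance on ETH) can be modelled in Python to show what an unclaimed holder is relying on. This is an added example, not the code of any of the actual withdrawal contracts; the class, the holders alice, bob and carol, their balances and the one-unit-per-token payout are assumptions.

```python
from datetime import date


class ClaimDenied(Exception):
    """The contract refused to pay a claim."""


class WithdrawalContract:
    """Refund pool with an owner, an optional deadline and a safety hatch."""

    def __init__(self, owner, pool, token_balances, snapshot, deadline=None):
        self.owner = owner
        self.pool = pool                  # unclaimed funds held by the contract
        # snapshot=True freezes entitlements at creation (the ETC rule);
        # snapshot=False reads the live token ledger at claim time (the ETH rule).
        self.basis = dict(token_balances) if snapshot else token_balances
        self.deadline = deadline          # None: claims never expire

    def claim(self, holder, today):
        if self.deadline is not None and today > self.deadline:
            raise ClaimDenied("deadline passed")
        tokens = self.basis.get(holder, 0)
        if tokens == 0:
            raise ClaimDenied("no entitlement")
        if self.pool < tokens:            # model assumption: 1 unit paid per token
            raise ClaimDenied("pool cannot cover claim")
        del self.basis[holder]            # consume the entitlement: no double claim
        self.pool -= tokens
        return tokens

    def extend_deadline(self, caller, new_deadline):
        self._only_owner(caller)
        self.deadline = new_deadline

    def safety_hatch(self, caller):
        """Owner-only sweep of everything still unclaimed, callable at any time."""
        self._only_owner(caller)
        swept, self.pool = self.pool, 0
        return swept

    def _only_owner(self, caller):
        if caller != self.owner:
            raise PermissionError("owner only")


def who_gets_paid(snapshot):
    """Constructed case: alice held 100 tokens at the fork, then sold them to bob."""
    ledger = {"alice": 100, "carol": 50}
    contract = WithdrawalContract("owner", 150, ledger, snapshot)
    ledger["bob"] = ledger.pop("alice")   # secondary-market sale after the fork
    paid = {}
    for holder in ("alice", "bob"):
        try:
            paid[holder] = contract.claim(holder, date(2017, 11, 19))
        except ClaimDenied:
            paid[holder] = 0
    return paid


def late_claim_then_sweep():
    """carol claims one day after the deadline; the owner then sweeps the pool."""
    contract = WithdrawalContract("owner", 150, {"alice": 100, "carol": 50},
                                  snapshot=True, deadline=date(2018, 1, 10))
    contract.claim("alice", date(2017, 11, 19))
    try:
        contract.claim("carol", date(2018, 1, 11))
        outcome = "paid"
    except ClaimDenied:
        outcome = "denied"
    return outcome, contract.safety_hatch("owner"), contract.pool
```

Under the snapshot rule the seller at fork time is paid and the later buyer is not; under the current-balance rule the reverse holds, which matters to anyone who traded DAO tokens after the fork.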



What next for the US$26 million of unclaimed ETC?

The next obvious question is:

What happens to the unclaimed funds on January 10th 2018?

There are four clear options at present:


  1. Have WHG/Bity keep the funds as payment for their service, returning some of the ETC
  2. Donate the funds to a charity or the “community”, perhaps  the ETC, DTH or ETH community
  3. Extend the deadline again
  4. Commit to allowing withdrawals indefinitely, as with the ETH withdrawal contracts


An official response from Bity suggested they may lean towards option two:


We feel that these funds should be donated to the DAO Token holders community where they originated from. After 6 months, we want to be able to donate these unclaimed funds to a community wide effort, like a foundation supporting smart contracts security. We want these funds to be used to develop the future of structures of Decentralized Governance, DAOs and smart contracts. We will see what options are available at the time.

Source: Bity


Of course, questions of who represents the ‘DTH Community’ will arise, and whether or not the funds are being spent in a transparent manner may come into question. Due to the anonymous nature of who is behind WHG, it may be difficult for the community to properly audit the spending of these unclaimed funds.

Additionally, this arbitrary timeline that prevents individuals in the future from claiming funds that are rightfully theirs may result in future legal action. As such, there is a possibility that WHG is only left with option 3 or 4, and will potentially allow ETC withdrawals to continue in perpetuity.

However, January 2018 will be over 18 months after The DAO, a long time in the crypto space. In addition to this, the price of both ETH and ETC has risen considerably since The DAO. Therefore perhaps some DTHs may forget about their tokens in all the excitement and wealth generation which is prevalent in the Ethereum ecosystem.



Whilst many claims made in this note are cited, we do not guarantee accuracy. We welcome corrections.