ConsenSys Software Inc. respectfully submits this letter in response to the U.S. Department of the Treasurys’ request for comment on the responsible development of digital assets. ConsenSys was founded in 2016 after the launch of the Ethereum protocol with the goal of facilitating decentralization through the development of blockchain-based computing platforms. We believe that, through decentralized networks like Ethereum, we can innovate and achieve like never before. We have dedicated our people, products, and resources to help drive this evolution.
ConsenSys is the leading Ethereum software company. We enable developers, enterprises, and people worldwide to build next-generation applications, launch modern financial infrastructure, and access the decentralized web. Our software suite, composed of MetaMask, Infura, Quorum, Truffle, Codefi, and Diligence, is used by millions and supports billions of blockchain calls. Ethereum is the largest programmable blockchain in the world, leading in developer community, user activity, and business adoption. On this trusted, open source foundation, people around the world are building the digital economies and online communities of tomorrow.
As the Treasury Department works on legislative and regulatory proposals, we encourage policymakers across government to pay attention to the innovation in the programmable blockchain ecosystem. This ecosystem not only offers the opportunity for economic growth but also the potential to make the internet more open, egalitarian, private, and secure.
We view this letter as the invitation to converse further, and we hope to engage with you in greater depth on the summarized points set forth below. We appreciate the opportunity to collaborate with you on the important task of bolstering innovation while mitigating the risks that new technologies may present.
1. Blockchain networks are programming platforms
We applaud the Administration’s earnest efforts to understand the features of blockchain systems before reaching conclusions on the risks they may present and the most effective and efficient means of avoiding or mitigating those risks through laws and regulation. Those efforts are particularly important because, to date, the focus of the regulatory conversation has largely been off the mark. This has unfortunately confused important issues and often caused policymakers to pose the wrong questions. We hope that this comment process results in the Treasury Department leading a clear-eyed reframing of the debate to where we engage in policy discussions from the baseline that blockchain networks are in fact entirely new computer programming platforms.
As the Treasury Department most assuredly understands, programmable blockchains like Ethereum allow anyone to write and publish code that is accessible to anyone else in so long as they have access to the blockchain network and the ability to compose and transmit on-chain transactions. In recent years, the increase in blockchain software development, as reflected in the number of developers committed on platforms such as Github to solve particular programming problems, has been notable. According to one analysis published at year end 2021, over 18,000 monthly active developers were working on blockchain programming projects, with over 34,000 new developers migrating to the blockchain ecosystem in 2021. While these numbers may be small compared with the global developer community writ large, the trend of developers expressing their interest in and becoming proficient at blockchain software development is unmistakable.
This trend is something that ConsenSys has directly observed through ConsenSys Academy. This offering is an educational resource aimed at building the community of blockchain developers. It offers an online developer bootcamp that provides an industry-standard, instructor-lead, and community-driven certification program with the mission of getting enrollees programming in Ethereum at a professional level in about 11 weeks. Academy also offers on-demand courses and remedial offerings for those who may not yet be developers but who nevertheless want to understand or explain blockchain technology. The interest in these courses by both the U.S. and international developer community has grown steadily year-over-year, and many enrollees of these offerings now work in the blockchain industry, including at organizations like IBM, Ernst & Young, and the National Institute of Standards & Technology. It is through our experience with ConsenSys Academy as well as our other offerings that we know that the blockchain ecosystem is now the best, most exciting place for U.S. software developers to build, collaborate, and innovate.
This trend is also something that ConsenSys is working hard to bolster by offering software platforms that permit developers to innovate new tools that can be shared with an increasingly broad user base. While the ConsenSys offering MetaMask is recognized as the world’s most popular Ethereum self-hosted wallet, few recognize that it is as much a developer platform as it is a client-side key management solution. The clearest expression of this is the release of MetaMask Flask, which is an experimental MetaMask application that allows developers to create new features that can be tested and refined before offering to the public more broadly. The first feature offered through Flask is the Snaps system, which allows developers to create their own programs that expand the functionality of the wallet. ConsenSys is not alone in working to bolster developer engagement and productivity. Examples abound of a thriving developer ecosystem where brilliant minds from all over the globe are tackling the novel problems presented by a nascent technology.
It is from this perspective that the Treasury Department should consider regulatory issues around blockchain protocols. While considerable attention to date, both regulatory and otherwise, has focused on the price of digital tokens in U.S. dollars and the speculation often attendant in their issuance and secondary market trading, sound regulation will only be realized when the technological functionality of nascent blockchain networks is the focus of the inquiry.
2. Risks in blockchain networks and related software
For purposes of this comment, we focus on certain risks associated with using blockchain software (both on-chain code and off-chain tools) and participating in blockchain ecosystems. We also provide some observations on how these risks may be mitigated.
Those that hold digital assets and use them on blockchain protocols are often the targets of scams designed to separate those users from their tokens. As the owner and operator of the MetaMask wallet, ConsenSys sees this phenomenon as regularly as anyone. MetaMask users are targeted on social media and via email by phishers looking to defraud the users into sharing their wallet passwords, which only the users may possess and safeguard. Currently, around 80% of all customer complaint tickets that MetaMask receives through its customer support channel are users reporting phishers. While we maintain a list of reported domains and take steps to warn users from visiting those sites, it is very difficult to keep up with the volume of reports. The situation is made worse by social media platforms like Twitter, where tweeting the word “MetaMask” will conjure bots trying to coax you into handing over your wallet. Those social media platforms have not taken any effective steps to reduce the predatory activity happening on their sites.
Several approaches to this problem are worth pursuing. First, social media platforms that are feeding grounds for predatory phishers should invest more time and attention to eliminating this type of predatory behavior, particularly where these scams are being launched through paid advertising campaigns to the benefit of these platforms. If you are capable and willing to police the content of speech on your website, you can be rightfully expected to take seriously the explicitly illegal scams that use your platform to target your users. Second, regulators and law enforcement could collaborate more closely to report, investigate, and disrupt large, organized phishing scams. Third, the blockchain ecosystem should create tools that fight back against the tide of online predators. Indeed, this approach is already being taken in a number of forms, including the project “MobyMask,” which is the brainchild of a MetaMask developer. This platform would allow users to report Twitter phishing bots by Twitter handle to create a shared database that would be updated in an accountable and transparent way. The database would serve as a peer-to-peer anti-phishing database that could be integrated into user interfaces for the purpose of warning users. While the project is still in proof-of-concept phase, it is an example of the initiative of the blockchain developer community to tackle and solve problems facing the space through innovation.
Hacks and bugs
A risk of on-chain software (i.e. smart contracts) is that it will be hacked by a malicious actor or that it contains a latent bug that may result in a user losing funds. These risks have been highlighted in recent news coverage of a number of sophisticated hacks of protocols and contracts in recent months.
These technological challenges are difficult to address because they arise from the fact that composing reliable, readily available, and resilient software is very difficult. But they are not insurmountable. First, it is important to remember that blockchain software is in its very early stages. Those that are building and participating in very much experimental protocols are generally aware of the risks they are taking and do so freely. When vulnerabilities are discovered, sometimes through hack or transaction failure, solutions are fashioned to avoid a repeat of the problem. Second, as protocols age, users have a longer track record of reliable performance upon which they can rely when using the protocol. While risks do not completely disappear, they do meaningfully decrease the longer a protocol has functioned without being hacked or suffering from a material bug in the code.
Third, best practices with respect to software development help reduce the risks of hacks and bugs. These best practices include having a third party code audit conducted before the software is released. ConsenSys specializes in this type of service through its Diligence offering. Diligence maintains a suite of blockchain security analysis tools and pairs up that service with in-person review of smart contract code by a qualified code auditor. This service has been increasingly popular among smart contract developers who wish to avoid vulnerabilities, employ mitigation best practices, model possible threats, and test their software before it is published. The Diligence team has worked on projects for many of the most notable names in the blockchain developer community, such as Uniswap and Aave. Industry-led solutions like software auditing will play an important role in keeping blockchain network users safe from hacks and bugs.
Smart contract approvals
Some programmable blockchain protocol users do not understand that, when they interact with a smart contract, they are often granting that software approval to send the tokens in their wallet to other addresses. This is a risk to users because, while some contracts require the user to grant narrowly tailored approvals to leverage their functionality, some smart contracts require broad approval, up to and including control over all tokens in your wallet for whatever purpose. These contracts are either irresponsibly written or, in some instances, purposefully malicious. An example of a malicious smart contract is one that purports to distribute (or “airdrop”) a fungible token or series of new non-fungible tokens (“NFT”). When a user signs an approval to receive the airdropped tokens or to mint a new NFT, the smart contract instead is programmed to drain the user’s wallet of some or all tokens.
Blockchain developers are currently grappling with how to address this problem from an industry best practices perspective. MetaMask, for one, is considering solutions that can be integrated into the MetaMask interface to warn users whenever a smart contract is asking for unlimited approval over their wallet. In addition to improved ecosystem tooling, user familiarity with how smart contracts function and their attendant dangers will also reduce this risk. Just as it became commonly understood risk management when navigating the internet not to click links or download files relating to unfamiliar websites, so too will it become more common for blockchain users to understand and avoid risky interaction with on-chain software. Government, law enforcement in particular, can greatly assist with reducing this risk by working with industry to pursue any and all malicious actors who are deploying malicious smart contracts to prey on U.S. users.
Software as middleman
Blockchain front-end interfaces that facilitate consumer engagement with on-chain smart contracts perform a valuable service today and will undoubtedly continue to. Given the already complex ecosystem of permissionless blockchains, composable smart contracts, and user-friendly web-based interfaces, end users today largely have to trust the web-based interfaces to be honest, secure, and reliable. As stated above, users could be better served if the industry, in consultation with regulators, developed standards around these interfaces to better protect users from bad actors, security vulnerabilities, and other risks. It is critical that the right balance be struck between fostering innovation and user protection, and that requires a thoughtful, iterative approach.
A serious question the industry must consider is whether a software provider that is providing a front-end interface or even on-chain smart contracts should be publishing information to better inform users about the functionality and risks of that software, and how such information could be most productively conveyed. These are difficult questions in large part because software development can implicate freedom of expression. (However, for-profit businesses that are engaged in software development are already required under the law to be honest and forthright about their offerings, as is every business. See Central Hudson Gas & Electric v. Public Service Commission, 447 U.S. 557 (1980). The Supreme Court has also set forth a standard by which the government can constitutionally compel commercial speech. See Zauderer v. Office of Disciplinary Counsel, 471 U.S. 626 (1985)). Separate and apart from whether software development by a business would constitute commercial speech, and thus whether the government has wider latitude to regulate such development under the U.S. Constitution, risks relating to an informed user base are more quickly and productively addressed by the industry setting and organically enforcing disclosure standards.
Although programmable blockchain systems present risks, like those highlighted above, there are two more overarching points to understand about how financial crime risks can be mitigated. First, there are new tools native to the digital asset ecosystem that allow law enforcement to more effectively detect, track, and identify criminals that are using blockchain networks to commit crimes and abscond with illicit gains. The Treasury Department’s familiarity with these blockchain analytics tools is well established today. These new approaches generally do not rely on the traditional model of deputizing middlemen to require users to identify themselves, monitor transactions, and report suspicious behavior. We support law enforcement and regulators steadily increasing their proficiency in leveraging these new software tools built upon the transactional transparency of public blockchains. But it is imperative that these tools be used responsibly and in accordance with the rule of law, regardless of whether the government uses them directly or third party private organizations use them at the government’s behest. Notions of personal and financial privacy and federal law must be scrupulously minded as these tools are brought to bear, and as the Treasury Department considers future legislation and regulation pertaining to surveillance and investigation of on-chain transactions.
Second, bad actors that are committing crimes targeting or using digital assets generally still aim to exit the blockchain ecosystem with any ill-gotten gains by converting them into fiat currency. Illicit digital asset proceeds are most vulnerable to seizure and recovery when they are turned over to a third party fiat off-ramp in anticipation of converting to fiat and ultimately withdrawal. It is these off-ramps that are rightfully receiving law enforcement and regulator attention to better interrupt a bad actor’s access to fiat currency.
ConsenSys knows this from direct experience. When a MetaMask user contacts our customer support group to report a phishing attack, we have in certain instances been able to track the stolen funds to an account on an exchange. After sharing this information with the user, we have attempted to make contact with someone working at the exchange to get them to intervene. In most instances, those efforts have not elicited a response either at all, or in time to prevent conversion and withdrawal of the stolen assets. Further, at least one effort to reach bilateral agreement on sharing information for purposes of frustrating fraudster scams prospectively was ultimately undone when the counterparty exchange declined to participate.
Failure to collaborate on user-centric issues like this is a shortcoming that should be addressed. To do so, the blockchain community should engage earnestly on new information sharing and crime mitigation practices to interrupt unlawful schemes that are in progress. Regulator engagement that facilitates these industry-wide collaborations would undoubtedly be productive.
Whether blockchain networks demand too heavy a share of energy production or rely too heavily on carbon-generating forms of energy production is also an issue that deserves consideration. As the blockchain ecosystem matures, questions have arisen about the sustainability, security, and scalability of its leading networks. The Ethereum ecosystem anticipated these concerns. From its early days, Ethereum protocol developers viewed Proof of Stake (PoS) as the mechanism to secure Ethereum’s future. Ethereum will be completing the transition to PoS perhaps as soon as September 15th, 2022, which brings several improvements that have been developed for years. One improvement that we eagerly anticipate involves far less energy usage.
Today, Proof of Work (PoW) consensus on Ethereum consumes around 85 TeraWatt Hours per year, although this estimate varies greatly depending on volatile network activity. In contrast, a PoS Ethereum has been predicted based on energy usage required by the PoS testnet called the “Beacon Chain” to be reduced by roughly 99.95%. If that proves true, then PoS Ethereum will be two thousand times more energy-efficient than the proof of work Ethereum. Today’s annualized energy usage would be reduced from 85 TWh/yr to around 0.0425 TWh/yr. To put that figure into proper perspective, the annualized energy demands of YouTube, Netflix, and PayPal have been estimated in recent years at 244 TWh/yr, 94 TWh/yr, and 0.26 TWh/yr respectively.
Additionally, it is anticipated that further advances in blockchain transaction scaling solutions (such as rollups and sharding) will help further decrease the energy consumed per-transaction by leveraging economies of scale. In other words, as PoS will make consensus less energy intensive, scaling solutions will allow the Ethereum protocol to secure far more transactions in each block than it does today. ConsenSys works closely with protocol teams innovating the latest scaling technology to bring those innovations to a broader set of blockchain users and developers.
A powerful argument could be made that the benefits flowing from a global, permissionless computational network like Ethereum would even make continued PoS consensus, with all of its energy usage, nevertheless worthwhile. But that argument soon will be moot, at least with respect to Ethereum. Ethereum’s current mainnet will soon merge with the PoS testnet that has been functioning for quite some time. When it does so, the energy used by the largest programmable blockchain in the world will plummet, while the network itself should get more robust as the energy and equipment needed in order to support the network will become less onerous.
4. Facilitation of further blockchain network adoption
ConsenSys believes that the free and open development on top of blockchain networks is the key to opportunity and innovation in the new digital economy. The adoption of blockchain networks should expand due to three fundamental trends that derive from development.
First, the user experience for blockchains has been under most circumstances more difficult for the average person than comparable use on the current internet. Receiving, holding, and sending tokens and interacting with blockchain software to execute transactions is generally not as easy as sending and receiving email or purchasing a product online using traditional e-commerce infrastructure. However, the user experience improvements over the course of recent years has been notable, and developers are continuing to slowly and iteratively improve user experience. As it becomes less difficult to interact with blockchain systems, this barrier to broader adoption will erode, and onboarding greater volumes of users should follow.
Second, adoption will grow as the everyday use cases for blockchain networks proliferate far beyond wallet-to-wallet payments. New phenomena like non-fungible tokens, on-chain digital identity, and decentralized autonomous organizations are still in early development stage, and as programming experimentation continues to innovate on these concepts, we anticipate more users will come into the ecosystem to leverage digital ownership, provable yet private digital identity, and new community-based methods of organization, decision, and action.
Third, adoption will increase as current and prospective users become more familiar with blockchain systems. As was the case with the internet, new technology requires time and exposure for potential users to be willing and able to use it. Ease of use and broader utility will certainly encourage more interest in blockchain systems by the average person, but time is also required to build familiarity.
The Treasury Department and government agencies and policymakers around the world play an important part in further adoption too, but the foremost impact they often have is whether they facilitate or frustrate U.S. developer-led innovation. Frustration of U.S. developer work, it should be said, would only ensure that foreign-based developers define the cutting edge of innovation in the blockchain ecosystem.
5. Legislative and regulatory initiatives
While the list of issues to be resolved by legislation or regulation is long, we direct your attention to four specific issues for purposes of this comment.
First, a tax exemption for de minimis cryptocurrency transactions would fix the federal tax code serving as a barrier to the everyday use of virtual currency in commercial transactions and other small payments. Legislation like the recent bill introduced by Senators Toomey and Sinema would address this issue constructively, and we encourage the Treasury Department’s support of such initiatives.
Second, protocol rewards for validating blocks on PoS networks should not be treated as taxable income upon receipt. For the reasons set forth in papers like those published by the Proof of Stake Alliance, we believe the proper policy for the U.S. government, both with respect to ensuring tax collection and serving the interests of U.S. taxpayers, would be to codify treatment of protocol rewards as property that is taxed only after disposition. Short of that, the Treasury Department should provide guidance that such treatment would be afforded by the Internal Revenue Service under existing law. This is an especially important issue in light of Ethereum’s migration to PoS as well as the continued growth of other PoS programmable blockchain networks. Without this fix, in the near future, millions of everyday Americans may find it extremely hard to comply with their federal tax obligations, largely to no fault of their own.
Third, for the reasons set forth in the considerable volume of comments submitted in response to FinCEN’s notice of proposed rulemaking concerning unhosted wallet software, the Treasury Department should refrain from finalizing any rule that purports to limit the otherwise licit use of unhosted digital asset wallets or to impose greater reporting duties or surveillance burden on wallet users. Jurisprudence such as the “third party doctrine” that has undergirded related regulatory regimes does not neatly fit with peer-to-peer networks and the software that users employ to participate in them. Further, wallets are the mechanism through which users do far more than merely hold, send, and receive virtual currency. They are increasingly the mechanism through which users control their digital identity, participate in online communities such as DAOs, and engage in commercial activity that does not give rise to any meaningful risk of money laundering or terrorist financing. With respect to digital identity in particular, we have increasing confidence that many everyday Americans will in the near future be using an Ethereum account as identity to log in to online applications. A material change in Treasury regulations that undermine the freedom, privacy, and usability of unhosted wallets would be contrary to the Administration’s stated goals of supporting pro-consumer technological innovation and would inevitably be subject to legal challenge on the basis that it is a step too far.
Fourth, the Treasury Department should advocate for a change in the law that would allow a U.S. government employee involved in blockchain policymaking to hold some amount of digital assets. This position would contravene the recent guidance issued by the Office of Government Ethics. That guidance is emblematic of a problem that pervades the OGE’s approach to digital assets (and other government and private sector policymakers as well), namely that they are solely investments rather than elements of a multifaceted system constituting a new computer network technology. Banning large holdings would be one thing, but effectively prohibiting any possession and therefore use of digital assets deprives U.S. government policymakers from using blockchain networks and thus experiencing those ecosystems firsthand. It’s akin to preventing transportation regulators from driving cars, or banking regulators from having checking accounts. That is an indefensible outcome if there is an interest in informed policymaking. We respectfully suggest that the Treasury Department should promote the OGE’s updating its regulations to correct the absence of a de minimis exemption for digital assets and also support any effort to correct this policymaking deficiency through the legislative process.
CONSENSYS SOFTWARE INC.
William C. Hughes
Paul S. Drury