Blockchain Technology – Getting Ready
By Tom Greer, CCA, CGMA
Blockchain technology, which was introduced over 10 years ago, is still in its infancy. Early indications are that it will significantly alter the landscape of how we do business. The first blockchain was created to facilitate Bitcoin transactions. That use is now just the tip of the iceberg as other potential uses are quickly being discovered and researched. Worldwide spending on blockchain applications is projected to grow from the current $3 billion in 2019 to almost $12 billion in 2022. All four of the Big Four accounting firms and every major financial institution are investing hundreds of millions of dollars into this technology. Two of those accounting firms, Ernst & Young and Price Waterhouse Coopers, accept payment via bitcoin. All that just to point out the level of commitment towards adopting this new technology.
The purpose of this article is to provide readers with a basic understanding of blockchain technology and its risks and encourage them to monitor developments on a regular basis.
In essence, Blockchain is an accounting technology. It maintains a ledger of asset ownership and obligations. The intent is a ledger that is continuously updated and verified without being altered or corrupted. In our traditional general ledgers, when we want to correct a previous entry we just create an adjusting journal entry. Not so in the blockchain. Entries cannot be changed – only new transactions can be entered.
To understand Blockchain Technology and where it is going, it is important to go back in time and look at the events and personalities that brought us to where we are today. Until the 1970s cryptography was something used by the military and spy agencies. That changed, though, when the U.S. Government created the Data Encryption Standard (DES) which became the standard for encryption technology. In the 1980s, marketplace cryptographers began to publish articles about the need to create security without identification to protect against “1984 Big Brother” fears. In the 1980s and 1990s, the government attempted to stop export of cryptography.
In 1992, three of these cryptographers (Eric Hughes, Timothy C. May, and John Gilmore) got together and founded a group which became known as “cypherpunks.” The word is a combination of “cipher” and “cyberpunk” and was added to the Oxford Dictionary in 2006. They met monthly and created an email list of 700 participants within 2 years and 2,000 in 5 years. One of the early members of the list was Julian Assange. In 1993, Eric Hughes drafted “A Cypherpunk Manifesto.” The premise of the manifesto is that we cannot trust government, corporations, or other large, faceless organizations to grant us privacy… We must defend our own privacy. The cypherpunks have taken it upon themselves to write the code to protect the privacy of all individuals.
“We must defend our privacy, if we expect to have any. We must come together and create systems that allow anonymous transactions to take place… We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money…” – Excerpt from A Cypherpunk’s Manifesto
In 1998, with the help of the cypherpunks, a $200,000 machine was built that could crack the encryption code of the government’s DES key in a few days. Suddenly, the code the government touted as the standard was obsolete.
Since then, a war has been going on between the government, which wants to control the tools of encryption, and the cypherpunks. To most of us, who have no knowledge of these issues, this war seems as remote as the supernatural battle between angels and demons. We know the battle is going on, but we do not perceive it having much impact on our daily life. To the cypherpunks, our freedom in the 21st Century hinges on winning the war – and now it looks like success is within their grasp. The outcome of the battle has risen to the world we live in and is staring us in the face. And the business community is charging full speed ahead to adopt the technology created by the cypherpunks.
As we look at the development of Blockchain Technology, some basic questions need to be asked:
1. If the code developed by the government could be cracked by the cypherpunks, how can we be sure the code created by the cypherpunks cannot be cracked?
2. How can we be sure the cypherpunks have not kept a “backdoor” access to the blockchain? Have we ever seen a software/programmer that did not keep a backdoor access?
3. The current security of the blockchain is based on a decentralized network of thousands of computers that are all in agreement. Hacking the blockchain would require hacking all the computers in the network which is currently technologically unfeasible. What if future advances in technology make it feasible?
For the cypherpunks to create security without identification, they needed to overcome the limitations of the current financial system which required an intermediary third party, such as a bank or brokerage firm.
Enter Satoshi Nakamoto who published a white paper in 2008 leading to the creation of the first accepted cryptocurrency, Bitcoin, and the launching of the initial code in 2009. Nakamoto is a pseudonym for an unknown creator, but many think he is one, or more, of the original founders of the Cypherpunks. Bitcoin allowed peer-to-peer transactions without any third-party involvement. The ledger in which transactions were recorded was called a blockchain. Since then, other digital currencies have been developed, but they all use some form of blockchain as a transaction ledger. It was soon determined that blockchain technology had many more uses than just as a tool to facilitate and record digital currency transactions.
WHAT MAKES BLOCKCHAIN DIFFERENT FROM THE CURRENT ENVIRONMENT?
1. It provides the opportunity for peer-to-peer transactions without third party involvement – no banks or other financial institutions are required.
2. The individual/organization is now 100% responsible for security of their assets. If you get ripped off there is no financial institution or agency to turn to for recourse. This creates the chance of significant loss to the owner.
3. It seems like every month we become aware of a major database breach that puts millions of people at risk of identity theft. Blockchains, because of their decentralized nature, are virtually impossible to hack compared to centralized databases such as Facebook and credit card companies.
SO, WHAT IS A BLOCKCHAIN AND HOW DOES IT WORK?
While there would be no blockchain without Bitcoin, blockchain and Bitcoin are not the same thing. No one owns Bitcoin the public blockchain, but anyone can own Bitcoin the currency.
There are four core components of blockchain technology:
1. The ledger (a blockchain) – the record of all transactions
2. Peer-to-peer network (P2P) – many decentralized computers (nodes) connected through the Internet
3. Consensus mechanism – a process so the nodes can agree on the same version of the blockchain without having to know or trust each other
4. Incentive mechanism – the cryptocurrency (such as Bitcoin) that incentivizes participation to secure the network
• The blockchain is like a general ledger in the cloud that records transactions in the unique digital currency of that blockchain.
• Transactions are grouped into a block and added to the blockchain. Every blockchain has limits to the size and number of transactions that can be recorded in a block. All the blocks of the blockchain are tied together with a “hash” that references the previous block.
• Cryptography is used to ensure no data has been changed in the blockchain (immutable blockchain).
• The network is many computers (nodes) that store the complete and current record of the blockchain.
• Every node in the network agrees at any point in time.
• A malicious hacker would need to hack every node on the network simultaneously. The power requirements to accomplish that are currently not feasible.
• If a node goes offline it does not affect the integrity of the network.
• The Consensus Mechanism is what makes the Ledger and P2P Network immutable.
• It is comprised of Protocols (rules) and Algorithms (instructions) to enforce the rules. An example of a Protocol is the specifications for a valid digital signature. An example of an Algorithm is the instruction to test compliance with the rule.
• Most common Algorithms are 1) Proof of Work, and 2) Proof of Stake. We will discuss them further in the next section.
Blockchains can be permissioned or permissionless.
Private blockchains are permissioned and public blockchains, such as Bitcoin, are permissionless.
In a public blockchain, anyone can participate as a node, developer, or end user without permission.
Every node on the blockchain has a complete copy of the ledger.
Mining nodes use mining hardware and software with the expectation of reward.
A miner gets a reward of cryptocurrency for establishing a block with the correct connecting hash. In addition, the miner gets a small transaction fee for transactions occurring within the block they created. Solving the mathematical puzzle that creates the new block and connecting hash is the Proof of Work Algorithm. Proof of Work by miners helps to secure the network.
Cryptocurrency coin holders stake the value of their coins to secure the network. They act honestly or risk losing their coins (stake) if they act dishonestly.
All miners are nodes, but not all nodes are miners.
Miners use hashing algorithms to link transactions together within a block (Merkle Tree) and link blocks together to form the blockchain.
The series of hashes for all transactions within a block are used to create a “root” hash which becomes the hash of that block.
The root hash of the previous block is added to the current block, linking the two blocks together.
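An added example (not from the original article) of the Merkle root, block linking and Proof of Work described above, written in Python. It hashes a small header of previous hash + Merkle root + nonce, as real chains such as Bitcoin do, rather than using the root alone; the transactions, the 12-bit difficulty and all function names are constructed for illustration.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).digest()

def merkle_root(transactions):
    """Hash each transaction, then hash pairs upward until one root remains."""
    if not transactions:
        return sha256(b"")
    level = [sha256(tx.encode()) for tx in transactions]
    while len(level) > 1:
        if len(level) % 2:                 # odd count: duplicate the last hash
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]

def block_hash(prev_hash, root, nonce):
    return sha256(prev_hash + root + nonce.to_bytes(8, "big"))

def mine(prev_hash, transactions, difficulty_bits=12):
    """Proof of Work: search for a nonce that puts the hash below the target."""
    root = merkle_root(transactions)
    target = 1 << (256 - difficulty_bits)
    nonce = 0
    while int.from_bytes(block_hash(prev_hash, root, nonce), "big") >= target:
        nonce += 1
    return {"prev": prev_hash, "txs": list(transactions), "nonce": nonce,
            "hash": block_hash(prev_hash, root, nonce)}

def first_invalid_block(chain, difficulty_bits=12):
    """Return the index of the first block that fails verification, or None."""
    target = 1 << (256 - difficulty_bits)
    prev = b"\x00" * 32                    # constructed all-zero genesis link
    for i, blk in enumerate(chain):
        h = block_hash(blk["prev"], merkle_root(blk["txs"]), blk["nonce"])
        if (blk["prev"] != prev or h != blk["hash"]
                or int.from_bytes(h, "big") >= target):
            return i
        prev = blk["hash"]
    return None

def build_sample_chain():
    # Constructed sample ledger entries, three blocks
    batches = [["alice->bob:5", "bob->carol:2"],
               ["carol->dave:1"],
               ["dave->alice:3", "alice->erin:1", "erin->bob:1"]]
    chain, prev = [], b"\x00" * 32
    for txs in batches:
        blk = mine(prev, txs)
        chain.append(blk)
        prev = blk["hash"]
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain, first invalid block:", first_invalid_block(chain))
    chain[1]["txs"][0] = "carol->dave:100"   # edit a recorded transaction
    print("after edit, first invalid block:", first_invalid_block(chain))
```

Re-mining only the edited block does not help: the next block still stores the old hash, so every later block would have to be re-mined as well.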
Types of Blockchains
Permissioned (private) Blockchains – participation is restricted to selected users. Users can choose to participate or not. Additional controls over read/write accesses.
Permissionless (public) Blockchains – participation is unrestricted.
The blockchain user has a continuum of blockchain opportunities to choose from; including Public Blockchains where anyone can participate down to blockchains controlled by a single user with hybrid blockchains in between that have a combination of accessibility vs. control.
Higher security (more decentralized) = lower speed/efficiency
Lower security (less decentralized) = increased speed/efficiency
Centralized database (central server) = low security but high speed/efficiency
Attributes of Permissioned Blockchains –
• Do not use tokens for incentives
• Can have multiple ledgers for different types of transactions
• Can have different levels of transparency, including public transparency (grower to plate supply chain)
• Parties of a hybrid (consortium) blockchain have some level of established relationship and trust.
• Restrictions can be placed on who can operate a node.
• Node operators could be required to place assets at stake.
• Parties can be restricted to certain types of transactions.
• Cost benefit issues can make it more difficult to design than a permissionless blockchain. The amount of decentralization will be based on the nature of the relationships of the participants.
• The hybrid will have a public ledger plus a private ledger for each member. Transactions are private but verifiable on the public ledger.
WHAT ARE SOME POTENTIAL APPLICATIONS?
Banks are working to use blockchain as a distributed ledger for interbank reconciliations. Banks spend millions of dollars every year reconciling their ledgers with each other. This would be what is called a “private” ledger and only participating banks would have access. Because of the volume of transactions between banks, there are issues with blockchain speed and capacity to overcome to make this feasible.
The real estate and auto industry are using it to track cost of specific inventory items and the price they were sold.
Ownership of assets and the chain of title has obvious potential. As a public register, blockchain would indicate who has clear title to land and would add transparency to land transactions. This was initially attempted in Honduras which is very corrupt and has no current land ownership registry. The project came to a standstill because the corrupt bureaucrats realized they would lose their control if the blockchain was developed. This same technology could also be used to track food from the field to the shelves to verify its organic nature, or to verify clothing and jewelry are not “knock-offs.”
Smart Contracts can be developed within the blockchain. Just like a traditional legal contract, it can be approved by both parties. Then, when certain triggers are recorded, payment can automatically be made to the appropriate party without a central/third-party to facilitate the transaction. This could be used as an escrow account, to acquire investments, or anything else.
Audits would change dramatically. Sending confirmations to banks to confirm balances or to customers to confirm accounts receivable would be unnecessary. By eliminating some of the detail work, auditors will be able to focus on more high-level questions. They can focus on the purpose of transactions and not just the debits and credits. This has been referred to as the end of “Double-Entry Accounting” and the creation of “Triple-Entry Accounting.” This could have a significant impact on accounting software. While simplifying some audit procedures, you can imagine the myriad of other issues this technology may pose to auditors. On the public ledger, auditors can see what transactions have occurred, but it will not disclose who participated in those transactions with access to the private keys, which are discussed in a later section.
Handling Cryptocurrencies & Wallets:
Cryptocurrency “coins” reside on blockchains – not wallets
A wallet is simply hardware or software that creates and stores private keys and public keys related to public addresses. The private key gives authorization to send transactions and a public address is used to receive cryptocurrencies.
Wallets can generate new addresses for sending and receiving cryptocurrencies.
Hot Wallet – connected to the Internet. Higher degree of risk. Typically, used for operating expenses. Never keep more cryptocurrency in a hot wallet than you are willing to lose.
Cold Wallet – not connected to the Internet. More secure.
Think of a hot wallet as a checking account and a Cold Wallet as a savings account.
In addition to hot and cold wallets, wallets can be software or hardware wallets. Most wallets are software wallets which are used on electronic devices. Software wallets can create a “paper” wallet. A paper wallet is a physical, cold storage wallet. A paper wallet is any medium used to store keys offline in physical form (does not have to be on paper).
Hardware wallets are physical devices. They can be used with infected computers without compromising security. Hardware wallets can be restored with what is called a mnemonic seed. A mnemonic seed is a series of words stored on recovery cards using any medium like a paper wallet. A recovery card is a backup to a hardware wallet, but a paper wallet is the actual wallet.
Using their private keys, blockchain members can “cash out” their cryptocurrencies by transferring them to exchanges, which act like traditional financial institutions, where the cryptocurrency can be converted to other digital currencies or traditional monetary currencies and “deposited” into traditional financial institutions.
Risks and Challenges: Module 4
- Key Management
- Wallet & code
- Social Engineering
- Fork and Chain Split
- Uncertain Regulations & Standards
Key Management Risk – the risk that private keys are not properly secured and backed up. If you control the private key, you own the cryptocurrency. If you lose control of the private key, you lose the asset FOREVER!! Remember, in blockchain technology, you are 100% responsible for your security. Is it any surprise why banks love the idea of blockchain? If someone hacks your ATM card the bank protects you from loss. The bank has no financial responsibility to protect you from loss with blockchain.
Wallet & Code Risk – this is a risk in the integrity of software related to wallets. It could be a problem with a smart contract, a wallet or blockchain protocol. Most desktop and web wallets make disclosures in terms and conditions that bugs are possible. Security backup does not always fix the problem which means the potential loss of cryptocurrency. Most hacking resulting in the loss of cryptocurrency has occurred at the wallet level. DAO is an example of a blockchain hack related to a bug in a smart contract on the Ethereum (ETH) blockchain. This resulted in a fork to a new blockchain (ETC) to protect the assets.
– there is huge anxiety surrounding the loss of private keys. People make mistakes when they are anxious.
Social Engineering Risk
– this is where one party tricks another party into releasing information. It is related to Cognitive Risk.
– an example is when Bitcoin is sent from the Bitcoin blockchain to a side blockchain that has desired programmable features, but the Bitcoin gets frozen in the side blockchain and cannot be moved back to the original blockchain.
– advancements in cryptology could result in current blockchains losing some of their security. Or maybe public keys (read access only) could be engineered into private keys (control of assets).
– governance of technology involves code (the law) and people (decision making). Needed protocol changes require the consensus of a large, decentralized group which is inefficient. (i.e. Bitcoin BTC split to BCH to increase block size and reduce costs)
Fork and Chain Split Risk
– when a blockchain splits, such as in the DAO or Bitcoin cases, the holders of currency in the old blockchain get an equal amount of currency in the new blockchain. This results in free assets to the currency holder, but wallets and exchanges must make software upgrades so both the new and old currencies can be used without risk of loss.
– If 51% or more of the computing power of all mining nodes is controlled by one entity, that entity can double-spend coins. This has happened on some blockchains with smaller hashing power and is becoming more frequent.
– results from inadequate planning in the death of an individual or business succession plans. Death or change of business ownership equals loss of assets. Multi-signature wallets can mitigate this risk. Private keys, wallet information and other important details should be kept in a safe deposit box and not stated or listed in any document.
– one class of a currency could have less value than another class resulting in confusion and lack of confidence in the currency. (i.e., – The Office of Foreign Asset Control is thinking of listing bitcoin addresses of “listed persons/entities.” Banks cannot do business with listed parties. That would result in those bitcoins being discounted).
– are the provisions of a “smart contract” legally enforceable? What happens if, due to a program error, the outcome of the smart contract does not meet the intent. Use a Ricardian contract which is both machine and human readable as a protection.
Uncertain Regulations & Standards Risk
– standard setting groups include the AICPA, the ABA, the IRS, the SEC and The Accounting Blockchain Coalition. Questions surround the accounting and taxation of blockchain forks and the deductibility of acquiring and mining cryptocurrencies.
Blockchain technology, while still in its infancy, is moving forward at an ever-increasing rate. Its ultimate impact and potential uses are still unknown, but it is anticipated that blockchains and the use of digital currency will be commonplace in less than five years. Many leaders in the financial world believe the fiat/paper currencies we currently use will be a thing of the past. It would benefit church administrators and financial officers to continually monitor the progress of the technology to evaluate its influence on changes in future church operations, accounting, and finances and be proactive in implementing systems to account for those changes.
Thomas Greer, CPA, CGMA is the Executive Director of Operations and CFO at Eastside Christian Church in Anaheim, CA. He can be reached at firstname.lastname@example.org.