Executive Summary






            Distributed Ledger Technology (DLT) is a new type   are mapped within a taxonomy to particular layers
            of secure database or ledger using crypto-graph-   within DLT designs: network, consensus, data model,
            ic techniques. The data is consensually distributed,   execution, application, and external layers. These are
            replicated and housed by ‘nodes,’ who may be across   followed  by  discussions  of potential mitigants  and
            multiple sites, countries, or institutions. Often there   recommendations.
            is no centralized controller of a DLT, with DLTs then   We note that while some of these risks and vul-
            said to be ‘decentralized’ and ‘trustless.’ All the infor-  nerabilities emanate from the non-DLT world, many
            mation on it is securely and accurately stored using   emanate from the abundance of new blockchain pro-
            cryptography and can be accessed using keys and    tocols that attempt to vary the initial design with new
            cryptographic signatures. The most prominent of the   features and complex logic to implement them. This
            evolving DLT types is called a ‘blockchain,’ whereby   is exacerbated by the distributed nature of DLTs and
            data is stored on sequentially added ‘blocks.’ The   the associated wide attack surface; a rush to imple-
            concept first appeared in 2008-2009 with a white-  ment solutions that are not properly tested or which
            paper on the crypto-currency Bitcoin.              are developed by inexperienced developers; and
               DLTs  show  potential  multiple  use  in  a  financial   third-party dependencies on often insecure exter-
            inclusion context, from secure (and thus tamper-ev-  nal data inputs - known as ‘oracles - to blockchains.
            ident) disbursement of funds in aid programs; to   Crypto-exchanges have been particularly vulnerable
            secure and transparent access to assets and records   because poor security policies, with hundreds of mil-
            of property; use in agricultural value chains to track   lions of dollars of user value stolen by hackers.
            seed usage and spoilt food; raising of funds as a type   Further, attempts by the flavors of DLTs to address
            of ‘decentralized finance;’ shortening the payment   inherent design  handicaps in  initial  generations  of
            time for small farmers who sell internationally; for   DLTs – now often termed Blockchain 1.0, or Lay-
            fast and more affordable remittances; a means of   er  1,  or  main-nets  -  of  low  scalability  and  low  pro-
            forestalling de-risking of developing world financial   cessing speeds, buttress what is now known as the
            institutions by global banks; as a supervisory tech-  blockchain ‘trilemma’ that represents a widely held
            nique for regulators; to secure identities that can be   belief that the use of DLTs presents a tri-directional
            used to access funds and credit.                   compromise in that increasing speed of a DLT may
               Representation of values stored on a DLT are    introduce security risks, or that increasing security
            ‘crypto-assets’ stored in ‘token’ form which can be   reduces processing speed.
            traded at so-called crypto-exchanges that also store   Policy makers may have a role in DLT deployments
            the keys on behalf of the token owner. Altogether,   in so far they could develop (or even mandate) prin-
            these activities reflect the genesis of what may be   ciples rather than specific technologies or standards
            termed the ‘crypto-economy.’                       that those involved in developing and implementing
               However - and  as  with  most technology  inno-  DLTs need to abide by. Security audits for example
            vations - a number of evolving security risks are   could be mandatory, as well as two-factor authenti-
            emerging with DLTs, reflective of the new actors,   cation (2FA) methodologies if available in a particu-
            technologies and products. Often many of these new   lar environment.
            actors are start-ups who do not necessarily have the   This report enumerates many of these DLT-de-
            resources - or inclination - for assessing and acting   rived security issues as seen from a developmental
            on any security or compliance-related issues.      and financial inclusion prism. It details a number of
               The key security risks and vulnerabilities identi-  security threats per layer and risk profile, and then
            fied in this study include those relating to software   develops approaches and recommendations for sets
            development flaws; DLT availability; transaction and   of users and regulators for overcoming these chal-
            data  accuracy;  key  management;  data  privacy  and   lenges.  This  also  includes  a  recommendations  for
            protection; safety of funds; consensus in adding data   entities building and operating distributed ledger
            to a DLT; and in use of what are known as ‘smart con-  platforms internally in the developing sector.
            tracts.’ These and other security risks enumerated






            6    Security Aspects of Distributed Ledger Technologies