‘Yes, This Thing’s a Security, STFU’—A Close Read of the SEC’s DAO Investigation

Cryptocurrency's about to get a lot less punk rock


Former SEC Chair Mary Jo White has had it up to here. Zach Gibson/Getty Images

“Enough with your distributed ledger shenanigans,” the Securities and Exchange Commission said Tuesday (roughly). “If it looks like an investment, smells like an investment and can lose people loads of money like an investment, then it’s an investment.”

The SEC didn’t phrase it in quite so many words, but that’s the gist of an 18-page report released by the agency last night. It also released a succinct public statement that comes much closer to the above and an investor bulletin on initial coin offerings (ICOs). The latter might be summarized this way: don’t get suckered. We recently argued that the initial price surge on each new ICO will eventually have to come to an end, and that end may be dramatic.

“The ‘touchstone’ of an investment contract ‘is the presence of an investment in a common venture premised on a reasonable expectation of profits to be derived from the entrepreneurial or managerial efforts of others,’” the SEC wrote. The DAO fit the bill, and its originators broke the rules by failing to run it by the regulators.

One organization is working to make it easy for similar efforts to follow the rules. Coinlist is a Protocol Labs project aimed at executing ICOs by the books. It has been getting flak for its intention to open the Filecoin ICO only to accredited investors, but its judiciousness looks a lot smarter in light of this new report.

So what happened?

The report digs into events that took place last year, when a corporation that existed entirely in code appeared on the internet and people put $150 million into it. It was called the DAO and it was built on the Ethereum blockchain by a German company called Slock.it. The idea was that its owners could vote on what to do with the company’s money (making it a “decentralized autonomous organization”). Owners included anyone who had bought tokens that entitled them to votes in the organization. These tokens were readily available for sale on the secondary market.

We gave the project strong kudos as an innovative new model, and then hackers nearly stole a third of its capital ($50 million). In other words, our praise was premature and the model wasn’t ready for that kind of scale, and unwinding that massive theft kind of, sort of broke the Ethereum network. When the network unwound the transactions, it created the same moral hazard Washington engendered when it bailed out the big banks after the subprime mortgage crisis. Both took risks, but neither suffered the real consequences when bets went south.

The DAO also didn’t seek authorization to sell its tokens in the U.S., nor did it give the SEC a chance to review its disclosures. The SEC’s report was a way of saying that we have rules for a reason. The regulator wanted to explain that its authority is flexible enough to govern new investment vehicles, whether they are crafted in code, musical notation or pixie dust. If people buy something expecting to profit as its value rises, or to sell it off when it doesn’t, the SEC gets to weigh in.

“The automation of certain functions through this technology, ‘smart contracts’ or computer code, does not remove conduct from the purview of the U.S. federal securities laws,” the report states.

And what went wrong?

In a lot of ways the DAO case illustrated why everyone’s better off when securities are issued in accordance with the law. “On The DAO Website and elsewhere, Slock.it represented that The DAO’s source code had been reviewed by ‘one of the world’s leading security audit companies’ and ‘no stone was left unturned during those five whole days of security analysis,’” the report found, and yet five days were not enough.

And the DAO’s security failure was only made worse by the fact that “there were no limitations placed on the number of DAO Tokens offered for sale, the number of purchasers of DAO Tokens or the level of sophistication of such purchasers,” the SEC continued, which meant the potential losses had no ceiling.

The DAO’s code was highly transparent, and yet its organizational structure was also highly resistant to critiques. Several security and blockchain experts noted weaknesses in the DAO, but once the organization got started there wasn’t sufficient will to fix its problems. This allowed an attacker to exploit a weakness in its code to siphon off more ether than those behind the attack had ever put in.

They almost got away with $50 million worth of cryptocurrency. If the DAO had been capped, the hack might have still happened, but the sum at risk would have been smaller.

So did the people who bought these tokens really run the DAO?

Not according to the SEC.

The SEC continues its beatdown on Slock.it by pointing out that the DAO really wasn’t as purely democratic as it made itself sound. First of all, Slock.it presented itself as a team of Ethereum experts who knew how to build a decentralized organization that could work. “Slock.it and its co-founders did, in fact, actively oversee The DAO. They monitored The DAO closely and addressed issues as they arose,” the SEC wrote.

Second, humans were key to managing the program. Anyone could submit a smart contract to the DAO for potential investment, but it only went to a vote if a group of human curators gave it the okay. “Curators of The DAO had ultimate discretion as to whether or not to submit a proposal for voting by DAO Token holders,” the SEC found. “Curators also determined the order and frequency of proposals, and could impose subjective criteria for whether the proposal should be whitelisted.”

Lastly, the DAO’s owners had less power over the organization than it seemed. For one thing, the setup gave token holders an incentive to skip votes, because they couldn’t trade their tokens until a vote settled. For another, the anonymous nature of cryptocurrency made it very hard for token holders to form voting blocs.

So what does the SEC want?

In order to protect American investors, offers and sales of securities need to be registered with the SEC unless they qualify for an exemption, so the DAO’s token sale should have been registered, the report contends.

“The registration provisions of the Securities Act contemplate that the offer or sale of securities to the public must be accompanied by the ‘full and fair disclosure’ afforded by registration with the Commission and delivery of a statutory prospectus containing information necessary to enable prospective purchasers to make an informed investment decision,” the SEC wrote.

It wouldn’t have been fun to go through that, but it might have unearthed some of the DAO’s weaknesses.

The SEC isn’t going after anyone involved in the DAO, but the commission is still very disappointed in everyone’s behavior. The report was a warning to other entrepreneurs who might be considering distributing their ledgers above the law.

“Whether or not a particular transaction involves the offer and sale of a security—regardless of the terminology used—will depend on the facts and circumstances, including the economic realities of the transaction,” the SEC wrote.

Translation: using completely new technology to create an investment doesn’t exempt it from the SEC’s old laws.
