Tuesday, November 29, 2022

A worthwhile Canadian stablecoin initiative

One interesting thing about stablecoins, the world's newest payments technology, is that they are almost all U.S.-dollar based. More than 99% of the $145 billion worth of stablecoins in circulation are denominated in dollars, the remaining 1% being mostly euro-denominated. 

Even though no significant Canadian dollar stablecoin has emerged to date, the Canadian government is beginning to think about these financial products. A financial sector legislative review of digital currencies -- including stablecoins -- was announced in the government's recent budget. I suspect that a big part of the review will involve trying to answer the question of how to regulate these new instruments.

A few quick thoughts on how we Canadians should regulate stablecoins.

1) There's nothing fundamentally new about stablecoins. All digital Canadian dollar balances are recorded on databases. In the case of a Bank of Montreal account or a PayPal Canadian dollars wallet, balances are instantiated on an internal SQL or Excel database (or whatever database traditional institutions use). Stablecoin issuers opt for a different sort of database to record dollar balances: blockchains like Ethereum, Solana, and Tron. These blockchain-based databases are often described as decentralized, although it is disputable how decentralized they actually are.

But abstracting from the choice of database, stablecoins are just another instance of regular old finance.

Canadian financial regulations should, in principle, be database agnostic. And so in my opinion, all existing financial regulations that are currently applied to issuers of Canadian dollar balances should be passed on to Canadian dollar stablecoins, perhaps with a bit of pruning.

2) In the spirit of the database agnosticism that I set out in 1), OSFI-regulated banks and credit unions should be able to issue blockchain-based Canadian dollar balances (i.e. stablecoins) under all the same rules that they issue SQL-based Canadian dollar balances (i.e. deposits). Those stablecoins would be insured, too, up to $100,000.

Here's where the "pruning" comes in. Some thought will have to go into how to apply deposit insurance to failed stablecoin issuers. For instance, if $10,000 in failed Canadian dollar stablecoin units is locked up in a Uniswap contract, how will deposit insurance be applied? What happens if no one ever withdraws the coins to claim the insurance? How do the smart contracts of a failed stablecoin get turned off? What happens if the decentralized database itself fails?

Because smart contracts can be programmed, I think it's possible to solve most deposit insurance problems. Regulators like OSFI or CDIC might even go so far as to specify the exact code that issuers must include in their smart contracts in order to qualify for insurance.  

3) In addition to 2), non-banks should be allowed to issue uninsured stablecoins, perhaps under the emerging payment services provider license that the Bank of Canada will be administering.

There are some caveats. Non-bank stablecoin issuers should only be allowed to invest customer funds in safe short-term assets. They would also have to keep customer funds ring-fenced in bankruptcy-remote structures, like trusts, so that if the issuer fails, customers will be guaranteed to get their money back rather than being treated like regular unsecured creditors.

4) Lastly, regulators will have to think about stablecoin anti-money laundering and countering the financing of terrorism issues.

Right now, popular stablecoin issuers like Tether and Circle only identify people who are redeeming stablecoins for "fiat" money or withdrawing stablecoins by depositing fiat. But the great majority of stablecoin transactions currently occur bilaterally between those who never go through a know-your-customer (KYC) process, much like physical cash.

This "no-identity" model is a big part of what has made these stablecoins so popular. Users can rapidly deploy stablecoins across multiple decentralized financial protocols without having to go through the frictions of an onboarding process. Exchanges and other financial intermediaries can use stablecoins as a way to replicate U.S. dollar balances for their customers without having to establish formal banking relations.

But this cash-like treatment also makes stablecoins riskier. For instance, I recently wrote about a ponzi scheme called Meta Force, which is using Dai stablecoins on the Polygon network for pay-ins and pay-outs. Thanks to the way that the stablecoin smart contracts have been deployed, and the lack of KYC, there is nothing to prevent the scammer who manages Meta Force from openly making use of these safe instruments to con his unwitting customers.

Canadian regulators will have to weigh the usefulness of a no-identity cash-like model against the risks of pseudonymity. 

There is one last risk to consider. Say that regulators choose to tolerate a cash-like model for Canadian dollar balances instantiated on "decentralized" databases like Ethereum and Tron while continuing to require full KYC on Canadian dollar balances instantiated on regular databases. The consequence could be that regulated financial institutions migrate over to the former in order to avoid the more onerous requirements of the latter.

Thursday, November 3, 2022

Reversibility on Ethereum

[CoinDesk published my article on reversible Ethereum transactions last month. I'm reposting it here for anyone who didn't have a chance to read it.]

Reversibility on Ethereum: The Benefits and Pitfalls

Imagine that one day you absentmindedly fall victim to a crypto phishing scam, the perpetrator stealing 10 ether (ETH) from you. Crypto transactions are final so there's not much that you can do, right?

Well, not so fast.

To ensure that stolen crypto gets returned to its rightful owner, a group of Stanford researchers recently raised the idea of introducing reversible transactions to Ethereum. If such a standard were to be adopted, your stolen 10 ETH could, in theory at least, boomerang back into your wallet, the frustrated thief being left out of pocket.

Reversibility would probably be a popular feature, especially among the risk-averse who have until now refused to adopt Ethereum. But there are costs to consider, too. With any payments system, tweaking one element to solve a particular problem means introducing a new set of problems somewhere else along the network. There's no such thing as a free fix. Let’s dig into what these costs are.

Crypto theft is everywhere, from large-scale exploits to small retail phishing scams. To make the crypto economy safer, Kaili Wang and colleagues have floated the idea of introducing an Ethereum token standard that allows transactions to be temporarily reversible. During that time period, say four days, a victim of a theft could appeal to a decentralized adjudicator to have their stolen crypto returned.

Satoshi Nakamoto, the creator of the Bitcoin blockchain, would be shocked. After all, Nakamoto's white paper can be read as a diatribe against reversible transactions. Financial institutions "cannot avoid mediating disputes," wrote Nakamoto, and as a result merchants must be "wary of their customers, hassling them for more information than they would otherwise need."

But the Stanford researchers don’t intend for Ethereum to be 100% reversible. People who don't like the idea of reversible tokens could continue to limit their interactions to non-reversible tokens. As for those who are intimidated by the high degree of expertise required to safely use Ethereum, reversible tokens could be the extra guardrail that draws them in.

Now the costs.

Welcome, reversal fraud

Payments systems involve many complex trade-offs. Solving one problem means adding another problem. A good way to think about this is in terms of the following too-small-blanket dilemma.

Say that you want to go to sleep but your blanket doesn't cover your toes. You pull it down, but now your neck is uncovered. You rotate the blanket to cover both your toes and neck, but now your shoulders are exposed. There is no perfect fix. You need to pick and choose what part of your body to cover and what part to leave exposed.

The same goes for payments. While reversibility may help reduce theft, the too-small-blanket dilemma dictates that it could open the network up to new problems, in particular forms of reversal fraud.

Credit card systems provide a good idea of what to expect.

Credit card owners can dispute card payments and have them “charged back,” or reversed. While this feature protects honest users from card theft, fraudsters take advantage of this feature by making purchases and then disputing the charge, falsely claiming they have not received the item or service. Merchants lose billions of dollars every year to credit card chargeback fraud.

Or take the example of PayPal. For risk-averse shoppers, the ability to dispute and reverse PayPal transactions is a helpful feature. But it has given rise to all sorts of PayPal fraud. In a PayPal overpayment scam, for instance, a scammer takes advantage of PayPal's dispute system to overpay a seller for something, then asks the seller for a refund of the excess. After the overpayment is returned, the scammer asks PayPal to reverse the original transaction. The seller effectively loses the overpayment amount.

PayPal or Visa could do away with overpayment scams and chargeback fraud by making all transactions non-reversible. But then their systems would become less friendly for risk-averse buyers, and adoption would suffer. It's the too-small-blanket problem.

So the price to pay for reversible Ethereum transactions is an inevitable wave of reversal fraud. The decentralized judicial system the Stanford researchers envisaged would quickly be flooded with scammers trying to take advantage of that very reversibility. Weeding out these scams would increase the judges’ overall adjudicating costs.

Providing a degree of protection from theft may very well be worth the hassles of reversal fraud. But the point to remember is this: There is a price to pay for introducing new features. Nothing is free.

Not so fungible

Introducing reversibility to Ethereum would also have implications for fungibility. When something is fungible, assets are perfectly interchangeable. Fungibility is an attractive feature of a payment system. If all dollars are interchangeable, then it makes the dollar payments system easier to use.

Reversibility would split the Ethereum network in half. Rather than swapping reversible tokens with each other, sophisticated traders would mostly stick to non-reversible tokens. The prospect of having one's $10 million trade unwound because of an appeal by a previous owner for a reverse is just too risky.

But not-so-sophisticated users would probably choose the peace-of-mind of reversible tokens.

Splitting the network in half wouldn't be a big deal if the two token types traded on a 1:1 basis. Alas, they probably wouldn't.

Imagine that Jack owes 100 stablecoins to Jill. There are two ways that Jack can pay Jill, with reversible stablecoins or non-reversible ones. Jill will prefer the non-reversible ones. Reversible ones introduce the risk that a transaction will be unwound, leaving her out of pocket. And so she’ll tell Jack that he can either pay her 100 worth of non-reversible stablecoin or 105 in reversible ones. That’s non-fungibility.

As the four-day reversibility window comes to a close and the danger of a reverse ends, reversible stablecoins would move back to par with regular non-reversible stablecoins. But until then there would be two different prices for the same instrument.

It's another instance of the too-small-blanket dilemma. By adding a new layer of protection, an extra layer of confusion has been introduced.
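The dispute-window mechanics discussed in this article, as an added Python model (not code from the Stanford proposal or from this post): a toy ledger in which every transfer stays reversible for four days, and an upheld appeal claws the tokens back from whoever holds them at that moment. The class and method names, the lot-tagging scheme and the Jack/thief/Jill amounts are constructed for illustration.

```python
from dataclasses import dataclass

DAY = 24 * 3600
WINDOW = 4 * DAY  # the article's illustrative four-day dispute window


@dataclass
class Lot:
    """A parcel of tokens plus the still-disputable transfers it passed through."""
    amount: int
    tags: tuple = ()  # ((transfer_id, deadline), ...) oldest first; empty = final


class ReversibleLedger:
    """Toy model (an assumption, not a real token standard)."""

    def __init__(self):
        self.lots = {}     # holder -> list of Lot
        self.senders = {}  # transfer_id -> (sender, deadline)
        self.next_id = 1

    def mint(self, holder, amount):
        self.lots.setdefault(holder, []).append(Lot(amount))

    def balance(self, holder, now, settled_only=False):
        total = 0
        for lot in self.lots.get(holder, []):
            open_tags = [t for t in lot.tags if t[1] > now]
            if not (settled_only and open_tags):
                total += lot.amount
        return total

    def transfer(self, sender, recipient, amount, now):
        if sender == recipient or amount <= 0:
            raise ValueError("invalid transfer")
        if self.balance(sender, now) < amount:
            raise ValueError("insufficient balance")
        tid, self.next_id = self.next_id, self.next_id + 1
        deadline = now + WINDOW
        self.senders[tid] = (sender, deadline)
        remaining, kept = amount, []
        for lot in self.lots[sender]:
            take = min(lot.amount, remaining)
            if take:
                # Moved tokens inherit any still-open disputes plus this new one.
                live = tuple(t for t in lot.tags if t[1] > now)
                self.lots.setdefault(recipient, []).append(
                    Lot(take, live + ((tid, deadline),)))
                remaining -= take
            if lot.amount > take:
                kept.append(Lot(lot.amount - take, lot.tags))
        self.lots[sender] = kept
        return tid

    def reverse(self, tid, now):
        """Apply an adjudicator-approved reversal; return {holder: amount clawed back}."""
        sender, deadline = self.senders[tid]
        if now >= deadline:
            raise ValueError("dispute window closed; transfer is final")
        clawed, refunds = {}, []
        for holder in list(self.lots):
            kept = []
            for lot in self.lots[holder]:
                ids = [t[0] for t in lot.tags]
                if tid in ids:
                    # Return the lot to the sender with only the disputes it
                    # carried before the reversed transfer.
                    refunds.append(Lot(lot.amount, lot.tags[:ids.index(tid)]))
                    clawed[holder] = clawed.get(holder, 0) + lot.amount
                else:
                    kept.append(lot)
            self.lots[holder] = kept
        self.lots.setdefault(sender, []).extend(refunds)
        del self.senders[tid]
        return clawed


def demo():
    # Constructed scenario; times are seconds since t=0.
    ledger = ReversibleLedger()
    ledger.mint("jack", 100)
    theft = ledger.transfer("jack", "thief", 10, now=0)   # phished transfer
    ledger.transfer("thief", "jill", 4, now=1 * DAY)      # thief pays Jill
    jill_settled = ledger.balance("jill", 2 * DAY, settled_only=True)
    clawed = ledger.reverse(theft, now=2 * DAY)           # Jack's appeal is upheld
    return (jill_settled, clawed,
            ledger.balance("jack", 2 * DAY), ledger.balance("jill", 2 * DAY))


if __name__ == "__main__":
    print(demo())
```

Jill accepted the tokens in good faith yet ends up with nothing, which is the risk she prices in when she asks for 105 reversible coins instead of 100 non-reversible ones.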

The Ethereum network would still be usable. Much of the extra burden of non-fungibility would probably be borne by specialist risk appraisers, or brokers, who profit by buying consumers' reversible tokens at a discount (in exchange for non-reversible tokens), and holding them to maturity. As Satoshi suggested, these intermediaries may have to “hassle customers” for extra information in order to protect against reversals.

Even after considering the twin costs of non-fungibility and new types of Ethereum-based fraud, reversible transactions may still be worth it. While non-reversibility may be great for traders, corporations and the tech elite, the enduring popularity of PayPal and credit cards demonstrates that what regular folks want is safety. An opt-in reversible standard would create a warmer and fuzzier Ethereum, one that is more inclusive and attracts a wider range of users.

My gut feeling is, go for it.

Monday, October 31, 2022

The PayPal misinformation wars

If you ever glance through the acceptable use policies or terms of service of a consumer-facing payments company like PayPal or GoFundMe, you'll see that they have incredibly long and stifling lists of prohibited activities. Why would these companies willingly turn away legitimate business?

There are a bunch of reasons, but here are three important ones:

1) Some customers are a nuisance. Their businesses may suffer from high rates of payments fraud and/or frequent chargebacks, which means that it may be too expensive for a payments company to connect them.
2) The products that some businesses sell are semi-legal (i.e. marijuana) or potentially illegal (libelous publications), and so it's too risky to connect them.
3) Some businesses engage in activity that is legal but potentially controversial (like white supremacist lit or sex toys). The payments company that connects them could look bad, which means potentially losing customers, shareholders, or employees.

This is a pretty sensible set of reasons for prohibiting certain activities from your payments platform. However, if you're a business that has been barred by a processor, you'll certainly be upset, and understandably so. Payments are vital to any enterprise. Having as many competitors as possible to choose from is important. To boot, being suddenly cut off is a pain; you'll need to scramble for an alternative.

When a payments firm enacts a new prohibition on a certain type of business, this in turn feeds into the political arena. In return for votes and funding, political actors offer support to particular companies and business lobbies. When their constituents are suddenly prevented from accessing a certain payments platform, these political agents loudly broadcast their displeasure. And so the acceptable use policies of companies like PayPal have become incredibly politicized documents. Progressives bellow when sex workers are cut off from PayPal. Republicans howl when firearms are disallowed.

Case in point was the massive pushback against PayPal, which earlier this month updated its acceptable use policy to prohibit "misinformation." I've screenshotted the update below, with the changes being entirely confined to section 5. PayPal already fines customers $2,500 for engaging in prohibited activities such as selling cigarettes, hate literature, and items that are considered obscene. With this new update, PayPal would now be prohibiting anyone from using its platform to engage in fake news and would extend its existing $2,500 fine to infringers. [An archived copy of the policy update is available here.]

PayPal's updated acceptable use policy, since rescinded. The changes are all in section 5.

PayPal executives probably had good business reasons for wanting to prohibit misinformation from their platform. Last month conspiracy theorist Alex Jones was ordered by a judge to pay almost a billion dollars to his victims for fabricating fake news about them. With numbers as big as that being bandied around, lawyers at payments companies have to be wary that they too could be pursued by the victims of misinformation for facilitating the disinformation attacks of their customers.

Not only that, but associating with a bad actor like Alex Jones could hurt the reputations of consumer-facing payments companies, leading to customers bolting.

Long story short, the legal, financial, and reputational risks of having fake news artists as customers are just too high for a mainstream firm like PayPal, and thus the prohibition on misinformation was introduced into its acceptable use policy page.

But acceptable use policies have become politicized, and so PayPal's move led to all sorts of outrage. Republicans were furious. Senators Bill Hagerty, Cynthia Lummis, Pat Toomey, and others expressed their "deep concern" in a letter to PayPal, subsequently broadcast across social media. A big chunk of the internet's many misinformation artists are their misinformation artists, after all, and need to be protected.

Meanwhile, commentators like Glenn Greenwald were upset by what they see as a PayPal attempt at "punishing dissidents in the West through exclusion from the financial system." Which I don't think is the right way to process the event. PayPal is a business. It doesn't refuse to serve a certain set of customers because of an ideology requiring it to punish "dissent from neoliberal orthodoxies." PayPal chooses to stop serving clients because it believes that continuing to serve them would reduce its income, adjusted for risk. While some "dissenters" are too risky for PayPal to serve, many dissenters aren't and probably make for fine customers.

Greenwald's reliance on the word "banishment" also betrays a misunderstanding of how payments work. PayPal is a low-risk payments processor, not a high-risk one. There are other payments companies that do specialize in serving a riskier clientele. These firms will compete to reconnect the fake news sites that PayPal has decided to offboard. In short, there is no such thing as payments banishment.

In response to the pushback, PayPal said that it would not be adding the misinformation clause to its acceptable use policy after all. (It actually said that the update was an error, but that sounds unlikely.)

And again, you can see why it made a business decision to change its tune. The move had made some of its existing rule-abiding customers unhappy, and they threatened to close their accounts. PayPal wants to drop bad customers, but not at the expense of losing the good ones.

This is interesting because it shows how a business decision gets ingested by the political machine, the resulting output being fed back into PayPal's business decision making process, leading to a 180 degree turn.

Nor did things end there. With acceptable use policies having become a key political battleground, and with politics loving controversy, the fake news mill – the very targets of PayPal's misinformation clause – kicked into high gear. Across the internet, articles began to pop up alleging that PayPal's rescinded misinformation clause and associated $2500 penalty had been stealthily "added back into the terms of service with equally ambiguous language," as one article put it.

One of many articles wrongly claiming that PayPal sneakily re-updated its policy

A quick check of PayPal's acceptable use policy in the WayBack Machine shows that these claims aren't factual. Agree or not with the $2500 fine, it wasn't added back after "criticism on social media died down." The fine has been there since it was tacked on by PayPal back in September 2021.

The article also alleges that the misinformation clause has reappeared in the form of a prohibition on intolerance. But the intolerance clause has been there since 2018. Never mind that it's an error to equate a prohibition on intolerance with a prohibition on misinformation. They're just not the same thing.

The fake facts continued to pile up. PayPal has a long-existing rule against lying about account details like your name and age. A second article erroneously tries to claim that this longstanding rule is a new one, more specifically that it is the "misinformation" clause sneakily reintroduced back into PayPal's list of acceptable uses. It's a silly argument that I rebutted more fully on Twitter.

So no, the controversial rescinded misinformation clause has not been quietly added back to PayPal's acceptable use policy. But the facts don't necessarily matter. This wave of fake news successfully fed back into the political arena, with folks like Republican representative Tom Emmer seizing on them to air his worries that PayPal is being "weaponized to control speech." There are existing users of PayPal, the ones that PayPal would like to keep, who will listen to Emmer and close their accounts.

The whole series of events illustrates how complicated it is for a company to modify its terms of service.

Firms want to boost their profits, which means establishing policies to reach a certain type of desirable client while excluding other types of clients that don't fall within their targeted market. But firms also need to try and calculate how their proposed changes will be digested in the political arena, and how the resulting outrage feeds back into the decisions of their desirable clients, who might choose to leave.

And firms must also consider the third degree of complexity: how the political controversy over their policy changes gets respun by fake news sites, the resulting sausage being imported back to the political arena for additional consumption, more outrage, and (potentially) more client departures. It's a difficult nut to crack. I wouldn't want to be PayPal, or its lawyers, the next time it comes time to update its acceptable use policy.

Thursday, October 13, 2022

Stablecoins, meet 3% interest rates

The global rise in interest rates is finally beginning to percolate into the stablecoin sector. One of the effects of this rise is that centralized stablecoins like USD Coin and Gemini Dollar, which by default pay 0% to holders, are introducing backdoor routes for paying interest to large customers. (See my tweets here and here).

In the case of USD Coin, Coinbase refers to interest as a "reward." Gemini calls it a "marketing incentive." But let's face it: they're really just interest payments.

The links I provide are the only public evidence of stablecoins doling out interest, but you can be sure that behind closed doors, large issuers like Circle/Coinbase, Gemini, and others are offering their largest customers -- in particular exchanges like Binance and Kraken -- the same deals.

Stablecoin issuers are offering interest to select customers because of the inexorable pressure of competition. After hovering near 0% for much of the last decade (see chart above), interest rates have ramped up to 3% in just a few months. Issuers hold assets to back the stablecoins that they've put into circulation, and now these previously barren assets are yielding 3%. That means a literal payday for these issuers. In the first quarter of 2022, for instance, Circle (the issuer of USD Coin) collected $19 million in interest income after making just $7 million the quarter before. In the second quarter of 2022, interest income jumped to $81 million. I suspect the third quarter tally will come in well above $150 million.

However, if they don't share at least some of this juicy reward, issuers risk having their customers flee to alternatives that do offer interest, like Treasury bills or corporate deposit accounts. And then the amount of stablecoins in circulation will shrink, eating into issuers' revenues.

And thus, we get to a world where Gemini is promising incentives and Coinbase rewards.

Alas, while large stablecoin holders may be benefiting from this trend, small holders of stablecoins are being ignored. They don't get to share in these sweet flows of interest income. Even folks with old-school U.S. savings accounts are being paid 0.17%!

Small stablecoin holders need to unite. By working together through a StablecoinDAO, their bargaining power vis-a-vis the big stablecoin issuers improves. They may be able to negotiate the same interest payments from Circle and other issuers that large stablecoin customers are getting.

For a good example of strength in numbers, take a look at the phenomenon of high-interest savings ETFs in Canada. Corporate customers of Canadian banks get far better interest rates on chequing deposits than retail customers do. A high-interest savings ETF manager bridges this divide. They collect money from retail customers, invest the proceeds in banks at the corporate rate, and then share the superior return with thousands of retail ETF unit holders.

A StablecoinDAO would work along the same lines as a high-interest savings ETF. People would deposit their stablecoins -- USD Coin, Gemini Dollar, Binance USD, USDP, Tether, Dai -- into a smart contract. In return they'd get a new stablecoin called, say, UniteUSD, which would be redeemable on demand into any of the DAO's underlying stablecoins. UniteUSD itself would be useful. It could be used for purchases, deposited into smart contracts, or traded on decentralized exchanges and whatnot.

StablecoinDAO would have the authority to swap one underlying stablecoin out with a new one. That potential threat would give the DAO the necessary leverage to negotiate interest payments. "Hey Circle, if you don't pay us 1% then we're going to shift the DAO's holdings over to Binance USD, your competitor." As a nuclear option, the DAO could threaten to buy short-term government debt.

The interest that the DAO receives would be funneled back to UniteUSD holders. 

In sum, that's how interest rates finally filter through to small stablecoin owners.

A few random afterthoughts about stablecoins and interest payments, in no particular order:

* A version of StablecoinDAO may already exist... in the form of MakerDAO, a decentralized-ish bank that issues Dai stablecoins. Think of MakerDAO as an organizing device for small stablecoin customers to extract interest from stablecoin issuers. These small holders deposit their stablecoins (USD Coin, USDP, etc) into MakerDAO smart contracts and receive Dai stablecoins in return, which are convertible to any of these underlying stablecoins on a 1:1 basis. MakerDAO negotiates with issuers for interest payments, sluicing this interest back to Dai owners.

* Some tricky regulatory issues arise when retail customers are promised a return. If StablecoinDAO were to pay interest on UniteUSD, then UniteUSD might be deemed to be a security, and thus StablecoinDAO would have to register with a securities agency. This could doom StablecoinDAO, or at least make things very difficult for it. (Remember when PayPal used to pay interest to customers? It did so through an SEC-registered money market mutual fund.)

* StablecoinDAO would become a stablecoin black hole: all other stablecoins would quickly get sucked up into it. Why? In a world where USD Coin and USDP can only pay 0% to small stablecoin holders, but depositing said coins into StablecoinDAO means earning 2%, then every small holder will deposit their funds into StablecoinDAO. The DAO would inhale the big stablecoins -- USD Coin, Binance USD, Tether, etc -- right out of circulation, leaving UniteUSD as the dominant stablecoin.

* As competition forces large issuers to share the interest they earn, this will have implications for the finances of those very issuers. Circle, the issuer of USD Coin, envisions being profitable in 2023, as the table below illustrates:

Source: Circle Q2 2022 financials [link]

A big part of Circle's estimates is based on higher flows of interest from the assets that it holds to back USD Coin. What this table isn't accounting for is the concurrent pressure to share interest income with USD Coin holders, both large and small ones, which threatens Circle's 2023 projections.

Sunday, October 9, 2022

How to stop illegal activity on Tornado Cash (without using sanctions)

List of sanctioned Tornado Cash addresses, via OFAC

[This is a republication of my latest piece from CoinDesk.]

How to Stop Illegal Activity on Tornado Cash (Without Using Sanctions)
Rather than sanctioning code, U.S. authorities should have targeted the human intermediaries.  

Did the U.S. government have better tools at its disposal to counter the crimes on Tornado Cash than the one it eventually used? Could it have avoided the blunt instrument of sanctions, which are normally aimed at individuals rather than code?

In August, decentralized obfuscation tool Tornado Cash (a currency “mixer”) was designated by U.S. authorities as a sanctioned entity. In the years prior Tornado had become the default platform for blockchain users – both licit and illicit – for privacy in transactions.

Users deposit their ether (ETH) into any of Tornado’s 0.1, 1, 10 or 100 ETH pools, then wait for a period of time to withdraw it. Thanks to this collaborative placing of ether into the same pot, which disguises its origins, and Tornado's innovative use of zero-knowledge proofs, the trail is broken.

The crypto community was furious with the U.S. government. The need for privacy is especially pressing on blockchains because all transactions are viewable by the public. Without Tornado to mix funds, achieving blockchain privacy becomes much more complicated.

Sanctions or not, it's hard to deny that the authorities had to do something about Tornado-based money laundering. Tremendous amounts of dirty money were being cleaned by the mixer, including big batches of funds stolen during the $182 million Beanstalk hack, the $196 million BitMart exploit and the $34 million compromise of Crypto.com, just to name a few.

To make matters worse, in April 2022 North Korean state-sponsored hacker group Lazarus began to use Tornado to launder the proceeds of its massive $625 million hack of the Ronin Bridge. Lazarus was sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC) in 2019.

OFAC is the U.S. federal government agency responsible for enforcing economic sanctions programs against countries and groups of individuals. Its targets include terrorists, narcotics traffickers and money launderers, among others.

Although the U.S. government’s response to Tornado Cash could have taken many forms, the one it ultimately chose was to sanction Tornado Cash itself. On Aug. 8, Tornado was listed by OFAC as a Specially Designated National, or SDN, along with all of the smart contracts that drive the tool’s functionality. It is illegal for U.S. citizens to interact with SDNs, so in that very instant Tornado Cash’s Ethereum-based smart contracts became off-limits for Americans.

The pushback to the U.S. government’s decision arrived immediately. According to the Electronic Frontier Foundation (EFF), a nonprofit that promotes internet civil liberties, Tornado Cash smart contracts are code. By sanctioning code the authorities are treading on constitutionally protected freedom of speech.

Coin Center, a Washington, D.C., nonprofit that advocates for decentralized computing technologies, argued that OFAC had overstepped its authority. According to its rules, OFAC can only target entities that are individuals or companies. But Tornado Cash smart contracts are neither; they cannot alter their behavior, nor lodge an appeal with OFAC to have the sanctions revoked, a key element in any sanctioning process.

If OFAC can designate Tornado Cash to be an SDN, the implication is that it can add other defenseless open-source software tools, too – hardly a great precedent.

Don’t penalize code, penalize users of code.

The criticisms aired by EFF and Coin Center are serious ones. Let's imagine the U.S. government had a chance to do things over. Rather than sanctioning Tornado Cash smart contracts, did the government have alternative tools available for countering Tornado-based money laundering, tools that avoided triggering these criticisms?

Yes. Rather than punishing code, penalize the people who use the code. There are three types of Tornado Cash users who could be targeted by the authorities: relayers, liquidity providers and the Ethereum-rich.

Let’s start with relayers, the people who add a key layer of privacy to Tornado Cash by processing withdrawals.

Relayers solve the following problem. If someone wants to remove mixed funds from Tornado to a new wallet address, he or she needs to pay a gas fee for the withdrawal, and so the new wallet must have some funds on it. But prefunding may compromise anonymity because this transaction can be traced.

Tornado Cash creators solved the prefunding problem by introducing third-party relayers who pay the necessary gas fees, sending on the user's withdrawal to the new address. These relayers collect a service charge for their efforts.

Highlighting the importance of relayers, over 75% of all Tornado Cash withdrawals are made with their intermediation.

In addition to going after relayers, the authorities could target liquidity providers.

Liquidity providers are people who use Tornado Cash to earn a profit. They deposit ether into various Tornado pools in order to receive anonymity points, which in turn can be sold for TORN, Tornado's native token.

After this points-based incentive scheme was introduced in late 2020, the quantity of ether deposited into Tornado's mixing pools began to grow exponentially. These deposits, often referred to as the tool's anonymity set, improved Tornado’s ability to anonymize funds. The deeper the anonymity set, the easier it is for users to hide.

Law enforcement could investigate relayers and liquidity providers and charge them with money laundering, a criminal offense. The case can be made that by indiscriminately forwarding mixed ether, relayers conduct transactions involving criminally derived funds. As for liquidity providers, they profit financially by widening Tornado’s anonymity set, which abets criminals in their efforts to hide their financial trails.

Because blockchains are transparent, it’s likely that relayers and liquidity providers would have been aware that criminals and SDNs were using Tornado Cash. Thus they knowingly offered their services.

Along with a money laundering offense, federal prosecutors could potentially indict relayers and liquidity providers for using Tornado Cash to provide money transmission services to those without such a license.

Alternatively, relayers and liquidity providers could be sanctioned, fined or charged by OFAC.

Relayers and liquidity providers are individuals, not code. And so arresting or sanctioning them wouldn't trigger the code-is-speech criticism raised by EFF. And since these users have agency, they can defend themselves against their accusations, addressing Coin Center’s concerns.

At the same time, by targeting relayers and liquidity providers the U.S. government would achieve its goal of reducing Tornado-based money laundering. A successful prohibition of relayers would have made it easier to link depositors with withdrawn funds, thereby making Tornado Cash less able to hide criminally-derived funds.

Targeting liquidity providers would reduce Tornado Cash’s anonymity set, the effect being to reduce criminals’ capacity to launder funds through it.

If pursuing liquidity providers and relayers doesn’t crimp Tornado-based money laundering, the authorities could have gone after the Ethereum-rich: large licit owners of ether who regularly interact with Tornado Cash’s 100 ETH pool to get privacy.

The authorities have a number of tools to target the Ethereum-rich, but one of the best tools would be OFAC’s civil monetary sanctions.

U.S. citizens who regularly make large deposits to Tornado Cash’s 100 ETH pool could be named by OFAC and fined a suitably large amount of money. OFAC could argue that by putting their ether into the 100 ETH pool at the same time as Lazarus Group, the Ethereum-rich enabled the laundering of Lazarus’ funds and thus ran afoul of OFAC’s 2019 sanctions on the group.

OFAC civil monetary sanctions have been used before on crypto users. BitPay, a bitcoin payment service provider, had to pay a $500,000 fine for allowing individuals in sanctioned locations like North Korea, Sudan, Iran and Syria to transact.

Since civil fines are levied on Tornado users, and not the code, the concerns raised by EFF and Coin Center are addressed. And fined individuals would be free to appeal their punishment.

By signaling to the public that depositing funds into Tornado Cash is prohibited, the fines would encourage the Ethereum-rich to avoid Tornado. Tornado's anonymity set would get smaller, making the tool less capable of cleaning large transactions from SDNs and thieves.

A recipe for dealing with future smart contract crime

Like them or not, OFAC's sanctions appear to have worked, up to a point.

In an effort to avoid penalties, the public has mostly stopped using Tornado smart contracts. The amount of ether in Tornado Cash pools has plunged by 61% from 225,000 to just 89,000. As a result, Tornado-facilitated money laundering has taken a hit. The mixer wasn’t even used to launder the proceeds of the $160 million Wintermute exploit, the biggest hack since the Aug. 8 sanctions.

This same result could have been achieved by targeting the users of the code, like relayers, rather than the code itself. It would have taken the authorities more time and effort. But many of the thorny criticisms that a direct outlawing of code is now attracting would have been sidestepped.

It's too late now for Tornado Cash. But the next time a set of smart contracts gets mobbed by bad actors, the U.S. government needn’t put a blanket ban on code. It has a more nuanced, user-centric approach at its disposal.

Friday, September 2, 2022

Some thoughts about the resilience of decentralized stablecoins

If a decentralized blockchain protocol is worried about being shut down by the authorities, how can it defend itself? A recent discussion surrounding MakerDAO explores this question. MakerDAO (or just Maker) issues the Dai stablecoin, of which there are around $7 billion in circulation.

Rune Christensen, the founder of Maker, sees a precedent for a clampdown on Maker in the US Treasury's recent sanctions on Tornado Cash, a mixer. He worries that the authorities may try to shut down Maker by seizing its assets, specifically its real-world assets, or "RWA." To counter this threat, Christensen suggests that Maker turtle into what he calls phoenix stance:

Source: MakerDAO forum

While in phoenix stance, Maker would no longer rely on RWA. By RWA, he is referring to centralized stablecoins such as USD Coin and loans to banks and other financial institutions that have a physical address and a regulator. These are the sorts of assets that can be used by authorities as a lever to hurt the Maker protocol. With nothing for authorities to confiscate, presumably Maker would be resilient to attempts by authorities to shut it down.

I disagree. Christensen exaggerates the degree to which Maker's resilience relies on seizability. Seizing a protocol's assets is just one of many levers that authorities have to stop a protocol like Maker. In the case of Tornado Cash, for instance, sanctions were used, not seizure. Even though no ether in Tornado's smart contracts has been confiscated (indeed, it would be impossible to do so), the sanctions have effectively cut off much of Tornado Cash activity:

A ban or sanctioning of Maker would mean less licit usage of Dai, a removal of collateral from Maker, delistings of Dai at off-ramps like Coinbase, a drying-up of liquidity, and employees and investors abandoning it. Dai would shrink to irrelevance, all this achieved without the government seizing an ounce of the collateral behind Dai.

To sum up, a focus on seizure-resistance, so-called Phoenix stance, won't render Maker meaningfully more resilient.

That being said, I agree with Christensen that removing real-world assets will make Maker less susceptible to being attacked. But the way I get to this conclusion is different.

Removing real-world assets from Maker would make the Maker system less usable. First, without centralized stablecoin reserves, Dai's peg to the dollar wouldn't be as tight. A looser Dai price would make it more inconvenient to own Dai. It would also make it riskier to borrow Dai, since borrowers couldn't know ahead of time precisely how much they'll have to pay back. Secondly, the sorts of collateral acceptable for loans would be restricted to one asset, ether, which effectively cuts off huge parts of the market for Dai loans.

As Maker becomes more awkward, fewer people will use it, and it'll shrink... perhaps to the point that it begins to fly under everyone's radar. No regulator or authority is going to bother trying to shut down a rarely-used $50 million protocol. So it's the irrelevance that a no-RWA policy brings, and not the inability to seize assets, that leads to safety from attack.

Conversely, introducing real-world assets makes Maker more practical, attracts additional users, and brings Maker onto everyone's radar, which increases the odds of authorities shutting it down using any of the many levers they have at their disposal. (Conversely, the jump in relevance that RWAs entail also increases the odds of authorities finding regulatory space for Maker.)

To finish off, here's a way for Maker stakeholders to think about the system's susceptibility to being shut down, and how real-world assets enter into the equation:

Stakeholders should ask themselves how relevant Maker has become. Has Maker become so important (and its public perception so negative) that it is about to attract the baleful eyes of regulators? If so, one defensive option is to engage in a rational form of self-sabotage: make the tool less useful. This will shrink the pool of Maker users, and thus the tool's visibility to regulators, and therefore the likelihood of it being shut down. Real-world assets enter into the picture because their removal is one way to impinge on the system's usefulness.

Of course, if a protocol is going to start engaging in self-sabotage, then the people making this decision better be pretty sure that their original assumption that regulators are furious is correct.

Monday, August 15, 2022

How to stop Forsage, Meta Force and other smart contract pyramid schemes

Serial smart contract pyramid schemer Lado Okhotnikov

[This is a republication of my latest opinion piece from CoinDesk.]

Last week the U.S. Securities and Exchange Commission (SEC) charged 11 individuals with creating and marketing Forsage, the world’s largest and longest-running smart contract-based pyramid scheme.

Alas, Lado Okhotnikov, the ring leader of Forsage and rumored to be based in the Republic of Georgia, remains at large. And while the original Forsage smart contracts are nowhere near as popular as they once were, they continue to welcome new money, SEC be damned.

Worse, Okhotnikov's new smart contract pyramid, Meta Force, continues to grow. Over $42 million in DAI stablecoins have been deposited into Meta Force by unwitting investors since the alleged scam debuted a month ago.

Smart contract pyramid schemers like Okhotnikov prey on the weak and vulnerable. What can we do to better fight them?

A quick history of smart contract-based pyramids

A pyramid scheme is an illegal business model where returns to existing investors are generated from newly recruited investors' money or fees. They are ultimately unsustainable because the supply of new investors is finite.

Pyramid schemes have existed for centuries. But pyramid schemers quickly realized the benefits of blockchain technology. MMM Global, a pyramid that tore through Nigeria, India, China and other developing nations from 2014 to 2016, used bitcoin (BTC) for payments. A group of researchers who studied the pyramid found that, at its peak, MMM Global was processing $150 million per day.

The advantages of bitcoin are clear. While authorities can shut down a pyramid scheme by leaning on its payments processors or bank, the Bitcoin blockchain can't be turned off.

The rollout of Ethereum led to the next big innovation in pyramids: the smart contract pyramid scheme. In addition to relying on blockchains for payments, this type of alleged scam built its pyramid apparatus on the Ethereum blockchain using smart contracts.

There are advantages to using a smart contract to run a pyramid. The entire back office structure can be automated using code, which makes administration easier for the scammer. It also allows the pyramid to be marketed as an "honest" Ponzi; that is, because it is implemented by code rather than by hand, it can be said to always run correctly.

Furthermore, because that code is public, it can – in theory, at least – be audited by users.

Smart contract pyramids are safer for the scammer to run than traditional pyramids because they afford a degree of anonymity. And while the authorities can shut down a traditional pyramid by visiting the office out of which it operates, building it on Ethereum makes it much harder to stop.

Smart contract pyramids soon became endemic to Ethereum. A 2019 study by a group of Italian researchers cataloged 184 smart contract pyramids in play at the time.

Most of these were quite small. It was Lado Okhotnikov's Forsage that broke the mold. Forsage's first Ethereum smart contract, x3/x4, would process almost $240 million in payments in 2020. At one point it was Ethereum's second busiest contract, after tether.

Ethereum gas fees would soon rise, forcing alleged pyramid scammers like Okhotnikov to migrate to cheaper blockchains. Over the next few years Okhotnikov launched five other smart contract Ponzis on the Tron and Binance Smart Chain blockchains. Recently, scammers have begun to move back to Ethereum thanks to level 2, or subsidiary blockchain, systems that have lowered costs. In Okhotnikov's case, he has set up his newest pyramid, Meta Force, on the Polygon Network.

A forensic analysis of Forsage

Thanks to the transparency of blockchains, Sarah Meiklejohn and other researchers carried out a precise analysis of Forsage’s payouts and losses, focusing on the $240 million Ethereum x3/x4 contract.

While the founders boasted that the system was transparent and open source, it took the researchers weeks of effort to understand the code, which meant that almost no Forsage participants could have actually audited the smart contract. So much for transparency.

Meiklejohn et al. found that the system had been coded at the outset to benefit only a few people. For instance, participants had to buy slots that offered the right to get payments from new recruits. After recruiting three participants, a slot would be blocked and the recruiter had to pay fees to reopen it and receive payment. The organizers’ slots, however, were coded to be exempt from this rule.

The SEC found that Okhotnikov had coded one of his subsequent pyramids, Ethereum xGold, to divert a portion of investor funds to a wallet that was not associated with a Forsage ID. This contradicted Okhotnikov’s representation that all funds were paid out to investors. By 2022, that address had diverted over 1,000 ETH.

In the end, Meiklejohn et al. report that 1 million Forsage accounts lost money, a remarkable 88% failure rate. The top 1,000 users made 50% of all profits. Okhotnikov and his fellow cofounders capitalized by positioning themselves at the top of the pyramid. The SEC accuses them of owning the best five spots in the x3/x4 Forsage pyramid, the topmost of which earned 5409 ether (ETH), well over $1 million, according to Meiklejohn et al.

Okhotnikov and his colleagues aggressively marketed their scams on social media. Forsage's official YouTube channel, which is now dedicated to the new Meta Force pyramid, currently has over 47,000 subscribers. The most popular Forsage video, which is in Hindi, has been viewed 384,000 times. This is despite YouTube's terms of service having a blanket ban on marketing pyramid schemes.

In their paper, Meiklejohn and her colleagues traced the location of most of the victims of Forsage to developing nations, in particular Nigeria, Philippines and Venezuela. This reveals these alleged scams for what they are: a way for a few rich people to steal from the poor and vulnerable. They need to be stopped. But how?

What can be done?

Because smart contract pyramids are built on censorship-resistant blockchains, they can't be attacked at the root, nor can they be undermined indirectly by removing them from the payments system.

Writing on CoinDesk, Lex Sokolin has proposed that white hat hackers organize to find vulnerabilities in smart contract pyramids and bring them down. It's a nice idea, but so far white hat hackers haven't shown much interest in chasing after pyramids.

Perhaps the most effective way to hurt smart contract Ponzis is by attacking their reputation. The SEC's charges will certainly help on this front. Now when a potential victim searches for Okhotnikov or one of his "investment" products, they'll have the opinion of the world's largest securities regulator to rely on.

The good news is that the SEC's actions seem to have had an effect. The rate of deposits to Okhotnikov's newest (alleged) scam, Meta Force, which has already attracted $42 million in deposits, began to decline the day after charges were announced. On YouTube, a nervous Lado Okhotnikov described the SEC’s charges as slander and defamation.

But we needed the SEC to begin its attack long ago. Publishing a cease and desist early on, like securities regulators in Montana and the Philippines did, would have helped tarnish Okhotnikov's reputation before his alleged scams could hurt more people.

Regulators like the SEC should try to harness the transparency of blockchains to their advantage. It's possible to see these things popping up and monitor how big they get, so regulators can very quickly mobilize resources to combat them.

The SEC should also consider fighting like with like. Smart contract Ponzi scams spread through garish videos on YouTube. Alas, the SEC didn't post its charges to its YouTube channel. A catchy video about Forsage would go much further than a terse tweet.

Finally, influential blockchain personalities like Ethereum co-founder Vitalik Buterin and Binance CEO Changpeng Zhao should step up and speak out against smart contract Ponzis when they crop up. They may not wish to do so, because admitting the problem may attract negative attention to the technology. But addressing these scams as early as possible will not only reduce damage to innocent people, it will also limit damage to the long-term reputation of blockchains.

Monday, August 1, 2022

The puzzle of electrum coins

From the Israel Museum in Jerusalem’s 2013 exhibition White Gold

[Originally published at Bullionstar.]

For several years Brits have been hearing rumours that their 1p and 2p coins were on the cusp of being discontinued. Not so. Last month the UK Treasury announced its commitment to both coins. The 1 and 2p coins will continue to be produced for ‘years to come.’

Few bits of monetary technology have enjoyed as long an existence as the coin. The earliest coins were produced around 640 BC, some 2600 years ago, by the Lydians, who had built an empire in the western half of what is now Turkey.

To most of us, the usefulness of coins is self-evident. Sure, small coins like the 1p are a bit of a nuisance. They tend to accumulate in our pockets or piggy banks, never used. But compared to barter, or exchanging bits of unrefined metal, coins are a much better alternative.

One would assume that’s why the Lydians created coins in the first place: convenience. But the true story is much more puzzling than that. To this day we don’t entirely know why the Lydians began to turn precious metals into circular discs.

The traditional origin story for coins

The classic story for the adoption of coinage involves the efficiency gains that society enjoys when trade can be conducted by tale rather than by weight. Tale is a sum or a tally. All modern payments are done by tale. A payor counts up the right amount of coins (or notes), then passes the stack to the payee who – if they wish – can glance at the inscription on each coin’s face to ensure that it is legitimate. Circulation by tale is a convenient way of doing business.

But we take it for granted. Before coins appeared on the scene 2000 years ago, numismatists believe that people typically transacted with silver ingots and bars, otherwise known as hacksilber. These pieces could be cut up into smaller amounts in order to cover a range of different transaction sizes.

Because the bits of hacksilber were irregularly shaped, or non-fungible, they couldn’t be counted. Rather, they had to be weighed first, and only then could the transaction proceed. Weighing different bits of silver is a laborious process. A scale must be produced along with a set of weights that both the buyer and seller can trust.

Counting is much easier than weighing. If the stamp on the coin is reliable, buyers and sellers can trust the issuer to have already pre-weighed and standardized the metal for them. And so coinage would have dramatically reduced lineups and waiting time in busy markets all across the ancient world. What a fantastic invention.

Perfectly standardized

At first glance, Lydian coins have all the hallmarks of this classical origin story.

To begin with, they are quite beautiful. Each coin was typically stamped on the obverse side with a design in the form of an animal, human, or myth. On the reverse, or back-side of the coin, a square or rectangular design appears (see image at top). Did these designs constitute some sort of official guarantee of the coin’s weight and fineness? Or did they symbolize something else?

The coins generally lacked any sort of writing on them. Numismatists are thus unsure who actually issued the coins. Was it the city, the king, a merchant or some other rich individual?

One fact that all numismatists agree on is that the Lydians were assiduous to a fault about ensuring standardized weights for their coins. The biggest denomination, the stater, weighed 14.1 – 14.3 grams. Half staters contained half as much metal, followed by third staters (or trites), 1/6, 1/12, 1/24, 1/48, and 1/96th staters, the last of which contain just 0.15 grams of metal.

Smoothed distribution of Lydian coin weights around each denomination. Source: On the Origin of Specie, (2012)

Francois Velde, an economist at the Federal Reserve who dabbles in numismatics, has catalogued thousands of Lydian coins owned by private collectors and museums around the world. Using this data, one can see the remarkable precision of Lydian coinage (see chart above). The weights of the largest coins – staters and trites – tend to be tightly clumped near the standard weight.

Interestingly, the smallest denominations – the 1/96th staters – are much more loosely distributed around the standard weight (see the dark blue line). Velde (2012) attributes some of the lower accuracy of smaller denominations to the fact that they would have circulated more, and thus deteriorated faster.

The inconvenience of electrum

By carefully calibrating the weights of each denomination and stamping them with a seal, surely Lydia qualifies as the first society to make the technological leap to circulation by tale. But it’s here that the story begins to fall apart.

One of the curious facts of early Lydian coins is that they were made from a material called electrum. Electrum is a naturally occurring alloy of silver and gold, often found in streams and rivers. The problem with natural electrum is that the mix between gold and silver is variable. The silver content can be anywhere from 10% to 30%, according to numismatist Robert Wallace (1987).

Given this variability, Lydians must have had difficulties valuing electrum. A given electrum coin wasn’t fungible, or interchangeable, with its cousins. A coin with more gold in it would have a slightly different colour than one with less gold, as the chart below implies. And since gold was probably worth around 10 times more than silver in ancient times, electrum coins with more gold in them would have had a much higher intrinsic value than those with less. But how much more? According to Wallace, this lack of certainty would have caused “endless doubts and disputes over particular coins."

Approximate colours of Ag–Au–Cu alloys [Wikipedia]

What a contradiction Lydian coins are! The Lydians had evidently gone to extreme lengths to perfectly calibrate coin weights, and thus potentially exchange coins by tale, only to undo all the benefits of standardization by making coins with an arbitrary gold-silver mixture. Now buyers and sellers would have to settle on some laborious means of determining a given coin’s mixture, such as using a touchstone, before they could consummate a trade.

The Lydians could have avoided this problem at the outset by issuing coins using silver rather than electrum. Silver, after all, was already traded in ingot form. With silver coins, at least there would be no confusion about intrinsic value. But the Lydians chose not to go this route.

Which leads us to what may be the most popular theory for electrum coins, what I will call the “token" theory.

Electrum coins as tokens

It is Robert Wallace who can be credited with creating what is probably the most widely-accepted theory for electrum coins. Wallace (1987) began by imagining himself in the shoes of an owner of an electrum hoard around 640 BC. This individual had the following problem. His stash of metal was not uniform, and so fellow Lydians didn’t really trust its quality. How could our electrum owner get his suspicious counterparts to accept his metal for its full value?

The easiest solution available to our Lydian would be to refine his electrum into its silver and gold constituents, then sell each separately. But Wallace tells us that the technology for “parting" gold and silver – cementation – would not be available for almost a hundred years, circa 550 BC. So our electrum owner was stuck with his mongrel metal.

According to Wallace, our Lydian stumbled on the solution: turn his raw electrum into stamped coins. Why would a potential buyer trust electrum in coin form but not bar form? The answer is that the owner of electrum didn’t create just any regular coin. Rather than issuing discs that were valued for their (uncertain) metal content, our Lydian electrum owner designed them as tokens.

Electrum coin from Ephesus, 625-600 BC with a stag grazing [source]

A stamped piece of metal can be valuable either because of the material of which it is made or the symbol that is stamped on its face. A token is of the latter sort. By contrast, a piece of hacksilber is the former. It gets its value from the silver itself.

How did a mere stamp create value? Wallace hypothesizes that the issuer’s stamp indicated a promise to “accept back or redeem his coins" at a fixed rate. A skeptical buyer would therefore have no problem receiving an electrum token in trade. After all, the stamp guaranteed that the issuer would buy it back at that very same rate.

Fungibility regained

By setting his redemption price for tokens high enough, the issuer ensured that the market value of his coins would always exceed their intrinsic electrum value. This would have had the beneficial effect of making all his electrum coins fungible. After all, since both a silver-rich electrum token and a gold-rich one could both be redeemed at the issuer for the same fixed price, neither coin was any better than the other.

Electrum could now circulate freely rather than being handicapped by non-uniformity. The decision to turn electrum into coinage had converted “stocks of what was otherwise a doubtful and uncertain substance into negotiable currency large and fixed value," says Wallace. In the process, our electrum owner had become a much wealthier man than might otherwise have been the case.

So what about circulation by tale?

Despite the fact that the weight of electrum coins was so precisely calibrated, numismatists believe that Lydians exchanged the coins by weight rather than by tale, much as they had with hacksilber. The main bit of evidence for this is that electrum coins were never clipped.

Clipping is when someone scrapes or snips a bit of metal off of a coin before passing it on. The clipper keeps the shavings for themselves. Coins that circulate by tale are easily attacked by clippers. Since sellers will accept coins with little more than a glance at the stamp on the coin’s face, a buyer who scrapes off a bit of metal before handing the coin over can easily get away with it.

A lack of clipping is consistent with the practice of weighing coins and only accepting those that are up to snuff. If a coin was even a bit too light, then the seller would not take it. And so no one would bother clipping them in the first place.

But if electrum coins circulated by weight and not tale, this hardly seems like a technological improvement over hacksilber. Lydian trade was still as slow and awkward as before.

However, the necessity of weighing electrum coins may have served a purpose. It may have been a security feature designed to protect the issuer’s wealth. Imagine that our issuer of electrum tokens has spent some staters into circulation. Prior to being returned to him for redemption, these staters had all been clipped. Since he has less electrum than what he started out with, our issuer’s wealth has deteriorated.

To protect himself from this sort of theft, Wallace (1989) suggests that the issuer wouldn’t redeem just any of his tokens. As a security measure, he would only take back those that were still of their original weight. Since no merchant would want to be stuck holding a coin that could not be redeemed, they would always weigh each coin that was offered to them in order to avoid accepting light ones.

They only circulated domestically

Wallace’s theory explains another odd feature of electrum coins. Given the distribution of electrum coin hoards, numismatists believe that they didn’t circulate outside of their area of production. This is unusual for ancient coinage. Roman coins have been found as far afield as Sumatra, while Sassanian coins (minted in modern day Iran) have been unearthed in England.

But if circulation of electrum coins was premised on the guarantee that their issuer would redeem them, then that explains why they wouldn’t have circulated very far. People in a distant city would not recognize or trust the redemption promise of an unknown issuer, and so they wouldn’t accept them in trade.

Electrum diluted with silver

Another oddity of electrum coins is that they often contain far more silver than the natural electrum out of which they were manufactured. Electrum found in naturally-occurring deposits usually contains no less than 70% gold, but the coins themselves often contain just 45-55% gold. For some reason, Lydian coin issuers chose to introduce a bit of pure silver into the electrum mix before coining it.

In the chart below, for instance, the vertical column that represents the 1/6 stater denomination contains around 14 different coins. The majority of these coins contain less than 65% gold. Only two contain more than 80% gold.

Most electrum coins contained less than 70% gold. Source: Velde

Why would the Lydians have chosen to dilute electrum with silver? The intrinsic value of natural electrum was quite high. Given that gold was worth around ten times the value of silver, numismatists estimate that the most commonly available coin, the trite, was worth several sheep, or ten days’ wages (de Callatay, 2013). Converting into modern terms, the trite would be worth the equivalent of a $500 bill. This hardly seems a very convenient denomination. The smallest coin, the 1/96th stater, was worth about a day’s wages, and thus not useful as small change (Velde, 2012).

Wallace (1987) suggests that by mixing some silver into the natural electrum, the intrinsic value of the coin would have been reduced. The price at which the issuer promised to redeem the coin could now be lowered. This reduction would have permitted electrum coins to participate in a wider range of transactions, thus increasing their usefulness.

Still more questions

New data and theories about electrum coins have improved our knowledge. Unfortunately, it seems that we remain “confused but on a higher level!” as historian Francois de Callatay (2013) remarks. While Wallace’s theory is elegant, it leads only to more questions.

Velde asks some of the more glaring ones. If electrum coins were redeemable, what did the issuer promise to redeem their coins with? Gold? Silver? Perhaps they could be used to discharge taxes? If gold and silver were to be used to redeem electrum coins, why not use these materials as the basis of coinage instead?

And what did the issuer keep in reserve to “back” his guarantee, wonders Velde. If each coin had to be 100% backed by gold, then our issuer would have had to incur the costs of storing and vaulting the yellow metal. This would have meant that issuing coins wasn’t very profitable. One wonders why our electrum owner would have bothered producing them in the first place.

Electrum coins, what happened to them?

Whereas the Brits still seem to be quite fond of their 1p and 2p coins, the Lydians quickly discontinued their electrum coinage. About a hundred years after electrum coins were first issued, they disappear from the numismatic record.

Around 550 BC, King Croesus decided to issue individual silver and gold coins. This switch from electrum to pure gold and silver coincides with the discovery of the process of cementation, the ability to separate gold from silver. Presumably decomposing electrum into its constituent parts in order to create a uniform currency was deemed superior to issuing electrum discs.

Except for a few smaller city-states that continued to issue electrum coins for another century or two, never again would a mixed silver-gold coin be issued. All that remains is a mystery for modern numismatists to puzzle over.


de Callatay, Francois. White Gold: An Enigmatic Start to Greek Coinage. 2013.
Velde, Francois. On the Origin of Specie. 2012.
Velde, Francois. A Quantitative Approach to the Beginnings of Coinage.
Wallace, Robert. The Origin of Electrum Coinage. 1987.
Wallace, Robert. On the Production and Exchange of Early Anatolian Electrum Coinage. 1989.