What Does It Mean to “Own” Crypto?

From multimillion-dollar digital art sales to multibillion-dollar blockchains inspired by dog memes, 2021 generated some truly outrageous crypto headlines. Occasionally, though, a story arises that is as thought-provoking as it is bewildering. Take this one: German prosecutors seized a large cache of stolen Bitcoin from a man imprisoned for fraud. However, law enforcement officials couldn’t access the money because they didn’t know the “private key”—a kind of cryptographic password that allows the funds to be moved—and the jailed fraudster wouldn’t give it to them. 

Besides coming across as slightly comical, the impasse that the German authorities and their close-lipped man found themselves in also reveals the highly complicated nature of digital asset ownership. As long as the fraudster refused to give up the password—while the government kept him imprisoned without Internet access—neither side could truly lay claim to the seized Bitcoin, which at one point last year was valued at more than $100 million. Does this mean criminals who would otherwise be forced to surrender stolen property can now get away on a technicality? How do we know our stuff is ours, when no centralized authority exists to enforce ownership rights on the blockchain? Furthermore, the crypto world has continued to evolve at its signature warp speed in the last year. We’ve since seen the meteoric rise of NFTs (non-fungible tokens) and, with this, a new and fervent interest in tokenizing everything—from music royalties to works of art to sports collectibles. Unlike simple currency, a non-fungible token might hold value beyond its market price, whether because it represents the copyright to a creative work or because it has a certain sentimental meaning to the holder. Clarifying what it really means to own virtualized—yet irreplaceable—property has never been more important. If your NFT is stolen, how can you be justly compensated—and who should arbitrate this process? 

Over the years, a number of high-profile hacks in crypto have raised these same questions—and the resolutions of these incidents tell us quite a bit about current thinking around digital asset ownership. So far, the precedents set by these cases have fallen in line with our intuitive understanding of fairness. We know that the right thing to do when a theft happens is to return the stolen property to its rightful owner—and, perhaps, to punish the thief—and that’s usually the consensus reached in the aftermath of a major hack. However, when decision-making power on the blockchain is distributed by design, enforcing a system of restitution and retribution isn’t always possible—or even clearly preferable. In each of the cases I examine, the approaches taken to uphold these fairness rules come with significant tradeoffs that were deemed necessary in the face of crisis, but wouldn’t make sense if applied as policy.

As blockchain technology continues to mature, we will need to contend with this question: How can we effectively protect ownership rights of digital assets? 

What the (blockchain) record shows

Technically speaking, you own your cryptocurrency simply because you possess the ability to spend it. As the German authorities discovered, accessing funds requires you to supply a private key. Provided the private key is correct, a transaction to move your crypto will be recognized as valid on the blockchain, without the need for any other kind of proof of ownership. This makes crypto a “bearer instrument”—an asset whose holder is presumed to be its rightful owner. In the non-crypto world, cash and bonds would both be considered examples of bearer instruments.

However, in the non-crypto world, we don’t conflate practical control with rightful ownership—even when the asset in question is a bearer instrument. I could steal the cash in your wallet, but you would still have plenty of channels at your disposal—from local police to the court system—to compel me to recompense you for your property. 

In contrast, it is nearly impossible to force a thief to return stolen crypto to their rightful owner. Blockchain history is designed to be immutable, such that changing a single past transaction will invalidate all the transactions that occur after it. This feature is vital to being able to maintain a trustworthy public ledger. 

However, this also means that a fraudulent transaction initiated by a hacker to drain your wallet would be virtually irreversible. The only way to initiate a “clawback” would be to essentially turn back time, and have every transaction that happened since the moment your assets were stolen be erased. This is not just a huge headache that requires coordination of a majority of network participants—it’s a costly one. Everyone else on the network would need to redo their transactions for you to make this change. Now, imagine if someone else also had a transaction that they’d like to undo, and then someone else after that—and, well, you get the idea. 

And it’s not just users who are impacted. Since rolling back blockchain state undoes the intensive computational work required to produce these blocks in the first place, such an action is highly unpopular with miners, who take a monetary loss as a result. As a result, instances of a network-wide rollback are extremely rare. 

The most notable example of this happened in 2016, when a hacker siphoned off close to $60 million from The DAO—a smart contract designed for collectivized, ETH-based investment. In the aftermath of the hack, the Ethereum community was faced with a choice: restore the stolen funds to the project’s investors by forking or allow the funds to remain in the possession of the attacker. Though a majority of the network ultimately agreed to a hard fork, a portion of the community refused to adopt the change. As a result, the move effectively split the Ethereum network into two separate blockchains—Ethereum (ETH) and Ethereum Classic (ETC)—each representing not only two different versions of chain history but also two competing philosophies about how a dispute of ownership on the blockchain should be resolved. While Ethereum reverted blockchain state to a point in time prior to the hack before allowing investors to transfer their funds from the vulnerable smart contract, Ethereum Classic continued along the pre-fork version.

Even more interestingly, the perpetrator of the DAO attack (or someone posing as the hacker) published an open letter to the Ethereum community in the midst of the incident. In an undeniably audacious move, he declared that he had “rightfully claim[ed]” the funds by “making use of [an] explicitly coded feature”. He threatened to take legal action against anyone attempting to seize his property, warning that a fork would irreparably damage trust in the Ethereum network and blockchain technology.

Though their prediction hasn’t come true, it’s tough to argue with our marauder’s logic. Smart contract code is deployed publicly, and this attacker had leveraged a legitimate feature available to everyone in order to pull off his heist. In a sense, he was simply advocating that the system continue to function as it was designed to, without inappropriate third-party intervention.

At the center of this controversy is a complex question: when criminals successfully steal crypto from honest users, who should be recognized as the rightful owner of these assets? The answer we give could decide who has a legitimate claim to tens of billions of dollars’ worth of cryptocurrency. In the meantime, it is highly unlikely that such a large-scale rollback of blockchain state would ever happen again. The DAO hack affected a significant portion of the Ethereum community at a relatively early point in the blockchain’s history. Coordinating a rollback today would come at a much steeper cost—one which the network would almost certainly be unwilling to bear. In light of this fact, we need to consider alternative approaches to restoring fairness in the aftermath of a hack.

Sanctions, sanctions, sanctions

Questions about ownership rights become much more poignant when we consider a class of digital assets that has risen dramatically in popularity this year: NFTs. If the kinds of cryptocurrency we’ve discussed so far are like cash in a safe, then NFTs are more like heirloom jewels or property deeds. Different NFTs can have drastically different market values—and, as is increasingly the case in certain communities, NFT owners often attach significant sentimental value to these digital assets.

“You fall in love with them,” says Rushil Reddy (@HerkshireBathaway), an avid NFT collector. Reddy boasts a portfolio valued at over $1 million—but, he declares, “I’m never going to sell them.”

The creators behind top NFT projects have worked hard to build this kind of attachment among their followers, from embedding unique artwork in the tokens to offering some serious real-world perks for owning these digital assets. Bored Ape Yacht Club is famous in the space for throwing extravagant parties and organizing exclusive events open only to holders of its tokens, affectionately known as “Apes”.

Perhaps even more important than the cachet that owning a valuable NFT provides, Reddy says, is the sense of community that exists among token holders. When Reddy traveled to Los Angeles this year, he was graciously hosted by local Apes, who invited him along to dinners, barhops and other social gatherings. “I felt such a kinship with them,” he said.

Maybe this is why, when entrepreneur Calvin Becerra fell victim on October 30 to a social engineering hack that robbed him of his 3 Bored Ape NFTs—valued at over $1 million—he turned to the community for help. Taking to Twitter, he attempted to negotiate the return of his tokens—and, when that failed, to prevent the stolen assets from being sold on any major NFT marketplace. Much to his satisfaction, OpenSea, Rarible and NFTTrader all obliged a day later by blacklisting the NFTs on their sites.

“[These platforms] all have done the RIGHT THING,” Becerra tweeted that same day. “No one wants to buy a stolen car, yet [sic] alone STOLEN ART!” 

As Becerra continued to document his progress in negotiating with the hackers, at times the whole incident seemed like a hostage crisis:

Calvin Becerra@calvinbecerra

I’d like to announce that Kit has officially come back home. I’d like to thank his captors for negotiating his safe return. #BAYC @BoredApeYC He still misses his two brothers. #NFTCommunity

November 2nd 2021, 8:30pm EST

28 Retweets479 Likes

Eventually, even the creators of the Bored Ape NFTs weighed in, promising to ban any individual holding these stolen tokens from attending Ape-only events. Ultimately, after a dramatic week, Becerra was able to secure the return of all 3 tokens.

As we’ve discussed, blockchains are decentralized by design, so as to prevent a single entity from wielding outsized influence in the system at large. Yet, in his quest to secure the return of his property, Becerra called upon institutions in this space to step in as privileged arbiters. Instead of trying to coordinate a large-scale rollback, a platform like OpenSea can impose “sanctions” on ill-gotten goods, thereby preventing would-be hackers from benefiting from the sale of a stolen token. Unlike with a rollback, this approach wouldn’t impact the rest of the network, making it much more suitable for resolving individual disputes. Of course, the power that a centralized platform wields here isn’t absolute—a hacker can still sell off a stolen token via other channels—but this method was demonstrably effective in Becerra’s case, at least.

However, other challenges do limit sanctioning as a viable solution for enforcing fairness in digital asset ownership. For starters, this practice can be easily abused. Given the level of anonymity that exists on the blockchain, it can be difficult to verify whether a token was transferred as part of a legitimate transaction or a hack. If I voluntarily send you an NFT and subsequently regret it, what’s stopping me from reporting the transaction as a hack and—at least temporarily—rendering the token useless to you? Even with an independent review process in place, I could still hold you hostage for long enough that you decide to return the token to me.

And, even when a hack really does happen, it’s unclear whether sanctioning the stolen tokens always yields a fair outcome. According to Breck Stodghill, an engineer at Zora, attackers typically flip NFTs for their floor price—the lowest asking price for a token from a particular collection—immediately after a successful hack, before any platform has banned its sale. As a result, by the time a stolen token is blacklisted, it may have already changed hands—and some unlucky user will be out both the contraband token and the money they paid for it. As Stodghill says, “You’re essentially pushing the burden of paying for the hack onto an innocent third party.”

If the last year has been any indication, we’ll be seeing much more of NFTs in the near future. Already, startups and tech giants alike are looking at use cases for non-fungible digital assets beyond art and collectibles. Royalty Exchange, an online marketplace for buying and selling music royalties, made headlines in June when it sold the publishing rights as an NFT for—quite appropriately—Lil Dicky’s 2015 hit “Save Dat Money”. In late October 2021, Facebook threw its hat into the ring when the company announced its plan to rebrand to Meta (as in, “metaverse”), joining several other ventures such as Decentraland and Sandbox in the effort to build an open-world virtual reality space—and, in the process, to allow users to own tokenized versions of everything from land to unique avatars.

Clearly, it’s essential that we think about how to enforce digital property ownership, before we find ourselves living in the world of Ready Player One. In the cases we’ve examined so far, we’ve seen the limitations of relying on either the network at large or an institutional entity to protect property ownership. In the final portion of our discussion, we will consider the implications of a third approach—in which the responsibility for protecting your assets falls on you alone. 

Protecting your own assets, plus a brief history lesson

The year was 1789, and newly appointed Treasury Secretary Alexander Hamilton was busy finalizing the details of his plan for managing public credit. Before he could present his recommendations to Congress, however, he needed to deal with a rather prickly political issue. During the American Revolution, many war veterans had been paid in government bonds, which had subsequently plummeted in value. Over the years, many cash-strapped soldiers had sold their securities to predatory speculators at steeply discounted prices. As Hamilton prepared to unveil his proposal for paying down government debt, though, he expected these bonds to rebound to their full face value, raising the question: should speculators pocket the windfall from the bonds’ appreciation? Or should the money go to the original holders, many of whom had fought for the country’s independence?

Unsurprisingly, enriching speculators at the expense of war heroes did not make for popular policy. Nevertheless, Hamilton ultimately decided to let the bonds stay in the hands of current buyers, in order to uphold the credibility of the still-nascent securities trading market in America. In other words, to establish the concept of the “security of transfer”—that is, the idea that the government could not retroactively reverse a financial transaction—Hamilton was willing to take a gamble and side with the speculators over patriotic citizens.

What parallels can we draw between this episode, which took place more than 200 years ago, and the controversy over digital asset ownership today? Just as 1789 saw the foundations being laid for America’s economic system, we are arguably witnessing the birth of a new paradigm for collectivity in blockchain technology. The existence of tamper-resistant and highly democratic systems has already proven to be a powerful tool for good, from facilitating borderless financial transactions to empowering indie artists to make an income from their music. Perhaps, in order to continue benefiting from the increased freedom provided by decentralized technology, we will need to come to a new understanding about what ownership of our property means. Rather than rely on an external entity to protect our rights, what if we took on this responsibility ourselves? Of course, the implication of such a framework would be that, in the event that we fall victim to fraud, we would have no recourse. As upsetting as this idea may be to our sensibilities, it arguably represents the most coherent policy on crypto ownership that we have explored so far. If blockchain technology exists to distribute decision-making power back to the individual, shouldn’t that power come with the corresponding responsibility of handling risk?

As Hamilton himself writes, “The general rules of property, and all those general rules which form the links of society, frequently involve in their ordinary operation particular hardships and injuries. Yet the public order and the general happiness require a steady conformity to them. It is perhaps always better that partial evils be submitted to than that principles should be violated.”

In the near future, we will have to contend with the fact that blockchain systems can—really, are meant to—subvert existing power structures. Our idea of what it means to “own” a digital asset may need to evolve accordingly to eschew the need for a judge, jury or NFT creator to step in as the arbitrator of disputes. Or, we may decide that the benefits of decentralization are not worth the dangers of “trading at your own risk”. In either case, it’s essential that we’re making a conscious decision on which principles should make up our “general rules of property”.

In the meantime, though, we should probably all double-check that our private keys are secure.