The Singapore Law Gazette

Legal Risks Beneath Blockchain-enabled Smart Contracts

Blockchain technology and its various applications have been gaining momentum rapidly in recent years. With the ability to disrupt whole industries and multi-national corporations, regulators have become aware of its potential as much as being wary of its inherent risks. This article seeks to shed light on the intricacies of blockchain, its opportunities and threats, the current legal regime in Singapore, and its effectiveness in mitigating inherent legal risks.

Introduction

In the aftermath of the 2008 financial crisis, amongst the widespread unrest and general mistrust of banks and financial institutions, blockchain technology was presented as an alternative decentralised value-transferring and transaction system.¹Primavera De Filippi, et al, “Blockchain as a Confidence Machine: The Problem of Trust & Challenges of Governance” (2020) 62 Technology in Society (101284). What initially started out as purely a cryptocurrency payment platform has now evolved and transformed into a ground-breaking technology that is in the process of disrupting a vast number of industries and businesses. In a global survey conducted by Deloitte, more than 85 per cent of respondents believe that blockchain technology would eventually achieve mainstream adoption.²Deloitte’s 2020 Global Blockchain Survey. <https://www2.deloitte.com/content/dam/insights/us/articles/6608_2020-global-blockchain-survey/DI_CIR%202020%20global%20blockchain%20survey.pdf> (accessed 4 January 2021).

However, along with the various benefits of blockchain, there are underlying issues that could be deemed potential risks from a regulatory perspective. Indeed, the security problems associated with blockchain-enabled smart contracts should not be underestimated. For instance, smart contracts are irreversible and immutable. If a smart contract has been infected with a bug, it becomes impossible to patch the smart contract without reversing the blockchain. In a study conducted in 2016, it was found that out of the first 19,336 smart contracts from the first 1,460,000 blocks in the Ethereum network, 8,833 contracts are potentially infected with security bugs.³Loi Luu, et al, “Making Smart Contracts Smarter” (2016) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security 254, 255. These bugs can be used to sabotage or steal coins from passive users.⁴Loi Luu, et al, “Making Smart Contracts Smarter” (2016) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security 254, 255.

The article therefore seeks to provide a non-technical exposition of blockchain technology followed by an examination of some of the pertinent legal risks and challenges where blockchain-enabled smart contracts are concerned, including an exploration of the regulatory developments in mitigating these risks.

Mechanics of Blockchain

A relatable example to explain the idea of blockchain would be Google Docs. Traditionally, collaborating on a Microsoft Word document would entail creating a draft, sending it to the recipient to make revisions, and subsequently receiving a new edited copy, etc. The problem with this method is that there is too much back and forth between the collaborating parties and each time the document is sent to one party, all other parties have no access and are incapable of editing the document. With Google Docs, multiple parties have access to the same document, at the same time, and can concurrently revise and edit the document. This ensures that all parties would always have a copy of the latest version of a single document.⁵William Mougayar, “If You Understand Google Docs, You Can Understand Blockchain” CoinDesk (8 September 2016) <https://www.coindesk.com/understand-google-docs-can-understand-blockchain> (accessed 4 January 2021). This is analogous to how blockchain works as every user of the platform would have a simultaneously updated version of the ledger.

Primarily a system of organising data that falls under the umbrella term of “distributed ledger technology”, blockchain is a public electronic ledger developed within a peer-to-peer (P2P) network that is accessible by disparate users to create an unalterable record of transactions without the need for a central intermediary. There have been numerous articles explaining blockchain technology in depth over recent years but the three pillars of blockchain technology are, namely, immutability of records, transparency and decentralisation.⁶See for instance, Yeong Zee Kin, “Blockchain Records under Singapore Law” Singapore Law Gazette (September 2018) <https://lawgazette.com.sg/feature/blockchain-records-under-singapore-law/> (accessed 4 January 2021). At present, there are two forms of blockchain: permissionless (public) and permissioned (private) blockchains.⁷Louis Lehot, et al, “If Blockchain Is the Next Big Tech Paradigm Shift, What Legal Issues Matter?” Law.com Legaltech News, (1 October 2020) <https://www.law.com/legaltechnews/2020/10/01/if-blockchain-is-the-next-big-tech-paradigm-shift-what-legal-issues-matter/> (accessed 4 January 2021).

The fundamentals of blockchain technology lies in the components of its name, “block” and “chain”. Each individual block contains data (e.g., details of sender, receiver, amount, and timestamp), the hash of the block and the hash of the previous block.⁸Sandi Rahmadika, et al, “Blockchain Technology for Providing an Architecture Model of Decentralized Personal Health Information” (2018) 10 International Journal of Engineering Business Management 1. A hash is the block’s identity and can be compared to having its own unique fingerprint. The hash is cryptographically generated when a block is created and when any data within the block is altered or updated, a new hash or fingerprint is generated. A new hash creates a new block that displays the hash information of the previous linked block. With each new transaction creating a new block, and each new block pointing towards the previous block, an immutable chain of information is thus created.⁹“Trust, the Real Innovation behind Blockchain?” BearingPoint <https://www.bearingpoint.com/en/our-success/insights/trust-the-real-innovation-behind-blockchain/> (accessed 4 January 2021). Once information is recorded inside the blockchain, it becomes extremely difficult to alter or delete it since all records are individually encrypted. This prevents fraud and many other problems associated with transacting.¹⁰See for instance, Raja Wasim Ahmad, et al, “Blockchain for aerospace and defense: Opportunities and open research challenges” Computers & Industrial Engineering (26 November 2020) <https://www.sciencedirect.com/science/article/abs/pii/S0360835220306525> (accessed 4 January 2021).

Smart Contracts and Associated Risks

Apart from cryptocurrency applications, blockchain can also be employed to create smart contracts. Smart contracts, conceptualised by computer scientist Nick Szabo in 1997,¹¹Nick Szabo, “Formalising and Securing Relationships on Public Networks” (1997) 2 First Monday <http://journals.uic.edu/ojs/index.php/fm/article/view/548/469> (accessed 4 January 2021). are essentially blockchain protocols that automatically execute complex and enforceable agreements.¹²Nathan Fulmer, “Exploring the Legal Issues of Blockchain Applications” (2019) 52 Akron Law Review 161. Contracting parties agree to a set of conditions and the contract self-executes when these conditions are met, eliminating any possible voluntary breaches.¹³Nathan Fulmer, “Exploring the Legal Issues of Blockchain Applications” (2019) 52 Akron Law Review 161. To illustrate, suppose Alice agrees to pay Bob $500 in exchange for Bob’s website development services, the smart contract is capable of temporarily holding the payment, akin to an escrow manager. The payment to Bob is only fulfilled by the smart contract when Alice expresses that she is satisfied with Bob’s services. A dystopian view is that smart contracts could one day progress to replace transactional lawyers.¹⁴See for instance, Eliza Mik, “Smart contracts: Terminology, technical limitations and real world complexity” (2017) 9(2) Law, Innovation and Technology 269-300.

In the index-based insurance industry, Etherisc has developed a number of index-based insurance products on the public Ethereum blockchain. For instance, it created a dApp for flight delay and cancellation.¹⁵Shefi Ben-Hutta, “Etherisc Launches Flight Delay Insurance on Blockchain” Coverager (30 October 2017) <https://coverager.com/etherisc-launches-flight-insurance-on-blockchain> (accessed 4 January 2021). The app works in such a way that users can go to the website, enter their flight details and pay a premium for delay insurance. If the flight is delayed for more than 45 minutes or cancelled, a fixed payment would be transferred to the passenger’s blockchain account automatically.¹⁶“Blockchain and Insurance New Technology, New Opportunities” Consensys Insights (June 2019) <https://cdn2.hubspot.net/hubfs/4795067/Cons-Report-Blockchain-and-Insurance-Digital.pdf> (accessed 4 January 2021) at page 19.

Etherisc is cheap, by comparison with conventional flight insurance, “because … there are no manual processes, and … payments are made without delay and without the need on the part of the passenger to contact an agent and file a claim”.¹⁷“Blockchain and Insurance New Technology, New Opportunities” Consensys Insights (June 2019) <https://cdn2.hubspot.net/hubfs/4795067/Cons-Report-Blockchain-and-Insurance-Digital.pdf> (accessed 4 January 2021) at page 19. A simple and routine transaction is hence easily fulfilled via the use of smart contracts. However, a downside of smart contracts is that it does not take into account the intrinsic value of preserving a long-term commercial relationship. For example, discounts in payment, delays in delivery of services or any other ad-hoc situations would have to be specifically programmed into the smart contract for it to be given effect.

In adverse situations where the contract goes unfulfilled, the traditional option would be to enforce it by going to court or via arbitration. However, due to the high levels of grey areas in the execution of smart contracts, it may cause the plaintiff to incur cost and time spent in legal proceedings.¹⁸Pablo Sanz Bayón, “Key Legal Issues Surrounding Smart Contract Applications” (2019) 9(1) KLRI Journal of Law and Legislation 63-91. It is almost impossible to code every possible “if-then” scenario into the smart contract and therefore it may not align well with real-world business settings and legal dispute resolution methods.¹⁹Stuart Levi and Cristina Vasile, “Blockchain & Cryptocurrency Regulation 2021 – 12 Legal Issues Surrounding the Use of Smart Contracts” (2021) Global Legal Insights <https://www.globallegalinsights.com/practice-areas/blockchain-laws-and-regulations/12-legal-issues-surrounding-the-use-of-smart-contracts> (accessed 4 January 2021).

What happens when a smart contract fails? In particular, what happens when the code executes correctly (from a software point of view) but produces an outcome that is different from what the parties intended (a contract is, after all, defined by what the parties intended)? Indeed, there is a Singapore decision which involved cryptocurrency trading and the doctrine of mistake in contract law, and is best illustrated in the decision of Quoine Pte Ltd v B2C2 Ltd,²⁰Quoine Pte Ltd v B2C2 Ltd (2020) 2 SLR 20. which has been extensively commented on by academics.²¹See for instance, Vincent Ooi and Soh Kian Peng, “Rethinking mistake in the age of Algorithms: Quoine Pte Ltd v B2C2 Ltd” (2020) 31(3) King’s Law Journal 367-372.

Interpretation of Smart Contracts

Smart contracts purport to create not only automated execution systems, but also to ensure that this automated execution is accompanied by a legal contract that a court would be willing to enforce. Despite the benefits of automation, few contracting companies would embrace a smart contract model that would have entirely abandoned the need for a traditional natural language contract in favour of solely a code executed by machines.

For instance, a contract that involves only well-defined rules (“Alice will pay Bob $100 if there is a high tide in Singapore of more than 2.9m on 20 January 2022”) will be relatively straightforward to implement both as machine-executable code and as a human language contract. On the other hand, contracts that involve vague, context-specific human language legal concepts such as “reasonableness” or “emotional distress” or, conversely, code that involves complex machine-level interactions with little reference to human-level legal concepts, are in all likelihood impossible to implement as dual code-contract agreements.²²“Are smart contracts contracts?” Clifford Chance (1 August 2017) <https://talkingtech.cliffordchance.com/en/emerging-technologies/smart-contracts/are-smart-contracts-contracts.html> (accessed 4 January 2021).

Oracles

Even for basic contracts, how does one determine what a high tide of 2.9m is? There is a need to convert these events into information inputs that result in an outcome in a smart contract. These sources of information obtained externally is known as “oracles”. But they result in a problem. The hallmark of a distributed ledger system is that it removes the need for trust by decentralising the sources of information. On the other hand, oracles revive the need to rely on a designated external source. Nonetheless, there are sources of information that one could rely on, such as publicly available sources of tidal data.²³“Are smart contracts contracts?” Clifford Chance (1 August 2017) <https://talkingtech.cliffordchance.com/en/emerging-technologies/smart-contracts/are-smart-contracts-contracts.html> (accessed 4 January 2021).

Yet in a highly connected world, the reliance on an external source for tidal data means there is a risk of failure of dataset. For instance, what if a malicious actor bent on causing chaos surreptitiously alter the dataset, such that it results in a payment where the relevant event has not actually occurred in reality? This is a problem but the risk can be mitigated by selecting data sources carefully and cross-referencing data sources to better manage such a risk.²⁴“Are smart contracts contracts?” Clifford Chance (1 August 2017) <https://talkingtech.cliffordchance.com/en/emerging-technologies/smart-contracts/are-smart-contracts-contracts.html> (accessed 4 January 2021).

Jurisdiction and Governing Law

One important issue for decentralised smart contracts systems is that of jurisdiction. Blocks in the chain are distributed across nodes that can be located all over the world and there is no concrete method to pinpoint the actual location of the server. Even if the smart contracts expressly select a governing law, will that selection always be valid, given the real location(s) of performance? Hence, the question that arises would be on the appropriate jurisdiction and governing law. While it could be that blockchain was created for the very purpose of being able to evade jurisdictional controls, it does not address how disputes are resolved when there is a conflict of laws between multiple jurisdictions.²⁵Louis Lehot, et al, “If Blockchain Is the Next Big Tech Paradigm Shift, What Legal Issues Matter?” Law.com Legaltech News, (1 October 2020) <https://www.law.com/legaltechnews/2020/10/01/if-blockchain-is-the-next-big-tech-paradigm-shift-what-legal-issues-matter/> (accessed 4 January 2021). This is a crucial aspect of the legal risk in blockchain especially in the context of crypto assets since there is a huge divergence among countries on how they perceive the technology. Some regulators are more welcoming, while others view it with scepticism and impose strict prohibitions on use and development of the technology.²⁶Prableen Bajpai, “Countries Where Bitcoin Is Legal & Illegal (DISH, OTSK)” Investopedia (9 May 2019) <https://www.investopedia.com/articles/forex/041515/countries-where-bitcoin-legal-illegal.asp> (accessed 4 January 2021).

It is vital to consider applicable laws and risk management strategies in public blockchains. On the other hand, with a private system, there should be some form of internal governance structure to specify the governing laws that will apply. If an organisation wishes to use digital tokens as a means of raising capital to fund business growth, it would be straightforward to expect these organisations to comply with the usual investor protection laws. The regulators would then only have to decide on laws that must be adhered to.²⁷John Salmon and Gordon Myers, “Blockchain and Associated Legal Issues for Emerging Markets” International Finance Corporation (January 2019) <https://www.ifc.org/wps/wcm/connect/da7da0dd-2068-4728-b846-7cffcd1fd24a/EMCompass-Note-63-Blockchain-and-Legal-Issues-in-Emerging-Markets.pdf?MOD=AJPERES&CVID=mxocw9F> (accessed 4 January 2021). However, it becomes complex when the organisation is also trying to build a user-base through the sale of these tokens. Organisations may promote the subscription of their services via tokens that are designed to be used as a device or currency to consume their services, also known as utility tokens. Although many regulators have expressed that there is no need to regulate utility tokens as an investment, the line is blurred when these tokens are also sold to other organisations, such as investment banks, that do not intend to use these services or when at the time of purchase of these tokens, there is no usable service available. These issues, exacerbated by the lack of a consistent global regulatory framework, prove a real challenge for organisations that wish to reap the benefits of developing their own crypto assets.

Singapore’s Approach to Blockchain Regulation

While considering blockchain’s inherent risks, the Monetary Authority of Singapore (MAS), Singapore’s financial regulatory authority, has nevertheless maintained a crypto-friendly attitude and provides for a flexible regulatory environment to promote expansion and innovation with regards to this technology. Without a doubt, the COVID-19 pandemic has also accelerated the need for trustworthy, reliable, and indefeasible digital business systems. Hence, the recent introduction of the Singapore Blockchain Innovation Programme (SBIP) highlights the Government’s clear intent to continue moving forward with blockchain technology.²⁸“Singapore Invests $12 Million in First National Effort to Expand Blockchain Technology Research” Enterprise Singapore News Release (7 December 2020) <https://www.enterprisesg.gov.sg/-/media/esg/files/media-centre/media-releases/2020/dec-2020/media-release—singapore-invests-12-million-in-first-national-effort-to-expand-blockchain-technology-research.pdf?la=en> (accessed 4 January 2021). Engaging up to 75 companies including MNCs and ICT companies, this national effort aims to develop 17 blockchain-related projects over the next three years.²⁹“Singapore Invests $12 Million in First National Effort to Expand Blockchain Technology Research” Enterprise Singapore News Release (7 December 2020) <https://www.enterprisesg.gov.sg/-/media/esg/files/media-centre/media-releases/2020/dec-2020/media-release—singapore-invests-12-million-in-first-national-effort-to-expand-blockchain-technology-research.pdf?la=en> (accessed 4 January 2021). On the other hand, with regards to managing risks associated with blockchain use and provision, some of the key regulatory developments in Singapore are as follows:

Personal Data Protection Act 2012³⁰Personal Data Protection Act 2012 (No. 26 of 2012). (PDPA)

Aligned with the European Union’s General Data Protection Regulation (GDPR), Singapore has its own PDPA, which governs the protection of a customer’s personal data. Both regulatory enactments stipulate that prior to the collection of personal data, informed consent must be obtained and that the individual is free to withdraw consent at any point in time.³¹Franca Ciambella, et al, “Singapore” in Global Legal Insights – Blockchain & Cryptocurrency Regulation 2019 (Josias Dewy gen ed) (Global Legal Group, 2018). However, would blockchain be prima facie subject to data protection regulations? If yes, there must be a processing of personal data whereby an individual can be identified from the data alone or with other information to which an organisation has or is likely to have access.³²Personal Data Protection Act 2012 (No. 26 of 2012), s 2(1). In a blockchain, it is decentralised and distributed across a P2P network that consists of nodes which are similar to registrars. The nodes identify individual participants via digital signatures which are then collected and stored on the blockchain. Hence, it constitutes as processing of personal data and is likely to be subject to privacy and data protection regulations. However, it is still unclear in terms of the legal basis that will be applied to blockchain and how the different actors would be regarded.³³Garance Mathias, “Blockchain 8 main legal issues” (January 2018) < https://www.avocats-mathias.com/wp-content/uploads/2018/04/LB-GM-Blockchain-Janvier-2018.pdf> (accessed 4 January 2021). Would miners be classified as data processors? Would each participant within the network be considered as having consented? Is the processing of data necessary for the purpose of legitimate interests? The answers to these have yet to be ironed out under current regulations.

Under the PDPA, the Commission has the power to impose a fine of up to S$1 million with regards to data privacy breaches. With such strong penalties, it signals a deterrent approach undertaken by Singapore’s regulatory bodies in providing sufficient safeguards against data privacy breaches. However, by virtue of blockchain’s very design, some fundamental problems in privacy may arise when adapting a regulation framework to deal with this technology.³⁴Steven Snyder, “The Privacy Questions Raised by Blockchain” Bradley (14 January 2019) <https://www.bradley.com/insights/publications/2019/01/the-privacy-questions-raised-by-blockchain> (accessed 4 January 2021). Once data is stored on a blockchain, it is immutable and cannot be amended and such a characteristic may give rise to compliance issues since both the PDPA and GDPR require organisations to accede to requests from individuals to make corrections to, or removal of, their personal data.³⁵Ma Siu Cheung, Blockchain and Data Protection: Rethinking the Essence and Uses of Blockchain” Singapore Law Gazette (April 2020) <https://lawgazette.com.sg/feature/blockchain-and-data-protection/> (accessed 4 January 2021).

Payment Services Act³⁶Payment Services Act (No. 2 of 2019). (PSA)

With commencement of the PSA on 28 January 2020, there is now a broadened scope of regulated activities to include digital payment token services as well as the introduction of a modular approach in calibrating regulations to specific risks. Under the PSA and alongside the guidance issued by the Financial Action Task Force (FATF),³⁷“Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers” Financial Action Task Force (June 2019) <www.fatf-gafi.org/publications/fatfrecommendations/documents/Guidance-RBA-virtual-assets.html> (accessed 4 January 2021). crypto asset providers are required to comply with anti-money laundering/combating the financing of terrorism (AML/CFT) measures, thereby ensuring sustainable growth while enforcing accountability and ethical responsibility. While these measures are unquestionably positive, business that transact with digital payment tokens would have to be cautious and proactive in their compliance with these measures.³⁸David Carlisle, “The Payment Services Act: How Cryptoasset Businesses in Singapore Can Succeed” Elliptic Blog (5 March 2020) <https://www.elliptic.co/blog/payment-services-act-singapore-steps-for-success> (accessed 4 January 2021).

Securities and Futures Act³⁹Securities and Futures Act (Cap 289, 2006 Rev Ed). (SFA)

The SFA is Singapore’s main legislation regulating capital markets and the financial investments sector. Depending on how a blockchain is used and if it falls within the definition of securities under the SFA, providers may face compliance issues under the SFA and other laws, including prospectus registration requirements and mandatory licensing. Moreover, platforms enabling secondary trading of blockchain tokens may also require approval and recognition by the MAS as an approved exchange or recognised marked operator under the SFA.⁴⁰Ho Han Ming and Josephine Law, “The Virtual Currency Regulation Review – Edition 3 Singapore” The Law Reviews (September 2020) <https://thelawreviews.co.uk/edition/the-virtual-currency-regulation-review-edition-3/1230199/singapore> (accessed 4 January 2021).

Proposed New Regulation: “Omnibus Act”

On 21 July 2020, a consultation paper on a proposed Omnibus Act for the financial sector was issued by the MAS entailing two key pillars: (i) licensing requirements and (ii) AML/CFT regulations. Under the Omnibus Act, the definition for digital tokens will mirror the definition for digital payment tokens under the PSA or the definition for capital markets products under the SFA. Essentially, the Omnibus Act would consolidate both the PSA and the SFA into one single framework by ensuring that digital tokens, which currently fall under the definitions of both the PSA and the SFA, would be covered.⁴¹Stephanie Magnus, et al, “Singapore MAS Proposes New Regulation for Singapore Persons Performing Digital Token Services Outside Singapore” Blockchain (13 August 2020) <https://blockchain.bakermckenzie.com/2020/08/13/singapore-mas-proposes-new-regulation-for-singapore-persons-performing-digital-token-services-outside-singapore/> (accessed 4 January 2021).

Conclusion

It appears that both the PSA and the SFA do not regulate the formation or execution of smart contracts, unless they also involve payments using digital payment tokens, or a public offering or issue of digital tokens, respectively. Contract law principles instead appears to be the channel used to deal with such disputes, as the case of Quoine Pte Ltd v B2C2 Ltd⁴²Quoine Pte Ltd v B2C2 Ltd (2020) 2 SLR 20. illustrates. The PSA predominantly combats money laundering. Therefore, Singapore takes a laissez-faire approach where the regulation of smart contracts are concerned. As discussed earlier, one aspect of blockchain technology is its decentralised platform. Where Bitcoins are concerned, this means that it is impossible for a court to order specific performance other than the one the platform has produced as it is impossible to retransfer stolen bitcoins unless the perpetrator can be arrested and compelled to do so.

However, where smart contracts are concerned, it does not need to be structured like Bitcoin. If a smart contract (e.g., in parametric contracts) is able to rely on an oracle for external data, then it should be possible for a smart contract to accept a command from a party such as a notice of a dispute which could cause the performance of the contract to be deferred while the matter is referred to dispute resolution. A judge or a specialised smart contracts arbitrator, can then resolve the issue on the basis of the human language version of the contract and reorder the smart contract to reflect the outcome of the dispute.

On the other hand, where the performance of the contract is a straightforward payment, the outcome can be remedied by a refund. There will be compromises to be made as a contract which can be halted briefly for dispute resolution is not entirely autonomous in its performance. However, the key to a smart contract’s commercial feasibility would be building in dispute resolution functionality. In any case, until smart contracts are able to deal with issues such as dispute resolution adequately, it will not replace traditional contracts in the foreseeable future as the current form of smart contracts cannot address issues of unconscionability or duress, for instance.⁴³Kevin Fandl, “Can Smart Contracts Enhance Firm Efficiency in Emerging Markets?” (2020) 40(3) Northwestern Journal of International Law & Business 333, 360.