In November we reported that Daiwa Securities, Japan’s largest security token underwriter, planned to trial digital securities on public blockchains. The digital bond was issued (and redeemed) in February and was the first in Japan to record transfer rights on a public blockchain. The experiments, however, were aimed at preventing the theft of security tokens when a hacker steals private keys.
The trials involved Fintertech, Daiwa’s fintech subsidiary, and web3 firm Ginco. Private blockchains allow for greater control, so if there’s a theft, the tokens can easily be taken away from a thief. On public blockchains, that’s not so easy to do.
Many institutions are keen to use public blockchains but don’t because of the risks or because regulators are not keen. By showing that the risks can be contained, the trials address both concerns.
Hence, a key concept in the trials was that a security token (ST) can only be linked to approved soul bound tokens (SBT). These are non-transferable, non-fungible tokens (NFT) associated with real-world identities. When an investor sells a token, the issuer’s smart contract checks that the new owner is on its list of allowed soul bound tokens.
The experiments concluded that it’s possible to prevent many common hacking scenarios with the appropriate smart contracts.
Security token hacking trials
In the simplest scenario, a hacker steals an investor’s private keys and transfers the security token to their own address. But the hacker’s address isn’t associated with a soul bound token, so the transfer fails. Even if the hacker had a valid SBT, they would be identified and charged with theft. In this scenario, where the hacker gains control of the token, the security token smart contract allows the issuer to move illegally transferred tokens back to their rightful owners.
However, the trials didn’t stop there. They also explored what happens if the SBT issuer’s keys are compromised – in other words, if a hacker could generate soul bound tokens. When keys are compromised, it means the hacker gets a copy of them.
But the SBT issuer still has the keys. Hence, when the SBT issuer becomes aware of the hack, it can invalidate all the issued SBTs and create a new smart contract. It then informs the security token issuers who invalidate the old SBTs as recipients and add the new SBTs.
The final scenario explored what happens if the security token issuer’s keys are compromised. Similar to the soul bound token scenario, the issuer can invalidate the contract and create a new one that returns to the previous state of token ownership.
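The investor-key and SBT-issuer-key scenarios above, as an added Python model that is not the contracts used in the trials. The class, method and address names are assumptions, and the sample investors are constructed.

```python
# Added example: a Python model, not the trial's contracts; all names are assumptions.
class SBTRegistry:  # soul bound token contract: addresses holding a valid SBT
    def __init__(self, holders):
        self.holders = set(holders)
        self.valid = True  # cleared once the SBT issuer learns its key leaked
    def is_approved(self, address):
        return self.valid and address in self.holders

class SecurityToken:
    def __init__(self, issuer, registry, balances):
        self.issuer, self.registry, self.balances = issuer, registry, dict(balances)
    def _move(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
    def transfer(self, signer, recipient, amount):
        # A stolen key signs as the victim, so the gate is on the recipient's SBT.
        if not self.registry.is_approved(recipient):
            raise PermissionError("recipient has no approved SBT")
        self._move(signer, recipient, amount)
    def recover(self, caller, holder, owner, amount):
        if caller != self.issuer:
            raise PermissionError("only the issuer can recover tokens")
        self._move(holder, owner, amount)  # return illegally transferred tokens
    def set_registry(self, caller, registry):
        if caller != self.issuer:
            raise PermissionError("only the issuer can change the SBT contract")
        self.registry = registry  # switch to the replacement SBT contract

def attempt(token, signer, recipient, amount):
    try:
        token.transfer(signer, recipient, amount)
        return True
    except PermissionError:
        return False

def run_scenarios():
    old = SBTRegistry({"alice", "bob"})                   # constructed sample investors
    st = SecurityToken("issuer", old, {"alice": 100})
    out = {"no_sbt": attempt(st, "alice", "thief", 100)}  # investor key stolen
    old.holders.add("thief")                              # SBT issuer key stolen: forged SBT
    out["forged_sbt"] = attempt(st, "alice", "thief", 100)
    st.recover("issuer", "thief", "alice", 100)           # issuer moves the tokens back
    old.valid = False                                     # SBT issuer invalidates old SBTs
    st.set_registry("issuer", SBTRegistry({"alice", "bob"}))
    out["after_rotation"] = attempt(st, "alice", "thief", 100)
    out["legit"] = attempt(st, "alice", "bob", 40)
    return out, st.balances
```

The forged-SBT transfer succeeds until the issuer recovers the tokens and both contracts are rotated, which is why detection by the SBT issuer matters in that scenario.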
The smart contracts for both the security token and the soul bound token can be examined on Ethereum.
In this testing phase, it was assumed that the investment company provided custody. In the next phase of experiments, they will explore self-hosted wallets and ensure compliance with anti-money laundering laws.