Differences

This shows you the differences between two versions of the page.

--- fintech [2018/11/26 00:19] – fabio.massacci@unitn.it
+++ fintech [2021/01/29 10:58] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
-======= Financial Technologies =======
+======= Security of Financial Technologies =======
 ===== Themes =====
 Among the [[research_activities|research topics]]  of the [[start|Security Group]] the main stream of this research topic is to develop new mechanisms for secure, distributed financial technologies.
+  * Distributed Exchanges
+  * Blockchain security risks
 See also our section on [[security_economics|Security Economics]].
@@ Line 20: / Line 23: @@
 Using the Lean Hog futures data in the first quarter of 2017 obtained from the CME, we demonstrate that our hybrid solution is able to maintain proportional burden in which the crypto overhead for the retail traders are close to zero while the full MPC solution yields magnitude of orders higher burden for them. Our optimized implementation is also practical enough to fit most of the Lean Hog trading days into only 1 or 2 days of computation. Further optimizations are possible, such as zk-proofs generation parallelization.
+==== The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations ====
+Traditionally, security and economics functionalities in IT fnancial services and protocols (FinTech) have been perceived as separate objectives. In {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|our new paper}} in {{https://www.cl.cam.ac.uk/events/spw2017/|SPW 2017}} We argue that keeping them separate is a bad idea for FinTech Decentralized Autonomous Organizations (DAOs). In fact, security and economics are one for DAOs: we show that the failure of a security property, e.g. anonymity, can destroy a DAOs because economic attacks can be tailgated to security attacks. This is illustrated by the examples of TheDAO (built on the Ethereum platform) and the DAOed version of a Futures Exchange. We claim that **security and economics vulnerabilities**, which we named **seconomics vulnerabilities**, are indeed **new beasts to be reckoned with**.
+Our observation is that, in a //normal// case, monetary losses come //indirectly// from security vulnerabilities. When your computer gets infected with a malware you don't immediately lose your money. Only when the hacker finds very complicated ways to monetize your assets then you suffer from the loss. In other words,
+  * security vulnerability ≠ money loss
+However, it is different for //Decentralised Autonomous Organisation (DAO)// in which the organisation is basically a software running whose information populated on a distributed ledger platform and whose rules are all implemented with the smart contracts (e.g. TheDAO on the Ethereum network).
+^ ^ ^ ^
+| Our first claim, which follows the DAO definition, is that | (A) | code = company|
+| And typically organisations are vectors for contracts and financial transactions (Tirole) | (B) | company = monetary transactions|
+| Then, from (A) and (B), it follows immediately that | (C) | code = monetary transactions |
+| As a result in this case money loss comes //directly// from a security vulnerability, i.e. | | security vulnerability = monetary loss |
+Then we would certainly wonder //"When we face a loss in a DAO, can we undo the damages?"// Unfortunately, the answer is that **there is no possible technical fix for the DAO**, as the thing that happened is the balkanization of the Ethereum network.
+In conclusion, for financial technology protocols, we always have to consider this kind of security economics vulnerabilities in which besides preserving the integrity or some other security properties we also need to consider the economics aspect of the application that we are trying to build because, for example, in TheDAO's case, **any kind of ex-post fix is impossible** (as we can see from the Ethereum network fork into the original Ethereum and the classic Etherum).
 ===== Publications =====
+  * F. Massacci, C. N. Ngo, D. Venturi and J. Williams. **Non-Monotonic Security Protocols and Failures in Financial Intermediation** To appear in //Security Protocols Workshop (SPW 18)//, 2018.
+  * F. Massacci, C. N. Ngo, J. Nie, D. Venturi and J. Williams. **FuturesMEX: Secure, Distributed Futures Market Exchange.** To appear in //IEEE Symposium on Security and Privacy (SS&P'18)//, 2018. {{:sp18proceedings.pdf|Prepub version}}, [[https://www.youtube.com/watch?v=cOGgB9GdPT0|IEEE S&P Youtube channel presentation]], also available as {{:research_activities:economics:futuremex-1h-no-animation.pdf|longer talk}} or a {{poster_csaw18.pdf|CSAW 18 finalist poster}}.
   * F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|Author's Draft PDF}}