Cryptocurrencies are having a moment. Not only is the price of one bitcoin hovering around the all-time high of nearly US$42,000 ^[1] it hit in early January, but the Reserve Bank of Australia has announced that it’s researching a crypto-based digital currency ^[2], and bitcoin has been accepted as collateral by Australian courts ^[3]. Advocates are confidently predicting ^[4] a greater role for cryptocurrencies (shorthanded to ‘crypto’) in the public and private sectors.

But those ebullient narratives don’t give a complete picture of the security risks posed by greater use of crypto in Australia. Cryptocurrencies have inherent vulnerabilities that can’t be overcome solely by Australian regulations, suggesting that continuing tight restrictions on their potential use are essential.

At heart, cryptocurrencies are computer protocols that harness sophisticated cryptography to create unique digital tokens. A bitcoin, for example, is the token of the bitcoin protocol. The integrity of crypto networks depends on large numbers of independent computers continuously running each protocol, with greater numbers of such ‘validators’ providing increased security against malicious attack. The validators are incentivised to participate through rewards of each protocol’s tokens.

Most of the focus on the risks of cryptocurrencies emphasises potential nefarious uses, such as sanctions evasion ^[5] or purchases on darknet markets ^[6]. But even legitimate uses of crypto entail significant security risks and their use in the public or private sector must be treated very cautiously.

One such vector of insecurity comprises vulnerabilities inherent in any system that attempts to eliminate trust in anything but computer code. Crypto is designed to obviate the need for institutional gatekeepers like banks and governments, which means that there’s no trusted third party to undo any harm if a protocol or other software tool turns out to have bugs ^[6].

Most infamously, a bug in an application designed to run a ‘smart contract’ on Ethereum—the second-largest cryptocurrency by value—was exploited to steal US$50 million worth of the ether token in 2016, causing such turmoil that the Ethereum blockchain itself ultimately split in two ^[7].

Coding issues don’t just harm direct victims of attacks. Perceived security issues can lead to a catastrophic loss of confidence in a given protocol, prompting its users to move their assets elsewhere. With reduced economic activity, the reward for validators that dedicate computing power to securing that network also diminishes, making them less likely to participate. The resulting death spiral has befallen cryptocurrencies such as bitcoin gold ^[8].

A second vector of insecurity hanging over even legitimate uses of cryptocurrencies is their dependence on crypto exchanges. The exchanges are the gateways to crypto ecosystems, allowing users to turn tokens such as bitcoin or ether into government-issued (or fiat) currencies, such as Australian dollars. Well-functioning exchanges are required for the secure operation of cryptocurrencies. If validators can’t ‘cash out’ their crypto tokens into a local fiat currency, they won’t be able to pay any bills that require fiat cash, such as rent, utilities and taxes.

Effective regulation of exchanges is therefore essential. In Australia, crypto is treated as a form of property and exchanges are regulated by the Australian Securities and Investments Commission. Elsewhere, however, crypto exchanges are often very loosely regulated, flout the regulations that do apply, or both. Major exchanges are hacked on a near-monthly basis ^[9], are plagued by exit scams ^[10] (in which operators seize users’ assets left on the exchange and disappear) and often exhibit breathtakingly poor security management ^[11].

But the bigger problem is that the risks of crypto exchanges are global, and even strong Australian regulation can’t protect against turmoil elsewhere. The effects of the collapse of, or a crackdown on, exchanges in one part of the world often ripple around the globe ^[12], as validators find it impossible to translate their crypto rewards from securing a network into a fiat currency that’s more widely accepted—and so drop out of the system entirely. As validators are eliminated, protocol security declines.

The sky-high price of bitcoin today shows that the concerns about crypto exchanges have certainly not tanked the market for cryptos just yet, but that doesn’t mean that all is well in the industry. Instead, it points to another vulnerability with crypto exchanges: their shallow pools of liquidity and dependence on opaque digital assets to prop up crypto prices.

The small size of crypto markets makes them highly vulnerable to manipulation ^[13]. Though Bitcoin’s market capitalisation recently rocketed to a notional value of more than US$770 billion ^[14], so few coins are tradeable that one recent sale of 150 bitcoin was enough to drop the spot price by 10% ^[8]. And markets for all coins are plagued by pump-and-dump schemes ^[15], in which large market players exploit a lack of liquidity to artificially inflate the price of smaller coins before selling large holdings at excessive values.

Similarly troubling is the curiously central role of tether coins ^[16] to the crypto ecosystem. Tether is a so-called stablecoin—a cryptocurrency designed to maintain parity with a particular fiat currency (typically the US dollar). Tether Limited has admitted in court that it doesn’t have the dollar reserves to fully back all outstanding tether tokens, and is being investigated by the New York attorney general ^[17] for fraud. Nevertheless, tether has become crucial to the functioning of cryptocurrency markets and has a daily trading volume greater than that of the next three cryptocurrencies combined ^[18]. It also appears to be closely associated with, if not the direct cause of ^[19], bitcoin’s recent price explosion.

An ecosystem that is heavily dependent upon the vagaries of an opaque asset, that trades in shallow pools of liquidity vulnerable to manipulation and that has no institutional safeguards against technical mishaps is inherently insecure. No action that Australian regulators could take on their own would be sufficient to truly defang such structural risks. Investors who choose to speculate on such a product of course remain largely free to do so, but regulators will need to strictly scrutinise any proposed use of crypto to underpin public services (as countries such as Georgia ^[20] are doing) or as a central component of the financial system.