Threat models in tokenization systems

Distributed LabBlogThreat models in tokenization systems

It’s interesting that in the case of today’s hack of Tether, nothing was actually stolen — although newsmakers have already been spreading the news to everyone, and some exchanges suspended their trading. The fact is that stolen tokens can only be redeemed with Tether, and transfers between accounts are controlled by their own wallet.

It makes an excellent case for illustrating threat models in tokenization systems (let’s call these public blockchains with centralized governance).

Unlike crypto-currencies, in which there is no central issuer, transactions are irreversible and there is no need for the agreement of all parties to the transaction — digital assets are subject to entirely different conditions, as follows:

  1. There is a concept of collateral
  2. The issuer creates digital tokens backed 1:1 with collateral
  3. Transaction processing takes place according to rules established by the system
  4. Audit of the collateral security and correctness of transactions is carried out

Storage, emission, processing and audit are four different processes that could be performed by separate organizations. In the real world, things works exactly like that. In the case of crypto currency, all actions are performed by one system (which in the end will make sense for all currencies, but that would be a topic for a separate post). Tether is somewhere in between. Further ideas on this topic can be read at

Yet in the case of physical assets, the situation is different. There is the role of the custodian, responsible for the storage of the asset. (If you were to tokenize receipts for cheese in a warehouse, should someone be responsible for its security?). As soon as someone becomes a client of the system, they explicitly signal their complete trust in the custodian, yetmay have recourse to external audit. In this case, trust in the transaction processing is of less significance (since the most serious offence would be stealing the collateral, not defrauding your own balance).

In Tether’s case (just as with any other digital asset), if you trust that they keep the money on account at a bank in Taiwan, then you have already agreed that the company will resolve conflicts in transactions at its own discretion — in cases where you can prove that tokens were stolen, and not transferred in exchange for something. In the future, any unified asset (gold, ownership rights, etc.) will be tokenized by multiple companies, and they will compete for users. Competition will be based on the quality of service, the speed of transactions, the reliability of the audit and the reputation of the company itself.

Illustration by Katerina Krashtapuk
Pavel Kravchenko
About the author

Founder & cryptographer