Validity & Security
May 30, 2023
Introduction
This page is analogous to the occasional "Trust & Safety" statements in web2 ecosystems. However, for our real-world asset (RWA) attestation and support services (currently limited to bankruptcy claims) for on-boarding into web3, we find that reassurances on validity and security are more accurate.
The philosophy is not having to "trust" that a bankruptcy claim (represented by an NFT) is valid, but incorporating sufficient evidence for parties with a need to know to independently verify with sufficient confidence that such claim is valid. Because the evidence inherently contains some private data, we discuss how it is secured by encryption and access control.
These containments of fraud and personal information abuse both support the safety of the ecosystem, enabling parties to efficiently trade claims or productively unlock capital in exchange for yield.
Claim Validity
The hallmark of a valid NFT bankruptcy claim is its ability to be minted after passing due diligence which is replicable. A "claim evidence" section is added to the metadata of each NFT, containing proofs that are verifiable manually or programmatically. Only actual or prospective purchasers or lenders with a need to know can access the evidence containing private data, which is stored encrypted.
Documentation Supporting the Claim
The “claim evidence” section contains mostly emails sent by the claims agent and an assignment of claim, but might include other documentation.
If a claim transfer to a claim administrator such as the planned private foundation was filed with the court, a public link to the filing will be present in the NFT metadata.
Email Evidence
The NFT metadata generation process requires original emails received by claimants from the CEX or claims agent confirming their claim. Claimants must also confirm their email during the claim on-boarding. If the email is authentic, it confirms the minter's control of the claim.
Court Records Check
We check if the claim was transferred to another party on the bankruptcy case docket or is involved in legal proceedings, so as to not authorize their minting. This information is publicly verifiable by traditional means without the need for data attached to the NFT. However, we might host open-source tools to make these checks more accessible.
Facultative Video Verification and KYC
In addition to email verification, claimants can verify their ID matches the claim holder name and confirm the claim on-boarding in video; then a KYC attestation (not hard proof) would be added into the NFT metadata. This is an extra step that involves trust in an attestation, but does not change that validity is ascertainable independently by other means (i.e., by email signature verification and by an uncontested transfer on file with the court). We will not share data from the KYC process (held until claim resolution), unless required by legal process in the US (or Singapore for future cases in Singapore).
This step is facultative at least for claimants with locked value under $10,000, and will likely remain requested for claims from $10,000.
NFT Collection Tiers
There will be different NFT collections representing different tiers of claim verification. Once deployed, the verification requirements are immutable. This ensures marketplace participants can transact according to their risk acceptance simply by logical organization of the collections.
For illustration, there may be a collection for claims under $10,000 with no KYC, a collection for claims under $10,000 with KYC, and another collection for claims over $10,000 with KYC.
AML
In addition to the Court Records Check, per our terms, the claimant represents and warrants that the assets owed to the claimant by the bankrupt entity were lawfully obtained and owned by the claimant, free from any connection to, or involvement in, money laundering or other illegal activities. If the new claim owner finds any such connection or involvement, the new claim owner shall have the right to cancel the purchase and the claimant shall promptly refund the purchase price. In such conditions, a lender may similarly cancel a loan.
Sanctions / Enforcement
An attestation of the country and state in which the minter was based (relying, for example, on the IP address used when on-boarding for small non-KYC claims or document country if KYC was completed) is posted in the NFT metadata (not the information itself) for parties with a need for sanctions compliance or wanting to deal with counterparties in specific jurisdictions.
Since the bankrupt CEXs usually did not on-board sanctioned customers and the on-boarding process has a Court Records Check, much efforts should not be necessary.
Additional Requirements in Private Deals
When transacted P2P rather than by market order, purchasers or lenders may customize more validity checks or other requirements in addition to the existing metadata.
Legal Security
Legal Agreements
Contractual rights are evidenced in the NFT metadata. We forked the legal agreements used by the top bankruptcy claims marketplaces, and a redline is available to review minimal modifications (essentially for Claim NFT On-Boarding Consent, Cooperation and Compliance).
These model agreements have been used routinely for successful claim assignments and transfers on file with the US Bankruptcy Courts. Once the transfer is noticed and uncontested, recovery should be paid out to the transferee (subject to legal processes and remedies).
Self-custody or Administration
Unlike an order book model on a CEX that may require transfer of the claim to an administrator or trustee, our model makes self-custody possible (not just of the token but also the claim itself).
Given it is not efficient to record claim transfers with the courts (which charge $26) after every blockchain transaction, optional administration through a private foundation may also be offered. At this time, we are considering Panama for the jurisdiction, which guarantees property rights constitutionally and enables private foundation assets to be entitled to certain beneficiaries. Ideally and with the claims agent's cooperation, the foundation might be able to direct payments directly to beneficiaries without temporarily having custody for distribution. The NFT holder would be a beneficiary who can elect to whom the distribution shall be made. Otherwise, the distributors would be lawyers and paralegals with trust accounts and ethical accountability in the handling of funds.
Protections Against Hacks
The NFT contract currently does not have an audit or bug bounty. The ERC-721 contract is based on the OpenZeppellin standard and incorporated changes essentially for minting authorization, which was tested with Foundry.
Legal security is a positive aspect of tokenizing bankruptcy claims versus assets living on-chain only. The final distributions remain under the jurisdiction of the bankruptcy court, which can protect creditors in cases of misappropriations of claims such as a hack on the infrastructure.
In case of an individual hack, we have a finality clause in our legal agreements, which gives a previous claim holder a week to dispute an NFT transfer in arbitration. This period is limited to a week due to transaction finality being important for the counterparty and further transactions. We recommend monitoring transfers out of your wallet and may even implement monitoring infrastructure to alert you.
Updateable Contract and Enforcement of Legal Process
Given these considerations, the contract is updateable and we may transfer ownership of an NFT if ordered by legal process either by arbitration or court. Again, an improper transfer of ownership (even by us) can be contested with legal remedies.
In a future contract upgrade, we would like the arbitration and enforcement of legal process to be trust-minimized with on-chain conditions, an oracle and/or decentralized justice.
If any aspect of the current centralization causes a concern for minting your NFT, we are happy to discuss ways to increase decentralization and consider a new, more decentralized collection.
Cybersecurity
Aside from the web3 security necessary for the smart contracts, wallets and encrypted data on IPFS, we handle information prior to the minting of claims and keep records that are necessary for our support functions such as attestations of KYC and the sharing of due diligence to prospective buyers or lenders. We will implement good security practices and standards, and will update this section.
Summary of Trust Assumptions
Opt-in custody of claims by a private foundation or administrator chosen by the minter
Opt-in attestation of information not included on the chain or metadata such as KYC
Trust that we will not misuse or breach data that is to be shared with bona fide parties only (at least initially as more on-chain access control may be implemented)
Stewardship of contract functions, including contract upgrades (at least initially) and enforcement of legal process
If you think we forgot some trust assumptions, let us know and we will gladly add more disclosures.
Dependencies and Supply Chain
We currently use the following solutions and providers (and might use some more), which might introduce security risks.
Lit Protocol* for encryption/decryption of claim evidence
Microsoft for forms, cloud hosting and business productivity
KYC providers Veriff or KYCAid (facultative for claims under $10,000)
--
*Risk of failure in the crypto methods or compromise of nodes. Lit responded they would share reassurances on node security practices, expects to release the node code in May 2023, has a bug bounty and has pending audits in addition to a past one.
Disclaimers
We do not guarantee the validity of bankruptcy claims; our role is providing an on-boarding process for parties to independently verify with sufficient confidence according to their risk acceptance. We do not guarantee any results as a consequence of the processes described herein. We do not give legal or professional advice, only general information. See also the full terms and conditions and privacy policy.
Changes
This is an early version subject to modifications based on feedback from the blockchain and legal communities.
Last updated