Auditing Crypto-Financing

Courtesy of Vanessa Villanueva Collao and Verity Winship

Distrust in traditional intermediaries after the financial crisis incentivized the crypto community to develop private coinage and to allow different applications (software platforms) to function as a vehicle for funding startups through the Initial Coin Offering (ICO) process. The self-executing nature of smart contracts enabled decentralization and promised a world without suspect middlemen.

However, the elimination of intermediaries has intensified the need to address investor confidence in the marketplace and the perennial problem of fraud in financial markets – or crypto-lemons. Our recent article, The New ICO Intermediaries, assesses three potential functions of a new intermediary: (i) translating the code, (ii) reconciling the code with other materials, and (iii) verifying offline/off-chain activity. It identifies critical areas in which the new intermediaries might act in the interface between the offline world and digital realities. This framework addresses the difficult sorting questions about what can be automated, and what (still) needs outside validation and review.

Is there a role for intermediaries in the ICO process?

One current goal of venture capital is to provide financing through ICOs, a process where participants send funds (fiat or cryptocurrencies) to a smart contract designed to issue an equivalent value of tokens or coins. Unlike IPOs, the ICO launch provides little information regarding the project itself. As the crypto market diversified the investor base, the practice of issuing a white paper developed over time as a primary source of information on a given ICO. Some regulators treated the white paper as a prospectus, underemphasizing the real source of the investor’s information – the code. The increasing asymmetry of information between retail investors and coders gives rise to the need for an intermediary in the ICO market.

Certainly, introducing new intermediaries conflicts with the most utopian view of the crypto community. However, the actual investor composition in the ICO market requires the ability to read, deconstruct, and analyze the feasibility of the encoded project. Particularly for investors who are not code-literate, this task cannot be accomplished without the aid of an intermediary. 

ICO Auditors—A New Intermediary in the ICO Process

ICO auditors resemble the traditional auditors of the capital markets, acting as reputational renters, reviewing the startup’s operations, and bringing market transparency by signaling the quality and reliability of the project audited. The difference is that they need to bridge the elements of the ICO process, namely the code, the white paper, and in some circumstances, related offline activity. The intermediary’s role continues through all the phases of the ICO, verifying the information during the minting process and protecting the private interests of investors in smart contract projects, as well as comparing the information in the code with the information provided after the ICO has taken place.


Pre-ICO crowd review of the code is not an easy task, even for experts. Several of the smart contract projects are released in a machine-readable form such as bytecode, which is publicly available but not easily accessible. Even when the code is accessible, the crowd of coders potentially achieves the technical audit but falls short on the legal audit side.

To some extent, the practice of enhancing legal compliance is advanced through white paper writing and consulting. For example, CodeLegit has established partnerships with law firms to provide a complete package of security in cyberspace and the real world. Nevertheless, the uncertainty about how these assets and activities will be regulated requires more than technical audits and mere legal compliance that ignores the encoded promises.

Thus, the auditor’s function coincides with that of a reader and translator, who can inform investors of the ICO’s essential encoded terms. In other words, it requires translation by an actor who can both read the code and translate it for others.


The reconciliation function is all about the intersection between the code and other human-readable information, such as information released through white papers and social media. Some of the promises are found in the code, which also contains the operational aspects of the project, while other promises are spread all over the media and white paper releases.

Hence, the ICO auditor reconciles and links all these promises. The purpose is to ensure that additional promises made in white papers (or elsewhere) are actually encoded, and therefore enforceable: a mind-the-gap function reviewing the correspondence between human-readable and encoded promises.

The white paper might have a unique role when promises that may be important to investors and ICO promoters – and that are routine in lawyer-drafted contracts – are difficult or impossible to encode. One such example is force majeure or hardship clauses, which would appear in a lawyer-drafted contract, but that, even if included in a white paper, would be difficult to express in code.


This last category addresses the persistent intersection between the digital and offline worlds. It is important to know whether offline conditions are satisfied, even more so in an area of the law dealing with contractual agreements, the intention of the parties, and the conditions imposed. In smart contracts, aspects of the contractual language, the denotational aspects, do not appear. Thus, verifying the offline performance of a condition remains a task that cannot be executed through the code alone. This function goes beyond what is customarily done through code publication, i.e., security audit. Hence, it is not centered on the project’s operational feasibility but on legal compliance.

Indeed, knowing the offline identities of the parties may be necessary for investors. They may want to better assess the credibility of ICO promoters’ credentials, particularly in an opaque scenario where this identity is deliberately obscure.

The impossibility of entirely eradicating intermediaries has opened the door to middleware, such as oracles. The oracle works in a centralized way, drawing on multiple external sources that are themselves centralized. Oracle intervention is the connection between the real and digitalized world, since it is linked to real-world situations, enhancing trust in the flow of information transmitted. Thus, issues with contractual conditions or ambiguous terms can be mitigated through oracles, not only by checking that the program is doing what it is supposed to do but also by validating the results.

Furthermore, another example that requires verification is the launch of anti-bitcoins, better known as collateralized stablecoins, which increases the risk of market manipulation in the ICO scenario. The off-chain collateral requires an external audit to assess the amounts collateralized and, at the same time, preserve decentralization.


All of these functions aim to give investors information in order to make an informed decision before embarking on a poorly regulated token transaction. The auditor’s role is not only backward-looking – assessing the existing white papers and other information – but its task may involve ensuring the quality of the information in the white paper or even drafting the white paper based on its reading of the code.

ICO auditors are not a panacea. They face some of the same issues as traditional financial auditors and other gatekeepers, which emphatically revolve around auditors’ independence from the companies they audit.

Despite these caveats, in a decentralized and disorganized market that crosses jurisdictional boundaries, ICO auditors as third-party intermediaries may serve an important role.
