Issue Brief: Volume 6, Number 9

Regulating Initial Coin Offerings (ICOs)

Author: David Hoffman, Professor of Law

In 2017, Bitcoin vaulted from the fringes of popular media to become one of the ubiquitous financial stories of the year. The price of a single bitcoin hit nearly $20,000—up from a nickel in 2010—as widespread demand for cryptocurrencies (and information about them) skyrocketed.[1]


  • Initial Coin Offerings (the process for raising funds for a business venture through the establishment and sale of a new cryptocurrency) are attracting a great deal of interest—in 2017 alone, an estimated 370 ICOs raised around $6.2 billion—but they are not well understood.
  • ICO transactions are based on “smart contracts”: automated rules, designed by programmers, to govern the functionality of the digital cryptoassets sold in ICOs. In theory, transactions based on smart contracts do not require human oversight, as the computer code embedded in the contracts is supposed to ensure proper governance.
  • But an analysis of the 50 ICOs that raised the most capital in 2017 reveals a troubling trend: for many ICOs, the software code does not deliver what the ICO promises in its investor disclosure documents. ICO code often fails to ensure key investor protections, and sometimes provides founders with significant, undisclosed authority to alter investor rights.
  • Currently, there is no ICO regulatory regime comparable to what the SEC and state securities regulators provide for IPOs. Policymakers would do well to develop a regulatory environment that can help the ICO market mature, particularly in the accurate encoding of smart contracts. But they first will need to understand who is on the buy side of ICO transactions­—and whether they warrant protection.

With this rise in price and interest, the technology underlying Bitcoin has evolved significantly, enabling a range of new projects with more advanced features. This innovation has led to the explosion of another “crypto” phenomenon that has received comparatively much less mainstream attention than the Bitcoin craze: the ICO, or Initial Coin Offering. It is important that policymakers understand that 2017 was not just the year of Bitcoin; it was also the beginning of an ICO tidal wave.

The largely unregulated process known as an ICO allows a start-up, or even an established corporation, to mint[2] and sell its own digital “token” to raise funds—either in the form of cash or another cryptocurrency like Bitcoin, Ethereum, or Ripple—thus bypassing traditional capital markets and avenues for venture financing. But unlike its namesake, the IPO, an ICO does not typically involve the sale of equity in (or governance rights pertaining to) a corporation. Instead, ICO participants buy an asset—a token—that enables its holder to use or govern a network that the promoters plan to develop with the funds raised through the sale.[3] It would be as if Coca-Cola had funded its initial deployment of vending machines through the sale of tokens its machines might one day require. For ICOs, however, the tokens and the “machines” they operate are digital. They exist on the Internet, embodied in software code.

ICOs expand the role played by computer code in governing transactional relationships. Laws, regulations, contracts, and commercial norms heavily mediate traditional capital market transactions. ICO transactions promise to augment, and perhaps replace, those intermediaries by embedding controls within “smart contracts.” These smart contracts—automated, “if-this-then-that” rules that programmers can design to govern the functionality of the digital cryptoassets sold in ICOs—are the key forms of software driving this innovation.[4] Smart contracts may be digital and automated, but they structure real-world relationships. ICOs are therefore both a financial innovation and a technological one, where promoters attempt to effectuate their promises to investors through computer code, rather than by traditional contract. At the same time, the smart contracts on which ICOs are built may be a regulatory innovation: human oversight of these transactions is supposed to be unnecessary because the embedded computer code ensures proper governance.

Figure 1

ICO Capital Raised in 2017 (By Month)

That ICOs are a potentially powerful financial tool is undeniable. Already they have enabled a widened range of potential investors to support the development of new, software-based enterprises.[5] In 2017, an estimated 370 ICOs raised around $6.2 billion.[6] By July of 2018, an additional 430 ICOs had raised almost $17.2 billion.[7] At the same time, though, ICOs are ripe for fraud and exploitation. Government-led ICO investigations at both the federal and state levels have resulted in criminal charges for fraudulent and unregistered sales.[8]

Given the amount of capital in play, and the clear existence of at least some bad actors in the ICO marketplace, legislators and regulators would be right to question the quality of ICOs. Do ICOs actually deliver what they promise? Answering that question carries significant policy implications, and requires that we take a closer look at the smart contracts that make ICOs possible.[9]

In the first detailed analysis of the inner workings of ICOs, we surveyed the 50 ICOs that raised the most capital in 2017. Simply put, ICO software code and ICO investor disclosures often do not match. In a financial ecosystem built around the proposition that regulation is unnecessary because code is the final guarantee of performance, the absence of coded governance protections is troubling. We further discovered that at least some popular ICOs not only have retained the power to modify their tokens’ rights, but also have failed to disclose that ability in plain English. In this Issue Brief, I summarize the results of the research I conducted with several colleagues and offer some specific considerations for the future gatekeepers and regulators that this space needs.[10]

The Three Promises of Coin Promoters

In the traditional IPO context, the SEC and state securities regulators oversee issuer activity from soup to nuts. As of 2017, no similarly clear regime was in place for ICOs. In lieu of the heavily lawyered products of IPO documentation, the ICO market coalesced on an informal document known as a “white paper.”[11] Cryptoasset white papers are public documents, hosted on issuers’ websites, which describe promoters’ plans for development and solicit community involvement. The legal status of such documents is unclear.

We analyzed the relationship between the “paper” promises made by ICO promoters in their offering documents and white papers, and the actual functionality of the digital assets they deliver. We established actual functionality by examining the smart contracts associated with each ICO, along with the broader software environments (i.e., “distributed ledgers” or “blockchains”[12]) through which those smart contracts function.

The fifty firms we studied raised a total of $2.6 billion in revenue at their ICOs, and the notional initial market cap was $3.8 billion. The business sectors in the sample varied, with most being located in infrastructure (14), trading (8), payments (7), and other aspects of finance (5).[13] In the sample, 12 (25%) were headquartered in the United States, 9 (19%) in Switzerland, and the remaining in variety of countries, including Singapore (5), England (2), Russia (2), Estonia (2), and Thailand (2). By May of 2018, six of the projects had not released any kind of alpha version or demo of their project.

We evaluated our sample on three aspects of governance that ICO proponents have claimed can be delivered through code, and which economic theory suggests should be salient to ICO investors. Without spending a large sum of money purchasing the time and know-how of a very motivated and talented reverse engineer, an investor would be restricted to relying on these promises as articulated in promoters’ white papers and sales documents.

  • First, did ICO promoters make any promises to restrict the supply of their cryptoassets? Were these promises enforced using smart contracts? A purchaser’s protection against wanton inflation of supply comes directly from the cryptoasset code. Maximum supply of a cryptoasset can be specified and enforced (or not) via the code comprising the cryptoasset itself. Supply caps are a typical part of an ICO’s marketing materials, although some cryptoassets lack this feature.[14]
  • Second, did ICO promoters pledge to restrict the transfer of any cryptoassets allocated to insiders according to a vesting or lock-up plan?[15] Were these pledges built into smart contracts? A vast majority of promoters in our sample made vesting promises in their sales documents. Most vesting schemes are time-based but provide few of the other contractual conditions that accompany traditional stock vesting. Examining how vesting promises are enforced using smart contracts–if at all–sheds light on whether investors should be confident that a project’s key people will not run off with their newly-raised capital.
  • Third, did ICO promoters retain the power to modify the smart-contract code governing the tokens they sold, and if so, did they disclose that they had allocated themselves that power? Because cryptoassets are defined by smart contracts, whether those smart contracts are modifiable should profoundly impact price and receive intense investor scrutiny. But our data suggests investors pay little attention to even simple non-technical markers of quality; it’s thus incredibly unlikely that they have the technical skills to monitor a development team’s use of modification.

An ICO that promises particular governance terms but does not encode them is not delivering on an archetypal feature of this financial form. According to those who argue the ICO is novel—so novel as to deny the need for wise intermediaries, VC vetting, and regulators with teeth—it is the immutable, transparent code that enables (and creates) a trustless but trusted market. Yet thus far, there remain good reasons not to take promoters at their word.

The Results: Promises Unfulfilled

These are the results of our analysis, which compares promises made to investors with cryptoasset software and code. For each listed promotion, we scrutinized the white papers, token sale agreements, and computer code posted by the promoters:

  • Of the 50 tokens, we audited the code of 46.[16]
  • Overall, only about 2 in 3 firms that we audited (31 of 46) encoded a supply restriction, even though about 90 percent (41 of 46) promised it.
  • Only 37 of the 46 auditable issuers promised vesting in their marketing documents or white papers. Of those that promised to vest, the vast majority (29 of 37) apparently did not use smart contracts to encode those rights.
  • Modification is rarely discussed in marketing materials: only 7 of the 50 firms discussed the token’s modifiability in their marketing materials or soft contracts. But overall, 10 of the 50 firms permit modification through their code, 60 percent of which (6 of 10) did not discuss modification but still encoded it.

To sum up: there are significant differences between code and contract in our sample. These results demonstrate that ICO code often fails to deliver key investor protections, and sometimes provides founders with significant, undisclosed authority to alter investor rights. While ICOs are promoted by an industrial community that espouses techno-libertarian beliefs in the power of the “trustless trust” and carefully designed code, actual ICO practices do not uphold that ideology. Promoters are making governance claims modeled on traditional equity-based rules intended to reduce agency costs, but they are not encoding those promises into the decentralized systems undergirding their projects’ purported sky-high values.

Who is Buying?

If investors know about the problems we have identified, then the makeup of the top 50 ICOs suggests that they don’t much care. We would expect to see (all else equal) higher capital raises by teams that faithfully coded supply and vesting protections, and also disclosed their modification powers. But we find no evidence of that effect in our sample. It is also worth noting that ICOs, like stocks, have developed a wide range of secondary information sources, including “ratings” websites. But most of these raters do not vet smart contract code, and there is essentially no emphasis on checking that coded governance actually happens.[17]

So how should regulators, legislators, and scholars think about these problems? Some see evidence of fraud and call for the whole market to be shut down.[18] Others would like the state to keep out.[19] For the pragmatists out there, the answer depends a lot on who is investing in ICOs, and why.

We see four archetypal participants on the buy-side in the ICO market. Each has different implications for how to interpret the sell-side picture we have painted in this Issue Brief. Gaining a better read on the precise ratios and combinations of each will be a key next step for policymakers who deal with ICOs.

1. Bubble Speculators:

A lot of people have jumped headlong into cryptocurrencies. A bubble would be the least surprising and most manageable version of the ICO market we are living through. Regulators would simply need to focus on popping the bubble with better informational requirements.

2. Criminals:

Many signs suggest that a material portion of cryptoasset demand is driven by money-launderers, tax evaders, and other holders of illicit cash. Recently, this has been made salient by allegations that Russian hacking of the Democratic National Committee in 2016 was bought and paid for using Bitcoin.[20] Indeed, one recent paper found that approximately half of all Bitcoin transactions were associated with some form of illegal activity.[21] Another found that the imposition of “Know Your Customer” policies designed to enforce tax and anti-money laundering laws shrank ICO returns.[22]

3. Crypto Gamblers:

ICOs might serve as a decent place for “Bitcoin millionaires”—investors who raked in large gains on early investments in Bitcoin and Ethereum—to park and diversify winnings that are trapped in crypto purgatory. Or, investors could just be gambling with house money. There is preliminary evidence supporting this idea. Specifically, one time-series analysis suggests that blockbuster ICOs have negative effects on Bitcoin and Ether prices.[23]

4. Smart Money:

Anecdotal reports indicate that a wide range of old-growth VC firms, hedge funds, and family offices are, in fact, investing in ICOs.[24] Are “smart money” investors doing the heavy analytical lifting in the ICO market? It is hard to say. If that were the case, we would expect to see greater price sensitivity to promoters’ broken promises. Smart money investors would have the best access to sophisticated technical tools used to monitor what ICO teams are actually doing with their software code—and whether they are making good on promises in their sales documents.

Based on the strong evidence that smart money is not leading this market, it can be tempting to cast doubt on all aspects of ICOs, including smart contracts. Though it will take future research to prove it, the ICO buy side today looks like a mixture of a bubble and an illicit market, with some smart money riding its coattails.

Takeaways for Policymakers

ICOs are not inherently a scam, and smart contract code has enormous promise as a regulatory innovation.[25] But their promise and their present form are miles apart. Policymakers might do well to look beyond the bubble (and its certain fate) and help the ICO market mature beyond this first experiment in blockchain governance. Here is what policymakers should take away from our findings:

Before all else, unmask the buyers. Optimal regulation depends heavily on a better understanding of the buy side of the market. Policymakers need to know whether a substantial fraction of market activity raises genuine consumer protection concerns, or if the market is driven by money laundering and or other illicit activity instead. While the bursting of the ICO bubble would certainly provide some insight, proactive investigations could be more enlightening. Policymakers should consider building out regulatory capacity to police this market.

The biggest flaw with ICOs: No one reads smart contracts

Code has the potential to be a substitute and complement for legalistic governance mechanisms in financial contracting, but smart contracts are extremely difficult to read and, in practice, no one actually reads them.[26] The community of people who are able to vet and audit smart contracts has much room to grow. As it does grow, and as existing institutions develop vetting capacity, we would expect to see quality improve. Smart contract code was supposed to render traditional intermediaries useless, obviate the need for regulation, and reduce transactions costs for participants. Without those justifications—or without a move in the direction of regulation—it is difficult to see ICOs as anything other than regulatory arbitrage.

Investors and honest coin promoters want intermediaries

Some firms are encoding their promises, though it’s not obviously rewarding to do so. Others are working to create intermediaries and certification regimes despite the contrary incentives present in a sharply rising market. Although our research shows that computer code is not presently a reliable part of the ICO form, it also strongly suggests that an increased presence of gatekeepers and regulators might help that process along. The rise of trusted intermediaries appears to be the next necessary step in the maturation of the ICO market.[27]

Rewarding Good Actors Should Be As Important as Punishing Fraudsters

On the one hand, creating new coins and selling them through an ICO is a project that is ripe for fraud and should be policed. On the other hand, smart contracts and blockchains may end up being as revolutionary as their proponents suggest, so it is important to support a regulatory environment that rewards honest actors for accurately encoding promises made to investors, without creating new barriers to entry that protect first-movers. For these efforts to be successful, it is imperative for policymakers to understand the contours of ICO transactions, and the institutional environment in which they take place, in detail.

About the Author

David Hoffman, JD
Professor of Law, University of Pennsylvania Law School

Dave Hoffman, an expert in contracts, law and psychology, and empirical legal studies joined the Penn Law faculty in January 2017. From 2004 through 2016, he was a professor at Temple University’s Beasley School of Law, where he was, most recently, the Murray H. Shusterman Professor of Transactional and Business Law. Professor Hoffman won Penn’s Harvey Levin Award for Teaching Excellence in 2018.

Hoffman’s scholarship uses observational and experimental data to explore individuals’ behavior relating to legal rules. His recent work on contracts, for example, investigated whether millennials have developed a distinctive set of views about promising which relate to their experiences with online commercial transactions. In current work, Hoffman is exploring the frontiers of contracting—how firms use form contracts as brands to better engage users with exchange platforms; whether (and how) to regulate nondisclosure agreements about sexual harassment; and the contractual documents governing Initial Coin Offerings.

Before joining the legal academy, Hoffman was a litigation associate at Cravath, Swaine & Moore LLP in New York City and a law clerk for Judge Norma L. Shapiro of the Eastern District of Pennsylvania. He earned his JD from Harvard Law School and a BA in archeology and history from Yale University.

[1]See, e.g., Google Trends, using search terms such as “Bitcoin” and “Cryptocurrency.”

[2]Minting is the process of creating new cryptoassets (i.e., tokens or coins). Often, the new coins created for an ICO are minted using the system established by Ethereum, using that community’s coding standards (specifically “ERC-20”).

[3]While an ICO can occur after a network has been built, the core practice is to raise funds pre-development.

[4]Smart contracts were first introduced by Nick Szabo, who drew inspiration from the “humble vending machine,” in “Formalizing and Securing Relationships on Public Networks,” FIRST MONDAY, Sept. 1997. Today, smart contracts exist on the Ethereum blockchain. Some are written in a complex, hard-to-read coding language known as byte code.

[5]Nathaniel Popper, “Dealbook: Easiest Path of Riches on the Web? An Initial Coin Offering,” The New York Times (June 23, 2017).

[6] We have observed a number of instances where reports of market capitalization greatly exceed what we have been able to identify on blockchain explorers like Solely to ease exposition, we use market values (in US dollars) reported by widely used coin data sites.

[7]All data is from

[8]For background on federal and state investigations of ICOs, see and (discussing SEC enforcement); and (highlighting NASAA and Colorado State enforcement actions).

[9]See, e.g., Kevin Werbach, “Trust but Verify: Why Blockchain Needs Law,” 32 Berkeley J.L. & Tech. (forthcoming 2018).

[10]Issue Brief is based on Shaanan Cohney, David Hoffman, Jeremy Sklaroff & David Wishnick, “Coin-Operated Capitalism”, 119 COLUM. L. REV. (forthcoming 2019).

[11]Iris M. Barsan, “Legal Challenges of Initial Coin Offerings,” 3 Revue Trimestrielle Du Droit Financier 54 (2017).

[12]Blockchains are the publicly or privately distributed ledgers for cryptocurrencies.

[13]All sectors in the top 50: commerce & advertising, data storage, energy & utilities, finance, gambling & betting, gaming & VR, health care, identity & reputation, infrastructure, legal, social media, trading & investing, and payments. We use the sectors provided by

[14]For example, there is no cap on the amount of ether that can be created. Indeed there is heated debate about whether this is a desirable feature of Ethereum or not.

[15]The story of a project called Matchpool demonstrates how the absence of coded vesting rules can result in mischief. Within days of a reported $5.7 million ICO, one founder departed from the project and wrote that his cofounder, the CEO, had withdrawn 37,500 ether from the wallet without explanation. See Nick Tomaino, Tweet (Apr. 5, 2017, 3:46 PM):

[16]Three remained in byte code, which we did not have the capacity to read, and one, FileCoin, which raised the most money in the sample ($257 million), has not released any code or token.

[17]Jonathan Rohr and Aaron Wright, “Blockchain-Based Token Sales and the Democratization of Public Capital Markets,” 97 Cardozo Leg. Stud. Res. Paper No. 527 (2018) (suggesting that failure to list code in an open source site “may signal ulterior motives on the part of the party selling the token”).

[18]This has been the approach taken, for instance, by regulators in China and South Korea.

[19]Max Raskin, “The Law and Legality of Smart Contracts,” 1 Georgetown Law & Tech. Rev. 304 (2017) (arguing for a light hand on smart contract regulation).

[20]Jordan Pearson, “The Russians Who Allegedly Hacked the DNC Mined Bitcoin to Fund their Operation,” Motherboard (July 13, 2018).

[21]Sean Foley, Jonathan R. Karlsen, & Talis J. Putnins, “Sex Drugs, and Bitcoin: How Much Illegal Activity is Financed Through Cryptocurrencies?” (unpublished manuscript).

[22]Jongsub Lee, Tao Li, & Donghwa Shin, “The Wisdom of Crowds and Information Cascades in FinTech: Evidence From Initial Coin Offers,” (unpublished manuscript) (June 2018).

[23]Christian Masiak, Joern H. Block, Tobias Masiak, Matthias Neuenkirch, and Katja N. Pielen, “The Market Cycles of ICOs, Bitcoin, and Ether,” (unpublished manuscript).

[24]See, e.g., Olga Kharif & Camila Russo, “Venture Capital Surges Into Crypto Startups,” Bloomberg (Mar. 26, 2018).

[25]On the contrary, economic theorists have recently begun developing models that show the potential for cryptoassets to unlock information and value for investors during the early stages of an entrepreneurial venture. See note 21 in my paper for more.

[26]The obvious allusion is to ordinary contractual fine print. See Yannis Bakos, Florencia Marotta-Wurgler, and David R. Trossen, “Does Anyone Read the Fine Print? Consumer Attention to Standard Form Contracts,” 43 J. Legal Stud. 1 (2014) (finding vanishingly low reading rates for traditional contracts).

[27]The SEC, with its newly developed “Cyber Unit,” is increasingly active in patrolling the scene. Other regulators, along with courts, will also contribute to increasing formalization of ICO code standards. See Press Release, SEC, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors (Sept. 25, 2017), available at