🛢 Tokenized Custody Transfer

A high-potential project I am involved in examines the possibility of connecting flow meters via a secure gateway to a distributed file storage system that makes data measured during custody transfer of crude oil or gas transparent and immutable. More specifically, each metering rig and the components used during custody transfer must be uniquely identifiable and certified. The measurement results, together with identification properties of the metering components, can be written to a distributed ledger system in real time and linked to the batch number of the product. Each participating stakeholder in the system continually replicates and saves an identical copy of the ledger. The system should employ a chain of blocks to provide a secure and valid distributed consensus between all stakeholders during custody transfer. With the key features of notarization, immutable data storage, and transparent real-time data, the stakeholders will receive enough security to handle their business processes via the platform. Each stakeholder would have the opportunity to compare their own measurement results with other measured values for the same batch, enabling a higher degree of transparency and process automation in a trustless environment. The concept was developed by Thibault Paulet, Dr. Florian Stengele, and myself.


The oil and gas (O&G) industry is a global giant, comprising myriad companies, providers, governments, and regulatory bodies. Crude oil and gas are some of the most globally traded commodities handled by this industry, being a raw source that can be refined to supply most of the world’s energy needs, including gasoline, diesel, and several petrochemicals.

Today, this industry is mainly siloed and dominated by proprietary databases and infrastructures. This encompasses complicated and centralized ledgers to track, manage, and record data. While these systems are difficult and expensive to maintain, they are open to manipulation, hacking, and corruption. In keeping with this, countless opportunities for transparency, efficiency, and optimization regarding data processing exist.

This report outlines the current state-of-the-art technology in the oil & gas industry with regard to custody transfer, the process of handing over oil and gas from one stakeholder to the next. We will continue by combining the concepts of IoT and blockchain technology and elaborate on the advantages of doing so. Finally, we will propose how this vertical use case can be realized in a blockchain infrastructure, and conclude with our vision for this project.

Oil & Gas 101

In this section, we will provide an overview of the O&G industry and its use of sensors to automate processes during custody transfer.

Industry Segmentation

In general, the O&G industry is divided into three segments: upstream, midstream, and downstream. These segments describe the resource's way from its reservoir underground to its final destination.

  • Upstream refers to the parts of the industry having to do with resource exploration and extraction – often known as the exploration and production industry (E&P). It includes multiple cooperating stakeholders: survey companies that decide where to drill, the companies that perform exploratory drilling, contract companies that supply oilfield or oil rig employees, a subset of entities that own operating rights of a rig, and more. More than any other “stream” of work, the upstream oil and gas process involves the largest number of stakeholders.
  • Midstream refers to parts of the industry involved with storing and transporting resources once they are extracted. The midstream oil & gas process includes the transportation of crude or refined oil from rigs and fields to refineries. Resources can be transported on barges, tankers, trucks, rail, and pipeline. The coordination among companies – like upstream – is immense.
  • Downstream refers to parts of the industry that refine resources into the multiple final products and provide those products to end users such as gas stations. It consists of the processing, refining, and purifying of crude oil and natural gas into products that end consumers commonly recognize, including gasoline, jet fuel, diesel, asphalt, and many others.

The journey of one drop of a resource through those three stages can include dozens, if not hundreds, of separate entities, companies, processes, and legal agreements. Currently these parties coordinate through traditional means — written contracts, manual data entry, laborious dispute reconciliation processes, and high-friction cooperation.

Custody Transfer

One crucial process prevalent in all three industry segments is custody transfer, which takes place at those points in the process where the resource, in this case oil or gas, is handed over from one stakeholder to the next. A transfer of ownership does not necessarily take place at the same time, but the value can be transferred for further processing or transport and remain in the possession of the original stakeholder. The owner could, for example, be an oil or gas production company, a pipeline company, or a utility company. In a custody transfer flow measurement situation, one or two custody transfer flow meters measure the volume or mass of fluid before the transfer is made, and then another set of flow meters measures the flow after the transfer. What makes custody transfer unique among flow meter applications is that money changes hands and that accuracy requirements are paramount in contrast to most other applications.

Sensors & Software

A custody transfer installation is complex and involves the coordination of many different types of sensors, such as flow meters, pressure sensors, temperature sensors, density sensors, gas chromatographs, and others. For the sake of clarity, we will focus on flow meters only.

There are several types of flow meters widely used in the industry, such as ultrasonic meters, differential pressure (DP) meters, and turbine flow meters. The main categories are elaborated in the Appendix. The engine of a custody transfer or fiscal metering installation is the flow computer. It is the device that takes the inputs from the measuring devices and calculates the amount of liquid or gas that has been transferred. These calculations are based on a variety of industry-standard flow calculation algorithms.

Current Challenges

Notwithstanding the functionality of sophisticated ERP software that monitors and controls the flow of resources during custody transfer, centrally controlled systems are vulnerable to cyber attacks.

For example, in 2008, hackers interfered with alarms and communications for the Baku-Tbilisi-Ceyhan pipeline in Turkey, super-pressurizing crude oil to cause an explosion that resulted in the spilling of more than 30'000 barrels of oil.

One year later, an explosion happened in Bayamon, Puerto Rico. The fire blazed for three days, burning down houses and causing black clouds of gasoline-fueled smoke and forcing residents to flee their homes. Investigators said it was a glitch in the facility’s computerized monitoring system. A storage tank was getting refilled with gasoline from a fuel ship docked along the San Juan harbor. Since the tank’s meter malfunctioned, the petrol kept overflowing until it met an ignition source.

In 2012, as a result of a cyber attack on Aramco, the Saudi Arabian national petroleum and natural gas company, 30000 computers were damaged. The attack aimed to stop gas and oil production in Saudi Arabia and prevent resource flow to international markets.

In keeping with this, we identify some common operational and maintenance issues of oil and gas transfers as follows:

  • No clear delegation of duties between companies
  • Too many duty distractions
  • Lack of time dedicated exclusively to transfer
  • No standardized operating procedure for the transfer for all participating companies
  • Transfers should be conducted prior to arriving and during daylight hours
  • Miscommunication or misunderstanding about which tanks are to be filled or emptied
  • Lack of supervision during the process
  • Misjudgment of the receiving tank capacity or supply tank liquid volume

Our proposal aims to circumvent these challenges through implementation of a platform based on a distributed ledger system.

Our Proposal

In the future, all devices that can benefit from an Internet connection will be connected. Internet of Things (IoT) technology is a key enabler of this vision by delivering machine-to-machine (M2M) and machine-to-person communication on a massive scale.

What IoT is and what it implies is often misunderstood. IoT has been around for a decade, but has faced considerable obstacles regarding connectivity, computing power, and security. With the rise of efficient standardized network technology and edge computing, these challenges can be overcome to employ IoT in valuable use cases. We believe that the next years will prove prosperous for IoT and open new doors for the extensive deployment of expedient IoT systems.

IoT sensors provide transparency, trust, and collaboration, leading to a completely new set of data behaviors, but their security protocols have yet to be optimized and implemented. Online sensors cannot carry software encryption protocols because of their energy-saving and memory-space requirements. Therefore, there is a predominant need for new architectures that keep costs low while preserving the efficiency of the industries using IoT technology.

However, connectivity to the Internet can, in most cases, be equated to vulnerability to hacking and manipulation. Over the past few years, efforts have been made to standardize the security protocols in IoT systems. Blockchain is the most tempting system to integrate as it addresses security issues and has the potential to become a standard to ensure security in a corporate data environment.

Sensors on the Blockchain

The concept of integrating sensors on the blockchain has existed for quite some time for obvious advantages:

  • Autonomous coordination: Integrating IoT devices into the blockchain lets them interact autonomously through the interplay of smart contracts and prevents anyone from taking complete control of the network by altering a single node.
  • Peer-to-peer messaging: The connected devices interact via a distributed ledger, exchanging data in a cryptographic environment in order to prevent any man-in-the-middle attack.
  • Distributed file storage: The use of a public blockchain secured by SHA-256 hashing would delegate the flow meter data storage, allowing cost efficiency in comparison to standardized cloud storage with a centralized database.
  • Self-amending evolution: The distributed and immutable record of history created by the blockchain combined with the interoperability of the IoT devices opens opportunities to self-amend and regulate the network for higher efficiency and security.

Notwithstanding these advantages, realization and implementation have met some obstacles, the most notable being the multitude of vulnerabilities in the network.

Trustless Protocol

The aim is to create a truly trustless protocol that would allow any user to find supplies of commodities in the most secure way possible while not disclosing the name of the seller to the buyer and vice-versa. Through this consensus, all parties keep their privacy while the goods are shipped for certain. Blockchain is used as a closed loop (feedback) control system comparing real and digital asset transfers through a prescribed relationship consensus.

In the given architecture, the means of control is the blockchain, the controller is a Smart Contract, and the difference studied is the variance between flow measurements of IoT systems and token transfers in the blockchain. The input is the measurement value from the sensor systems and the output is the token transfer. Any variation would transparently disclose, in real time, a discrepancy in the data of any party.

Overview of the Power Control System

The system is made of two interconnected Distributed Control System layers ensuring the security of any real-world transfer, such as the one presented in the figure below. For the system to be functionally capable, the following is required:

  • A feedback loop
  • Two or more inputs that feed into the loop (one is the reference level r, others are disturbances)
  • Effort to adjust, a
  • External disturbance in the system, d

Figure: Power feedback loop.

The first layer of security is made of flow meter IoT systems deployed or already existing along the supply chain. However, because flow meter systems can be tampered with, we aim to improve the reliability of supply chain systems through a second layer. In the second layer of security, tokenized volumes of the commodity are transferred over the blockchain at the same time as the real-world transfers, backed by economic incentives. The first layer will therefore be in total cohesion with the second one, creating control feedback loops.

The input of the general system is made of the periodic data given by the flow meter system. The output is a proof of "bad" behavior or of an unconscious mistake by the parties involved, based on the discrepancy between the two layers. Note that the output can also be a refund to the buyer or any action regularizing the situation.

Buyer, Order, Market Place & Smart Contracts

To start a new process, a buyer should place his claim asking for a specific amount of commodity on a decentralized market place. This amount is proved true and valuable to the network (suppliers and intermediaries) thanks to a stake immutably placed by the buyer in a newly created Smart Contract. Indeed, in addition to the details of the claim, the order embeds a 50% stake of the whole transaction size in the dedicated Smart Contract. It incentivizes the network to remain clean without being filled with fake or spam requests. Additionally, at this point in the process we could think of features such as a premium fee paid by the buyer to receive the supply faster, incentivizing sellers and intermediaries to process the most rewarding orders on the market place.

Seller, Intermediaries & Proof of Capacity

Once the network validates the quality of the stake, meaning that the Smart Contract created is acknowledged as legitimate, each party can get further involved in the custody transfer by offering their services. At this point, a consensus called Proof of Capacity (PoC) should assure the buyer of the seller's ability to supply the goods. A seller willing to take part in a custody transfer would have to stake a particular amount in the given Smart Contract (explained further in the paper) in order to book its position as a seller. In the event of several sellers trying to be positioned on the same deal (staking in a similar Smart Contract), priority is given to the first seller filling the required stake. A second PoC could require full transparency from the seller over the number of sensors connected on the blockchain, which are essential to process the transfer correctly.

Payment Value, Target Value & Constant Value as Economic Incentives

As the first step on the buyer side, 50% of the payment value (total price for the amount of commodity purchased) acknowledges the claim as legitimate. At this point, sellers and intermediaries enter the smart contract by staking (explained earlier) and thereby formalize their positions in the transfer. Once all parties are integrated in the deal, as a second step on the buyer side, the buyer has to show full capacity of funds by staking 100% of the payment value (the Smart Contract acts as an escrow account).

As a result of taking part in the deal, intermediaries must state their expected reward for the services provided. Therefore, the total flow of money emerging from the deal is higher than the payment value. The sum of the payment value and the fees asked by each intermediary is known as the target value. Note that different economic models can be applied (e.g. the buyer sets the fees for intermediaries, or fees are fixed algorithmically according to specific criteria known about the intermediary). Similarly, the model chosen to pay the fees of intermediaries can vary according to a shared agreement between buyers and sellers.

In the following, we describe how a target value is created and how it acts as an assurance of supply for the buyer.

A target value (TV) represents the sum of the total flow of cash during the deal (payment value + fees). However, it is also equal to the sum of all the Constant Values (CV) and the Variable Values (VV) filled in the Smart Contract during the process:

TV = Σ (Σ CV + Σ VV)

The target value can be thought of as a hedge against a default of transfer in the real world that would compensate the payment value. A constant value is the division of the target value by the number of parties involved. Before starting the deal, each party involved (seller and intermediaries) will stake this constant price as an assurance of trust for the buyer (note that different parameters can be applied to this feature, such as a variable percentage of stakes according to specific criteria, but the sum of all should remain the target value of the Smart Contract).

Hence, by summing all the constant values exchanged, we recover our target value. Thanks to blockchain scarcity, this proves that all parties exchanged their constant values and therefore fulfilled their part of the deal.

Once the target value is filled and the flow meter system of the ultimate beneficial owner (here: the buyer) acknowledges reception, the Smart Contract is asked to release the 100% stake from the buyer (payment value) to the seller.


As with the constant value, each party has a variable value to stake: VV = TV - CV. VV therefore acts as a fractal of the commodity's volume purchased by the buyer. It is called variable because the amount of this stake moves with the state of the shipment relative to each party involved.

When an intermediary receives the asset, he has to stake the variable value in the Smart Contract. Once the asset is sent to the next party and the receiver has acknowledged it through the flow meter system, the variable value staked comes back to him in addition to the variable reward. This variable reward attached to his stake is the payment for his service (the intermediary's fee).
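The feedback check and the stake definitions above, as an added Go example that is not part of the original concept or of any project code: it computes TV, CV and VV as defined in this section and releases each sender's variable stake only when the receiver's flow meter confirms both the sender's meter and the token transfer. The type and function names, the 1 token = 1 m3 mapping, the relative tolerance and all sample figures are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// Hop is one custody transfer as seen by both layers (1 token = 1 m3 is an assumption).
type Hop struct {
	Sender     string
	SentM3     float64 // sender's flow meter
	ReceivedM3 float64 // receiver's flow meter
	TokensM3   float64 // volume tokens moved on-chain for this hop
}

// Outcome is what the contract decides after comparing the two layers.
type Outcome struct {
	TV, CV, VV      float64
	Released        []string // senders whose variable stake and fee were released
	FlaggedHop      int      // first hop whose layers disagree, -1 if none
	PaymentToSeller bool
}

func differs(a, b, tol float64) bool { return math.Abs(a-b) > tol*math.Max(a, b) }

// Settle applies the page's definitions: TV = payment + fees, CV = TV / parties, VV = TV - CV.
// Hops run seller -> intermediaries -> buyer; tol is a relative meter tolerance (assumption).
func Settle(payment float64, fees []float64, hops []Hop, tol float64) (Outcome, error) {
	if len(hops) == 0 || tol < 0 {
		return Outcome{}, fmt.Errorf("need at least one hop and a non-negative tolerance")
	}
	tv := payment
	for _, f := range fees {
		tv += f
	}
	cv := tv / float64(len(hops)) // one staking party (seller or intermediary) per hop
	out := Outcome{TV: tv, CV: cv, VV: tv - cv, FlaggedHop: -1}
	for i, h := range hops {
		// Feedback check: the receiver's meter must confirm the sender's meter and the tokens.
		if differs(h.SentM3, h.ReceivedM3, tol) || differs(h.TokensM3, h.ReceivedM3, tol) {
			out.FlaggedHop = i // this sender's stake stays locked; later hops are not settled
			return out, nil
		}
		out.Released = append(out.Released, h.Sender)
	}
	out.PaymentToSeller = true // the buyer's meter acknowledged the last hop
	return out, nil
}

// DemoSettlement runs a constructed delivery twice: as metered, and with 40 m3 missing at hop 1.
func DemoSettlement() (ok, short Outcome) {
	hops := []Hop{
		{"seller", 1000, 999.6, 1000},
		{"pipeline", 999.6, 999.1, 1000},
		{"terminal", 999.1, 998.9, 1000},
	}
	ok, _ = Settle(58000, []float64{1500, 500}, hops, 0.002)
	hops[1].ReceivedM3 = 959.6
	short, _ = Settle(58000, []float64{1500, 500}, hops, 0.002)
	return
}

func main() { fmt.Println(DemoSettlement()) }
```

In the second run the pipeline operator's stake stays locked and the payment is not released, which is the "proof of bad behavior or mistake" output of the loop.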

Flow Meter Process Flow

We will now elaborate on the data workflow of a single flow meter. Once the ultrasonic sensor has reliably and accurately measured the cubic flow of crude oil through the pipeline, these signals are sent to a secure gateway via MQTT or HTTPS in an edge computing scenario. The MQTT publisher-subscriber scenario, for example, guarantees low battery usage for portable sensors and ensures secure over-the-air transmission. The gateway then encrypts the measurements in a way that prevents malicious MITM attacks and uploads the data, later checking which smart contracts on the blockchain are associated with it. The transfer of measurement data to the distributed ledger occurs by authenticating each set of data with its own digital signature.

Figure: Workflow of Proposal.

Because each set of data refers to a digital signature representing a sensor in the network, the parameters of each device will be self-amended if a default is detected. With this architecture, a corporation operating the flow meters avoids single points of failure and enables the automation of tasks. After a message arrives in the sensor hub and is forwarded to the service bus, the measurement is immediately routed to the blockchain, accessing the Smart Contracts of interest in the trustless protocol environment. Furthermore, for the sake of data visualization and communication, a gateway service API is used to push updates from the service bus to the enterprise/user applications. This application could also be used to call or send messages to the responsible individuals in case a party has not been compliant.
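One way to realise the signed, linked records described above, as an added Go example that is not the project's own code: each reading is signed with the meter's Ed25519 key, checked against a registry of certified devices, and chained to the previous entry with SHA-256 so that any stakeholder can re-verify its replica. The choice of Ed25519, the record fields, the device ID FM-001 and the batch BATCH-42 are assumptions; the key and the readings are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Reading is one measurement set from the gateway (field names are assumptions).
type Reading struct{ DeviceID, Batch string; Seq uint64; VolumeM3 float64 }
// Entry is a ledger record: reading, meter signature, hash of the previous entry.
type Entry struct{ R Reading; Sig []byte; Prev [32]byte }
// Ledger holds the registry of certified meter keys and one replica of the chain.
type Ledger struct{ Devices map[string]ed25519.PublicKey; Entries []Entry }

func payload(r Reading) []byte { b, _ := json.Marshal(r); return b }
func hashEntry(e Entry) [32]byte {
	return sha256.Sum256(bytes.Join([][]byte{e.Prev[:], payload(e.R), e.Sig}, nil))
}
func (l *Ledger) signedBy(r Reading, sig []byte) bool {
	pub, ok := l.Devices[r.DeviceID]
	return ok && ed25519.Verify(pub, payload(r), sig)
}

// Append accepts a reading only when a registered meter signed it.
func (l *Ledger) Append(r Reading, sig []byte) error {
	if !l.signedBy(r, sig) {
		return fmt.Errorf("rejected reading from %q", r.DeviceID)
	}
	var prev [32]byte
	if n := len(l.Entries); n > 0 {
		prev = hashEntry(l.Entries[n-1])
	}
	l.Entries = append(l.Entries, Entry{r, sig, prev})
	return nil
}

// Verify replays a replica; it returns the index of the first bad entry, or -1.
func (l *Ledger) Verify() int {
	var prev [32]byte
	for i, e := range l.Entries {
		if e.Prev != prev || !l.signedBy(e.R, e.Sig) {
			return i
		}
		prev = hashEntry(e)
	}
	return -1
}

// DemoLedger signs two constructed readings, then checks a clean, an edited and a truncated replica.
func DemoLedger() (clean, edited, truncated int, forged error) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, ed25519.SeedSize)) // constructed key
	l := &Ledger{Devices: map[string]ed25519.PublicKey{"FM-001": priv.Public().(ed25519.PublicKey)}}
	for i, v := range []float64{120.5, 121.0} {
		r := Reading{"FM-001", "BATCH-42", uint64(i + 1), v}
		l.Append(r, ed25519.Sign(priv, payload(r)))
	}
	forged = l.Append(Reading{"FM-001", "BATCH-42", 3, 999}, make([]byte, ed25519.SignatureSize))
	clean, truncated = l.Verify(), (&Ledger{l.Devices, l.Entries[1:]}).Verify()
	l.Entries[1].R.VolumeM3 = 90 // a stakeholder edits its stored copy
	edited = l.Verify()
	return
}
func main() { fmt.Println(DemoLedger()) }
```

The example leaves out replay protection: a ledger used in practice would also reject a reading whose sequence number does not advance for that device.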

Conclusion & Vision

Our vision is to use the collaborative forces of the high-end hardware and software industry to optimize and modernize one of the most essential processes in the O&G industry. We have developed the concept of a trustless protocol, which allows traceability of assets during the transfer and an immutable record of transactions in real time to prevent any litigious argument between parties. At the same time, it reduces the amount to stake, which enhances the liquidity and capital available to the parties while keeping enough security from the economic incentive created. Because a party involved is economically liable for the shipment until the flow meter system reports valid data, and because the payments for seller and intermediary services are automatically distributed once the shipment is acknowledged, it is believed that such a system creates a new form of consensus for IoT and blockchain integrations. A blockchain-leveraged custody transfer would not only enable transparent and secure coordination between all stakeholders during resource transportation but also drastically reduce the cost of trust in an immutable measurement system through cutting-edge sensor infrastructure.