The Future Risks of Smart Contracts

At a young age, I was conditioned to experience new technologies every 5-8 years.  It started with gaming consoles:  I could not wait to see the evolution of graphics, especially from my favorite Role Playing Game (RPG) developer, who always seemed to be on the cutting edge of the technology spectrum.  That excitement would then migrate to computers and the internet, and lastly to TVs and phones.  It is amazing to see consumers move from reluctant or slow adoption of advancements in technology to an attitude of acceptance that this is now the new normal.  I believe that period is on the horizon again.

With the fast adoption of NFTs, the world of Web 3.0 is expanding at great speed.  What was once considered a joke or a scam is now getting the attention of prominent Fortune 500 firms and spawning new companies in this space.  At the center of this technological marvel is the concept of Smart Contracts.

What are Smart Contracts?

In their simplest form, Smart Contracts are programmable logic (code) that exists on a blockchain.  They are commonly used to define terms or agreements among parties, such as ownership, rights, payment options or business logic.  They are immutable, meaning that once committed to the blockchain, the terms cannot be altered or changed.

This is important because it gives Smart Contracts legitimacy by alleviating possible disagreements among parties over unfulfilled terms or breach of contract.  Although they sound foolproof, it is important to know that Smart Contracts are not without vulnerabilities, which we will discuss later.

Visually, Smart Contract source code looks like JSON or JavaScript.  For the uninitiated, this can seem daunting to look at, let alone understand, but most platforms do a great job of summarizing the details and outlining what is being executed.

For those interested in writing Smart Contracts, languages and tools are widely available to help, including Solidity (the most used), Rust and Vyper.

How will Smart Contracts change our world?

This space is exploding because it has the real potential to transform the way we do things, especially behind the scenes.  Today, in the NFT space, artists have the ability to sell their work online, assign resale rights and profit along most of the distribution chain.

Visiting the largest NFT marketplace today, you can browse millions of digital art pieces and see the going rate and the terms.  One of the things I find most fascinating is understanding what you can and cannot do once you have the rights to a work.  In the piece below, owned by Zlim, the holder has the rights to use the image in “advertising, [to] display privately and in groups, including virtual galleries, documentaries and essays by [the] holder of the NFT, as long as creator is credited.” However, there are “no rights to create commercial merchandise, commercial distribution, or derivative works,” as those are solely retained by the original creator.

[Image: screenshot of “Angry Birdy” by MelihERSAHiN]

Although art is the first thing that comes to mind for Smart Contracts, it is not the only application that has many, including myself, excited.  Industries such as healthcare or financial services can benefit from non-repudiation and attribution features, especially when it comes to determining who made a critical change.  State and local governments can use Smart Contracts to improve the efficiency of the voting process, insurance companies can improve the claims-handling process, law enforcement could be better positioned to maintain chain of custody, and, as with any new technology, cybersecurity experts will be needed to ensure protections.

And on that note, it’s time to address the elephant in the room.  Is it safe?

Are Smart Contracts Safe?

This is probably one of the most asked questions on the internet.

Unfortunately, the answer isn’t as binary as the concept of the topic.  Although the majority of Smart Contracts are “safe,” in the sense that they do what they are supposed to, they are based on code and are therefore susceptible to vulnerabilities and bugs.  So why is this a big deal?

As stated earlier, one of the benefits of Smart Contracts is that they are immutable once committed to the blockchain.  If an artist were to unintentionally introduce code that set the royalty on their $100 digital artwork at a rate of 0.1% (0.001) instead of 10% (0.10), they would not be particularly happy earning ten cents instead of ten dollars.  This could have higher implications for other industries.
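The royalty mistake above, worked through in Solidity as an added illustration (this is not code from the post or from any marketplace; the contract names, the basis-point convention and the 100-unit sale are assumptions). Storing the rate in basis points makes the unit explicit, a deployment-time check rejects rates above 100%, and the comparison contract shows the two payouts side by side, which is the kind of check a pre-production test should make before the real terms are committed to the chain:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration (not the post's or any marketplace's code): royalty terms
/// stored in basis points (1 bp = 0.01%), so 10% is 1_000 bp and 0.1% is 10 bp.
/// Once deployed, `royaltyBps` is immutable, exactly like the terms described above.
contract RoyaltyTerms {
    uint96 public constant BPS_DENOMINATOR = 10_000;

    address public immutable creator;
    uint96 public immutable royaltyBps;

    error RoyaltyTooHigh(uint96 requested);

    constructor(address creator_, uint96 royaltyBps_) {
        // Deployment-time sanity check: a royalty above 100% is always a typo.
        if (royaltyBps_ > BPS_DENOMINATOR) revert RoyaltyTooHigh(royaltyBps_);
        creator = creator_;
        royaltyBps = royaltyBps_;
    }

    /// ERC-2981-style view: who receives the royalty, and how much, for a sale price.
    function royaltyInfo(uint256 salePrice)
        external
        view
        returns (address receiver, uint256 royaltyAmount)
    {
        receiver = creator;
        royaltyAmount = (salePrice * royaltyBps) / BPS_DENOMINATOR;
    }
}

/// Deploys both versions of the artist's terms and returns the two payouts on a
/// 100-unit sale (constructed values for the illustration).
contract RoyaltyComparison {
    function payouts(address creator)
        external
        returns (uint256 mistyped, uint256 intended)
    {
        RoyaltyTerms typo    = new RoyaltyTerms(creator, 10);    // 0.1%
        RoyaltyTerms correct = new RoyaltyTerms(creator, 1_000); // 10%
        (, mistyped) = typo.royaltyInfo(100 ether);      // 0.1 ether
        (, intended) = correct.royaltyInfo(100 ether);   // 10 ether
    }
}
```

The constructor guard only catches rates that are impossible, not rates that are merely wrong; a 10 bp typo for an intended 1,000 bp passes it. That is why the comparison (or an equivalent test against the expected payout) has to run before deployment, because after deployment the immutable value cannot be corrected.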

In 2017, the Parity bug resulted in over 550 wallets containing 514K Ethereum tokens being locked.  Parity Technologies advised that “a user exploited an issue and thus removed the library code, as it seems unaware of the consequences.”   Library code is common reusable code for developers; it saves time by reusing code that has been proven to work.
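To make the library idea concrete, here is an added example of a shared wallet library used through delegatecall, with the hardening a defender would want: the library locks its own storage at deployment so nobody can initialise, take ownership of, or remove the library itself out from under the wallets that depend on it. This is a general pattern written for this page, not Parity's code, and the contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (a general hardening pattern, not Parity's code): shared wallet
/// logic that many thin wallet contracts reuse through delegatecall. The library
/// marks its own storage as initialised at deployment, so no caller can ever run
/// initWallet() on the library itself and become its owner.
contract WalletLibrary {
    // Storage layout shared with every wallet that delegatecalls into this code.
    address public owner;
    bool public initialized;

    error AlreadyInitialized();
    error NotOwner();

    constructor() {
        // Runs only against the library's own storage; wallets never see this value.
        initialized = true;
    }

    function initWallet(address owner_) external {
        if (initialized) revert AlreadyInitialized();
        initialized = true;
        owner = owner_;
    }

    function transferOwnership(address newOwner) external {
        if (msg.sender != owner) revert NotOwner();
        owner = newOwner;
    }

    function sendEther(address payable to, uint256 amount) external {
        if (msg.sender != owner) revert NotOwner();
        to.transfer(amount);
    }
}

/// Thin wallet: holds the funds and forwards every call to the library's code,
/// executed against this contract's own storage.
contract Wallet {
    // Must mirror WalletLibrary's layout exactly (slot 0: owner, initialized).
    address public owner;
    bool public initialized;

    address public immutable lib;

    constructor(address lib_, address owner_) {
        lib = lib_;
        // The wallet's own `initialized` flag starts false, so this succeeds once.
        (bool ok, ) = lib_.delegatecall(abi.encodeCall(WalletLibrary.initWallet, (owner_)));
        require(ok, "wallet init failed");
    }

    receive() external payable {}

    fallback() external payable {
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        if (!ok) {
            assembly { revert(add(ret, 32), mload(ret)) }
        }
        assembly { return(add(ret, 32), mload(ret)) }
    }
}
```

Two properties matter for review: the wallet's storage layout must match the library's slot for slot, because delegatecall runs the library's code against the wallet's storage, and every state-changing entry point on the library must be guarded so that calling it directly on the library address has no useful effect.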

Last month, Minswap Labs released a patch to address “a critical vulnerability that would allow someone to drain all the Liquidity in the Smart Contract.”  In a blog post, they advised that this was discovered during an audit.  The vulnerability would allow a user to mint (create) liquidity pool tokens at a large scale.

What I find fascinating about this is that in order to remediate or patch the vulnerability, Minswap Labs had to actually use the exploit themselves to migrate all holders to the new Smart Contract.  This is fairly unprecedented, considering that for many the whole point of Smart Contracts is to prevent anyone from having this kind of power.

Are Smart Contracts Legally Binding?

Perhaps an even more pressing issue is the legality of Smart Contracts.  To date, I am not aware of any legal precedent that Smart Contracts can be upheld in court.  My suspicions are echoed by industry experts who were asked about this very topic in 2018 at the Singapore FinTech Festival.

In response, Brian Harley, a registered foreign lawyer at Clifford Chance, stated that he’s “…not really sure if they are legal contracts,” but suggested the concept of Smart Contracts could replace legal contracts due to the overall efficiency and effectiveness of the process.  I also found humor in the suggestion that “you have to build in the functionality to have a dispute.”

Frank Desvignes, Global Head at AXA Next Labs, suggested that they may not be binding contracts, but that attaching legal contract documentation may be good practice.

The latter panelist may have the right of it.  Smart Contracts themselves may not be legally enforceable, but using them as an addendum to a legal contract (whether electronic or paper) could be enforceable, similar to how a Service Level Agreement (SLA) is attached.

As the technology becomes more adopted, I believe we will have more clarity.

**Disclaimer: The information in this blog is for informational purposes only.  I am not a legal or financial advisor, and the information on the blog related to such topics should not be construed or taken as legal or financial advice.  Please consult with an appropriate advisor in your State.**

How do I make my contract secure?

As with anything related to coding, unintended behaviour is bound to occur in your code.  Here are a few ideas that can help make a Smart Contract less prone to bugs:

  • Code Reviews
    • This is a good way of having someone else, either on your team or preferably someone not directly involved in the project, go through the code to identify and/or test for bugs or anomalies.
  • Testing Environment
    • Set up a pre-production environment and test every aspect of the Smart Contract.  See if it is possible to answer the following:
      • Does it work as intended?  
      • Is it doing something it is not supposed to do?
      • Do you think a user could reasonably exploit the Smart Contract with elevated permissions?  
      • What are you most concerned about, and how can a threat actor achieve it?
  • Perform both an Internal and External Audit
  • Tools
  • Contingency Plan
    • As with most businesses, it is important to consider implementing a Disaster Recovery Plan.  Think of all potential scenarios that could go wrong in the development and production of a Smart Contract, and think of solid ways to deal with the issues as they come up.
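The testing-environment questions above, and the Minswap case earlier (unrestricted minting of liquidity pool tokens), are served by one added example: a liquidity-pool token whose mint() is restricted to the pool contract, together with a Foundry test that answers "does it work as intended?", "is it doing something it should not?" and "could a user exploit it with elevated permissions?" before anything is committed to the chain. This is illustrative code written for this page, not Minswap's; it assumes the project uses Foundry (the `forge-std/Test.sol` import and its `vm` cheatcodes), and the contract, function and address names are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol"; // assumption: the project uses Foundry

/// Added example (not Minswap's code): a liquidity-pool token whose mint()
/// can only be called by the pool contract it belongs to.
contract LPToken {
    address public immutable pool;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    error NotPool(address caller);

    constructor(address pool_) {
        pool = pool_;
    }

    modifier onlyPool() {
        if (msg.sender != pool) revert NotPool(msg.sender);
        _;
    }

    function mint(address to, uint256 amount) external onlyPool {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

/// Pre-production checks mapped to the checklist questions above.
contract LPTokenTest is Test {
    LPToken token;
    address pool = makeAddr("pool");         // constructed test addresses
    address provider = makeAddr("provider");
    address outsider = makeAddr("outsider");

    function setUp() public {
        token = new LPToken(pool);
    }

    /// Does it work as intended? The pool can mint to a liquidity provider.
    function testPoolCanMint() public {
        vm.prank(pool);
        token.mint(provider, 1_000e18);
        assertEq(token.balanceOf(provider), 1_000e18);
        assertEq(token.totalSupply(), 1_000e18);
    }

    /// Is it doing something it should not? Nobody else can mint at any scale.
    function testOutsiderCannotMint() public {
        vm.prank(outsider);
        vm.expectRevert(abi.encodeWithSelector(LPToken.NotPool.selector, outsider));
        token.mint(outsider, type(uint256).max);
        assertEq(token.totalSupply(), 0);
    }

    /// Elevated permissions? Fuzz every caller and amount: only the pool succeeds.
    function testFuzz_OnlyPoolMints(address caller, uint256 amount) public {
        vm.assume(caller != pool);
        vm.prank(caller);
        vm.expectRevert();
        token.mint(caller, amount);
    }
}
```

Run it with `forge test` in the pre-production environment. The fuzz test is the one that answers the "elevated permissions" question: rather than checking a single hand-picked attacker address, it lets the framework try arbitrary callers and amounts and fails the build if any of them can mint.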

Forward Thinking

As with all the technological advancements I have witnessed, I look forward to the evolution of Smart Contracts.  I firmly believe it has the ability to transform economics and our way of life if implemented correctly.  It goes without saying that I am worried about all the pitfalls to come as the space continues to grow, but I am optimistic that there are enough people invested that things will not go completely sideways.

Drawing on over two decades of experience in the Information Technology industry, I have acquired a diverse range of roles that have shaped my distinctive outlook. Through this journey, I have developed into an accomplished authority in risk management, catering to Fortune 500 companies and small businesses on a global scale. Over the past 12 years, my primary focus has centered on empowering small business owners and insurance professionals to comprehend the ramifications of cyber incidents and effectively mitigate the risks associated with potential data breaches. My passion for cybersecurity has inspired me to create the Sage Knows IT blog. Through this platform, I aim to help small business owners and aspiring IT professionals understand the roadmap of the IT industry based on my experiences. Information Technology and Information Security are crucial for our future, and I hope my blog will motivate those who are interested in joining this ever-evolving field.
