Smart contracts are related to cryptocurrencies and offer more efficiency than usual contracts in certain areas. Meanwhile, they are only as secure as the programmer's best knowledge. Due to bad programming practices, some contain exploitable flaws. So what kind of security risks are there? In this article we look at what smart contracts are, the risks and possible solutions.
A smart contract enforces the negotiation of an agreement without the need of a middle-men, like a lawyer. Settled negotiations (transactions) are stored on the blockchain. The most well-known smart contract platform is Ethereum. Key benefits:
While smart contracts are largely used to transfer cryptocurrencies, they are more and more used to transfer value in general. A few examples:
Security tokens are digital securities that can be bought and sold via smart contracts. For example, the "RVW Token" lets movie enthusiasts easily get a share of the profits generated by the upcoming movie "Roe v. Wade".
No late wage payments: Let's say an employer keeps all the company money inside a smart contract. The contract is programmed to send a specified amount of money to each employee per month. The contract is also programmed to not be able to withdraw all the money available. Employees now have the digital verifiable security, that they will get their money each month without any complications.
The DAO hack - The decentralized autonomous organization (DAO) aimed to be a type of investment fund. An anonymous DAO user applied a variant of the reentrancy bug and fraudulently withdrew large amounts of the cryptocurrency Ethereum from that investment fund.
The parity hack - The use of libraries during programming is a common practice. If the code of the library is flawed, the code using the library may be flawed too. An anonymous person gained control over a flawed library and allegedly called the "kill" function, which destroyed the library. At this point in time, lots of wallets containing 513.774 Ether (~154 million USD) in total used this library. After the library was destroyed, the funds were unreachable and hence lost.
"Finding The Greedy, Prodigal, and Suicidal Contracts at Scale" - In a report from 2018, five researchers published that about 34,200 Ethereum smart contracts worth $4.4 million in Ether contain identified flaws. Over the years, Ethereum got more complex, not less. This means that likely there are more vulnerable contracts than ever before.
Smart contract security technically works via the same concepts as the security of any software. Coding, testing, insuring. Specialized it security insurances exist and due to the young crypto market, smart contract failure insurance companies only emerge.
Writing secure code: The very first step of a secure application starts from within - The code itself. If the code is not created with best programming practices, it widens the attack surface of a potential attacker. Especially if it's accessible on the internet (like smart contracts). Ethereum knows this and has published guidelines, which assist to create smart contracts securely.
Testing the code: Code tests are another piece of the puzzle. They are essential for secure software. Here, the runtime execution is tested. This can be done on your own, but it's best to consider experienced companies like CertiK.
Insuring the code: This is a quite interesting angle to smart contracts - Smart contract failure insurances. An upcoming solution is Bridgemutual. They could have covered the previously mentioned harvest finance hack, according to their pitchdeck. Insurances are known to be used in various areas like health, automobiles or work. Clients get insured to have a level of safety about their time spent in those areas. With smart contract use rising, smart contract failure insurances may become more important - Especially for companies with larger pockets.
The possible use of smart contracts is discovered every day by now. Dhedge enables everyone in the world to become an investment manager. This is partly possible due to the fact, that the smart contracts are using data feeds. The interesting thing about that is that the data feeds could be anything - The Virustotal API or the population count of America. So in theory, there could be a malware investment manager, that specializes on the amount of new malware coming up the next day. And the people could invest in their favorite one!
With that being said, smart contracts remain a relatively new technology. As new technology tends to have flaws, so do smart contracts. Smart contracts are most secure, if the programmer is knowledgeable in this field.
In the end, we see public open source blockchains as net positive, largely because flaws are eliminated faster versus private blockchains.