Smart contracts are expected to revolutionise business over the next ten years by providing safe, fast, and efficient ways to transact.

The purpose of this blog post is to explain what smart contracts are, their advantages, and a few of the risks and controls that risk managers and auditors should consider.

This blog post assumes you understand the basics of blockchain technology.

What is a smart contract?

A smart contract is a computer program deployed on a blockchain such as Ethereum.  Its functions run when a transaction calls them, and only in the way its code allows.  It can receive, hold, or send that blockchain's native currency (ether on Ethereum); it can store data and call other smart contracts.  Smart contracts are the building blocks of decentralised applications.

Some simple examples could be:

  • A smart contract that receives some cryptocurrency from a digital wallet and distributes it to five other predefined wallet addresses.
  • A smart contract that receives cryptocurrency from subscribers and pays out when an uncertain outside event happens, e.g. if the temperature in an area exceeds a certain level, a share price reaches a certain level, or a team wins a sporting event.  Note that a contract cannot observe the outside world itself: such events must be fed to it by a trusted data source (an "oracle"), which then becomes part of what an auditor has to assess.
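As an added example (not code from the original post), here is a Solidity contract implementing the first case: it accepts ether from any wallet and, when asked, forwards it in equal shares to five payee addresses fixed at deployment. Contract, function and event names are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not from the original post: receives ETH and splits it
/// equally between five payee addresses fixed when the contract is deployed.
contract FiveWaySplitter {
    // Fixed-size array: the payee list cannot grow or shrink after deployment.
    address payable[5] public payees;

    event Received(address indexed from, uint256 amount);
    event Distributed(uint256 sharePerPayee, uint256 remainderKept);

    constructor(address payable[5] memory initialPayees) {
        for (uint256 i = 0; i < 5; i++) {
            // A zero address would burn one fifth of every distribution.
            require(initialPayees[i] != address(0), "zero payee");
            payees[i] = initialPayees[i];
        }
    }

    // Runs when a wallet sends ETH with no function call attached.
    // The funds simply accumulate in the contract until distribute() is called.
    receive() external payable {
        emit Received(msg.sender, msg.value);
    }

    // Anyone may trigger the split: the outcome is fixed by the code, so a
    // caller gains nothing by calling it, and the caller pays the gas.
    function distribute() external {
        uint256 balance = address(this).balance;
        uint256 share = balance / 5;
        require(share > 0, "nothing to split");

        for (uint256 i = 0; i < 5; i++) {
            // Low-level call forwards the ETH; revert if any payee rejects it.
            (bool ok, ) = payees[i].call{value: share}("");
            require(ok, "transfer failed");
        }
        // Integer division can leave a few wei behind; they wait for next time.
        emit Distributed(share, balance - share * 5);
    }
}
```

A design note for reviewers: this is a "push" payment. If any one payee is a contract that rejects incoming ether, `distribute()` reverts for all five, so the other four are stuck until that payee is replaced, which this contract does not allow. A "pull" design, where each payee withdraws its own share, avoids one recipient blocking the rest.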

Top real-world use cases:

Currently, the three most common real-world use cases are tokens and token swaps.

  • Fungible tokens: These allow the creation of a simple digital currency.  The contract keeps a ledger of balances per wallet address, and units can be transferred from one wallet to another.  The common standard on Ethereum is ERC-20.
  • Non-fungible tokens: These contracts record ownership of a unique token that represents a digital asset, such as a picture or a music/video file (the file itself is normally stored off-chain).  The common standard is ERC-721.
  • Token swaps: A smart contract that allows users to exchange one token for another.

Smart contracts are often integrated with websites.  The website provides a friendlier user interface that builds the transactions and asks the user's wallet to sign them; the contract itself still runs on the blockchain.  For instance, the website app.uniswap.org is the front end for the token swap referred to above.  Note that the website is a separate component from the contract: a compromised front end can present the user with a different transaction from the one they expect, so it needs its own controls.

To discourage contracts from being deployed at will, blockchains charge a fee to deploy them.  Also, each time a smart contract is executed, a cost ("gas" on Ethereum) is calculated per operation in the contract's code and charged to the wallet that submitted the transaction; if the fee provided runs out part-way, the transaction fails and its changes are reverted.

Some advantages of using smart contracts in business:

  • Immutability: Once a smart contract is deployed on a blockchain its code cannot be changed.  This assures users that it will keep doing exactly what it was programmed to do.  One caveat for auditors: some contracts are deliberately written as upgradeable "proxies" that forward calls to a replaceable logic contract, so the behaviour can change even though the deployed code does not.  Whether a contract is upgradeable, and who holds the upgrade key, should be part of the review.
  • Availability: Once deployed, a smart contract can be accessed by anyone with an internet connection, and the decentralised nature of blockchains means there is no single server to go down.
  • Openness: The compiled code of a smart contract is always public on the blockchain, and the human-readable source code is usually published alongside it so that anyone can check what it does.  One can generally not ask a financial services company for its code to confirm that its calculations are correct.

Some risks in smart contracts:

  • Bugs: By far the biggest risk in smart contracts is a bug in a deployed contract, because an immutable contract cannot simply be patched.  This is well illustrated by the 2016 hack of The DAO, a very popular crowdfunding platform, in which a reentrancy bug was used to drain around $50 million worth of ether from its smart contract.
  • "Infrastructure" problems: Issues in the underlying blockchain, or in the programming language and its compiler, which even a correctly written contract inherits.

Controls:

It is critically important that smart contracts are deployed without bugs.  Various control measures are available to limit this exposure when developing or using smart contracts, including the following:

  • Code reviews: Contracts should be reviewed by competent, independent parties.  Contracts that are already deployed can also be reviewed before an organisation starts using them.
  • Change control and testing: Testing by competent and thorough testers helps detect bugs before deployment, combined with the relevant approvals before code goes to production.  Because production cannot be patched afterwards, this control carries more weight than in conventional software.
  • Use of code standards: Freely available, audited implementations exist for the most common smart contract use cases, including ERC-20 (fungible) tokens and ERC-721 (NFT) tokens.  This code can be obtained from trusted sources such as openzeppelin.com, leaving only the custom logic built on top of it to be reviewed in detail.
  • Security audits: Several security audit companies specialise in auditing smart contracts, and their audit reports are often published for review.  An audit report should be matched to the exact version of the code that was actually deployed.
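As an added example of the "code standards" control (not code from the original post or from OpenZeppelin's own documentation), here is a fungible token and an NFT built on OpenZeppelin Contracts; the import paths and the `Ownable(initialOwner)` constructor argument follow version 5 of that library. The point for a reviewer is how little custom code is left: only the minting rules and the supply cap are new, everything else is the inherited, already-audited standard. The token names, symbol, cap and initial mint amount are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the original post. Depends on OpenZeppelin Contracts v5:
//   npm install @openzeppelin/contracts
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/// Fungible token: transfer, approve, balanceOf etc. all come from ERC20.
/// Custom surface to review: the constructor and mint() below.
contract ExampleToken is ERC20, Ownable {
    // Hard cap on total supply (assumed figure), enforced in mint().
    uint256 public constant MAX_SUPPLY = 1_000_000 * 1e18;

    constructor(address initialOwner)
        ERC20("Example Token", "EXT")
        Ownable(initialOwner)
    {
        // Initial allocation to the owner (assumed figure).
        _mint(initialOwner, 100_000 * 1e18);
    }

    // Only the owner can create new units, and never beyond the cap.
    function mint(address to, uint256 amount) external onlyOwner {
        require(totalSupply() + amount <= MAX_SUPPLY, "cap exceeded");
        _mint(to, amount);
    }
}

/// Non-fungible token: ownerOf, transferFrom, approvals come from ERC721.
/// Custom surface to review: the id counter and mint() below.
contract ExampleNFT is ERC721, Ownable {
    uint256 private _nextId;

    constructor(address initialOwner)
        ERC721("Example NFT", "ENFT")
        Ownable(initialOwner)
    {}

    // Sequential ids; _safeMint refuses to mint to a contract that cannot
    // receive ERC-721 tokens, so tokens are not sent into a black hole.
    function mint(address to) external onlyOwner returns (uint256 id) {
        id = _nextId++;
        _safeMint(to, id);
    }
}
```

Two things an auditor would still check even with the standard library in place: that the library version pinned in the project matches the one whose audit report is being relied on, and who controls the owner address, since `onlyOwner` concentrates all minting power in that single key.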

That, hopefully, explains smart contracts, with some risks and controls for risk managers and auditors to think about when encountering this new technology.  We strongly believe in this technology and will be posting further blog posts covering some of the major blockchains and decentralised applications.

Acusyne Consulting is a team of audit, risk, governance, and technical security consultants. We constantly seek better ways of doing our work, using research, industry best practices, and automation.  We are currently researching Blockchain technology and automating assurance.