Just how smart are Smart Contracts?

Nov 10, 2017 | 4 mins
Network Security | Security | Vulnerabilities

The use of Smart Contracts is on a meteoric rise. How safe and secure are they though?


If you haven’t yet heard of a Smart Contract, just wait. You will.

Using blockchain technology – a secure, decentralized digital ledger, introduced in 2008 as the technology underpinning Bitcoin – Smart Contracts enable the exchange of money, property, shares or anything of value, in a transparent, conflict-free way while avoiding the services of a middleman. The most popular of the cryptocurrencies associated with Smart Contracts is Ethereum. It allows developers to write their own contracts which detail the responsibilities of each party and the self-executing payments that should be made based on fulfillment of these.

In any real-world situation where two parties form an agreement that becomes a contract, there is always potential for one party to enter that contract at a disadvantage. A Smart Contract solves this. It is coded and built on the Ethereum blockchain, completely decentralized so that it acts as the third-party entity, and self-executes as it is programmed to do. Its self-executing and self-enforcing nature creates a fair environment for both parties involved, and therefore there is little room for conflict and costly litigation down the road.

Sounds almost perfect

With the technology expected to see an increasing number of use cases, it’s not unlikely that you might soon find yourself in a situation where a service, client or partner requests to use one. It’s therefore worth asking the question now: where’s the rub?

Just how secure are they? The short answer is, currently, not very

While the blockchain is inherently secure, Smart Contracts suffer because the code used to create them is prone to bugs. In June 2016, a hacker made off with over 50 million dollars of cryptocurrency by exploiting a bug in Smart Contract code and, even more recently, in July 2017, another bug was exploited in the code of a well-known Ethereum wallet to the tune of over 30 million dollars of cryptocurrency.

The level of bounty available offers an extremely lucrative incentive for hackers to invest the time and resources needed to find bugs and loopholes in Smart Contract code.

Holy growth, Batman!

Although the technology remains in its infancy, adoption has been increasing at a rapid rate. Between June 2017 and October 2017, the number of Smart Contracts grew from 500,000 to over 2,000,000, with expectations that this could grow to around 10 million within another year. It is clear, therefore, that although this is currently a niche issue in the world of network security, Smart Contracts have the potential to become a far bigger consideration in the not-too-distant future.

Big pile, small shovel

Current efforts to validate Smart Contracts are inadequate. To adequately audit one, an organization would need to engage a network security consulting company and enlist experts in blockchain and Smart Contract coding. If this sounds impractical, that’s because it is. The process involves a host of specialist resources, is expensive and would still be prone to the “human element,” i.e. simple human error, bad actors or a lack of trust in the motivations of those auditing.

The growth in Smart Contract use, combined with the limited number of specialists able to properly vet such large amounts of code, means that organizations can currently struggle to protect themselves. Case in point: the Guardian recently reported that more than $300 million of cryptocurrency (in the form of Ether, the tradable currency that fuels Ethereum) has been lost accidentally due to changes in code from a developer.

A solution for every problem

For every growing tech problem, there are those who will look to create solutions, and for Smart Contracts one such solution seems to have taken a lead: the Quantstamp protocol. Self-described as “the first scalable security-audit protocol designed to find vulnerabilities in Ethereum smart contracts,” it uses a balance of automated and crowdsourced methods and has the potential to provide security experts an inexpensive way of finding exploits and bugs in Smart Contract code. The protocol is itself built on the Ethereum blockchain and provides token incentives for contributing verification software (submitted by security experts), for validating requests (processed by nodes on the blockchain) and for finding bugs that break Smart Contract code.

The result is a system able to audit any Smart Contract submitted to it in a much more time- and cost-effective way.

The good news?

At the time of writing, an estimated $3.2 billion is locked in Smart Contracts, and this figure will obviously rise exponentially in line with increasing adoption. As these locked-in values continue to grow, the potential cost of vulnerabilities and the attractiveness to hackers grow with them. The good news? For every motivated hacker, there is an equally motivated developer working to create solutions able to secure the latest innovation in the world of blockchain.


Andrew Douthwaite is the Vice President of Managed Services at cybersecurity firm VirtualArmour. In his role, Andrew has ultimate responsibility for the successful delivery of the company’s Managed Services offerings within its UK and U.S. operations. As part of the executive leadership team, he also plays a vital role in formulating and implementing company strategy.

Mr. Douthwaite has over 15 years of experience in the Information Technology industry, including eight years with VirtualArmour in senior engineering roles. Before joining VirtualArmour, he held security-centric application positions within leading software and telecommunications providers. In 2002, Mr. Douthwaite obtained a BSc in Computer Science (Software Engineering 2:1), graduating with honors.

Outside of work, Andrew enjoys an active lifestyle as a junior soccer coach and fan and likes to blow off steam with early morning Crossfit sessions!

The opinions expressed in this blog are those of Andrew Douthwaite and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.