Dumb Code

Smart Contract, Dumb Code.

Who runs the Web3 world? Smart contracts. Controllers of decentralized finance (DeFi), they are revolutionizing the way we interact with digital assets and enabling decentralized governance. Yet even though they handle assets worth millions to billions of dollars every day, smart contracts can be quite dumb, whatever their "smart" label suggests. That's why, for the future of Web3 and blockchain-based applications, smart contracts must be written securely! We must protect our users against hacks, rug pulls, and dumb code.

What exactly are Smart Contracts?

Smart contracts are self-executing lines of code that live on a blockchain and run automatically when predetermined conditions are met, without human intervention. The majority of blockchain transactions are facilitated by a smart contract. If you have ever minted an NFT, swapped memecoins on a DEX, or voted on a DAO proposal, you have interacted with a smart contract.

In short, smart contracts have democratized the digital world, reducing reliance on intermediaries and empowering individuals to interact in a transparent, secure, and automated way. They are the not-so-secret sauce that makes the blockchain world more than just a collection of transactions, transforming it into a vibrant, programmable, and trustless ecosystem.

The Future of Smart Contracts

Smart contracts have a wide array of potential applications in the real world and will disrupt industries for years to come. From trade, finance, and insurance to car sales and legal processes, these automated contracts could reduce friction, increase efficiency, and open up new, better ways of doing business. For example, they have already enabled fractional ownership of real-world assets, the buying and selling of real estate, verifiable digital asset ownership, and much more.

Recent Smart Contract Hacks

However, we still have a long way to go until the world is run by smart contracts on decentralized, permissionless blockchains. Like any program written by humans, or even AI these days, smart contracts have known vulnerabilities and are susceptible to hacks. In May 2023 alone, there were several large-scale DeFi hacks and 'rug pulls' involving smart contracts.

One major exploit involved Deus DAO, where an error in the ordering of arguments in the smart contract's burnFrom function enabled an attacker to drain about $6.5 million from users' wallets. The Jimbos protocol was another victim, suffering a flash loan attack that saw an estimated $7.5 million stolen due to a lack of slippage protections. The Level Finance project and Swap-LP also lost $1.1 million and $1 million respectively due to smart contract vulnerabilities.

In another high-profile case, an attacker exploited the governance system of Tornado Cash, a popular DeFi protocol. By submitting a malicious proposal, the attacker was able to drain approximately $2,173,500 from governance vaults.

May 2023 also saw several high-value rug pulls and exit scams. The BSC-based Fintoch platform, for example, turned out to be a Ponzi scheme, resulting in a $31.6 million loss after user funds were locked in the protocol. Similarly, the founders of Swaprum used a backdoor function in its smart contract to drain about $3 million from the project, and the Arbitrum-based XITRAM project executed a rug pull to the tune of $3.5 million.

Dumb Code

As we can see, smart contracts can still have dumb code. Moving forward, security will be of utmost importance as adoption of this technology grows. While there is immense potential for disruption and value creation, it's crucial to understand the risks involved and to learn from past mistakes, rug pulls, and hacks. This will include thorough code audits, understanding contract functionality, and being cautious of projects that lack transparency or have not been audited. With a mindful approach to security, the future of smart contracts looks promising. Please follow me down this rabbit hole of smart contract security as I continue to write about common vulnerabilities and best practices for writing smart contracts, and dive into previous hacks and rug pulls.
