Digital contracts have proven really adept — at losing people’s money
With blockchain technology giving hackers the greenlight to empty accounts, institutionalised banking may be around for a while
Smart contracts were supposed to revolutionise finance. So far, however, they have proven adept mainly at helping people lose their money.
The digital contracts make use of blockchain technology to get around trusted intermediaries like banks. Let’s say you want to send your landlord $2,000 every month. You can go to your bank, set up a recurring payment and rely on the inherently flawed humans at the bank to follow through.
Or you can publish a bit of software on the internet that instructs a global network of computers to make the transfer automatically, according to whatever conditions you stipulate. In principle, you can do the same with all kinds of agreements, from insurance to derivatives.
Problem is, one platform designed to host such contracts — Ethereum — has so far turned out to be a lot less trustworthy than a bank. Consider what happened with so-called multi-signature wallets, which are supposed to open only with the permission of two or more individuals — like a joint bank account.
All the wallets relied on a single, centralised bit of code to do their job ... When a hacker destroyed that bit of code, hundreds of wallets stopped working, trapping the users’ funds inside
Last week, more than $150m worth of ether, the platform’s currency, ended up stuck in the wallets — forever — after a botched hacking attempt. Only a few months earlier, a bug in an earlier version of the same wallet allowed hackers to run off with $32m. Shortly before that, a Canadian exchange accidentally trapped $13m in its own broken smart contract.
Such issues are difficult to resolve thanks to a fundamental feature of the blockchain: all changes are immutable, which makes them tamper-resistant but also means that they can’t be reversed if something goes awry. Although there’s an ongoing proposal to recompense users who lost money through self-inflicted error, it has remained open for more than a year because people keep chiming in with new stories of how they lost money in yet another unanticipated way.
It shouldn’t be so difficult to create a smart contract that doesn’t end in disaster. A multi-signature wallet, for example, is about the most simple application you can build. In this case, however, the creators complicated the design to reduce transaction fees: all the wallets relied on a single, centralised bit of code to do their job, instead of having each wallet owner control an independent copy of the software. When a hacker destroyed that bit of code, hundreds of wallets stopped working, trapping the users’ funds inside.
Applications involving money are like magnets for hackers all around the world: it’s almost certain that any substantial balance will face attempted theft. Yet Ethereum users seem intent on repeating past mistakes
The blockchain is littered with smart contracts gone bad. Last year, Ethereum users programmed a decentralised, autonomous organisation in the form of a smart contract to manage a $160m investment fund. Before the fund could make a single investment, an unknown attacker exploited a bug in the software and siphoned a large portion of the money away. The heist affected so many users that Ethereum’s leaders decided to erase the losses by creating an entirely new version of the platform and abandoning the old one.
Applications involving money are like magnets for hackers all around the world: it’s almost certain that any substantial balance will face attempted theft. Yet Ethereum users seem intent on repeating past mistakes. Even after a string of high-value losses, participants still chose to entrust hundreds of millions of dollars to a vulnerable wallet app. It seems that the friendly interface and accessibility that made Ethereum popular can also lull users into a false sense of security.
Empowering users to manage their own rights and obligations — without trusted intermediaries or a court of law — is a big responsibility, and it’s not as easy as it looks. Modern institutions work well because they’re built on centuries of accumulated knowledge. Decentralised blockchain applications are in their infancy, guided mainly by trial and error. A lot of money has poured into the technology, but just because something is technically feasible, that doesn’t mean it’s a good idea just yet.
It’s plausible that smart contracts might improve to the point where users can’t hurt themselves so easily. After all, engineers successfully developed mission-critical flight control software that navigated humans into orbit and back. But this was an onerous, slow-moving process, one that’s not congruent with this year’s steep run-up in the price of crypto-currencies. It will likely be a long time before smart contracts can make a serious bid at upending the financial status quo.
• Ou is a blockchain engineer at Global Financial Access in San Francisco. This column does not necessarily reflect the opinion of the editorial board and/or Bloomberg and its owners.