Many contracts are going digital, with some online asset transactions already using blockchain-based software as their primary mode of contractual agreement. In this article we explore the risks that come with this technology and whether legal teams are ready for it.
It’s helpful to think of a vending machine when understanding how smart contracts work. Using a self-executing mechanism, these machines are pre-programmed to release a specific item when a customer puts in the correct money and makes a selection.
Smart contracts are also self-executing. Using pre-determined, programmed parameters, they regulate a party’s adherence to the contract’s terms. They may even perform certain actions in case of a breach, such as automatically charging a late payment fee for a missed deadline. No third-party intermediary is required because the terms are written directly into lines of code held across a distributed, decentralised blockchain network.
Currently, the average consumer would correctly assume that smart contracts are commonly used to regulate blockchain transactions, such as dealings in digital assets like non-fungible tokens (NFTs) and cryptocurrency. However, they can also be used in any transactions where automation is possible, for example:
- in a real-estate deal in which the buy and sell obligations can be automated once the buyer pays the seller the property value
- in trade finance to effect cross-border payments and implement automated escrow accounts
- to help governments improve departmental transparency and efficiency
- by banks for liability payments, digital identification, automatic payments, and stock splits and dividends dealings.
In commercial and M&A sectors smart contracts can even be used to configure entire corporate structures.
Can hackers take advantage of smart contracts?
Unlike traditional legal contracts, smart contracts are written in code using decentralised software that is hosted on multiple connected servers. While this code is visible to outside parties, its complexity provides some protection by being inaccessible to most. For code-competent hackers however, it is an exploitable vulnerability.
The sophistication and capability of hackers and cyber-criminals appears to be on the rise. Just last year, one of Europe’s largest insurers predicted in the Financial Times that cyber-hacking would soon replace natural catastrophes as an uninsurable occurrence.
Weak spots in smart contracts are already being exposed. In 2021, a hacker took advantage of flaws in a cryptocurrency platform’s suite of smart contracts to steal more than £500m in digital tokens (which they later returned).
It is not just professional, organised cyber-crime networks that are behind such incidents. According to US penetration testing researchers, 51% of attacks on decentralised finance took advantage of smart contract vulnerabilities, with most of these attacks described as “unsophisticated”.
What risk do Oracles and automation present?
A smart contract’s visible code is not its only vulnerability. In fact, elements of risk exist outside the contract in entities known as Oracles. Many contracts rely on these third parties to provide external sources of information relevant to a particular transaction. Cryptocurrency transactions, for example, may use Oracles to update the price of Bitcoin. Oracles are susceptible to manipulation by hackers who, once inside the system, can alter the behaviour of the smart contract with which the Oracle is linked.
Risks are also present which are unrelated to cybercrime, particularly in relation to contract management and dispute resolution. The absence of a trusted third party, such as an intermediary or regulator, makes allocating liability and determining jurisdiction difficult if an issue were to arise.
Automation also presents challenges for transactions involving any element of subjective evaluation. This includes the assessment of items of artistic value, where the opinion of an industry expert may be required to decide issues such as authenticity or ownership, either prior to the artwork’s sale on the blockchain or subsequently as part of a claimant or defendant’s legal case during a court or arbitration proceeding.
Of course, certain eventualities could theoretically be written into the code, as one would do for specific clauses in traditional contracts. However, it is not always possible to predict every conceivable contingency.
Smart contracts, as with many other automated processes, offer very little room for subjective decision-making. For example, a party may choose to excuse a breach of contract (such as a late payment) in the interest of preserving a long-term commercial relationship. However, if the smart contract has pre-programmed late payment penalties, a charge may be applied to the customer’s account automatically, regardless of the leeway parties might otherwise have accorded to each other.
How can we ensure a digitally secure future?
The risks outlined above are not the only ones presented by smart contracts. More will inevitably arise as the sector matures and expands. As such, there is both a need and an opportunity for lawyers with skills in both coding and contracts to support software development companies and individual clients.
With careful development, it might be possible for legal representatives to formulate embedded terms and conditions as part of a ‘next generation’ type of smart contract that would protect clients from lawsuits by foreseeing solutions or allocating liability after a breach.
“As a programmer, I would not want to be held liable for creating smart contract software that was not tailored to the client’s specific needs or that later developed a fault outside of my control,” says Sayf Jawad, founder of Netherlands-based software development company MultiCode. “Lawyers can assist here by working with developers to agree an hourly rate that can then provide the client with a bespoke smart contract, of which they retain full ownership.”
Looking towards a digital, secure future
Smart contracts are still relatively new. As a result, the number of experienced developers capable of putting functional smart contracts in place is small. In contrast there is an alarmingly high percentage of unsophisticated programmers responsible for coding contracts which govern some of the world’s highest value, or most significant, digital transactions.
As this field develops and specialist assistance becomes more readily available, programmers of all specialisms will hopefully gain a clearer understanding of their jurisdiction’s laws covering smart contract risks, such as data protection, compliance and regulatory issues, and theft.
With a combined talent pool of programmers and lawyers, it is to be hoped that the industry, aided by expert legal counsel, will minimise the potential security risks of smart contracts and establish best practices. This will create greater trust in the digital industry and, by extension, the smart contracts that govern it.
Written by Noor Kadhim, a consultant at Gateley Legal, and reworked from the original article in Open Access Government
Gateley Plc is authorised and regulated by the SRA (Solicitors' Regulation Authority). Please visit the SRA website for details of the professional conduct rules which Gateley Legal must comply with.