ISACA

TECH BRIEF

Smart Contracts

Smart Contracts: What are they?
Smart contracts are computer code—software that
automatically executes transactions (e.g., exchange of
money, property, shares or anything of value) and/or
enforces agreements based on the fulfillment of the
terms of an agreement.
Smart contracts perform this function by leveraging a
platform that uses public validation to ensure correct and
reliable performance according to agreed rules, utilizing a
decentralized ledger technology. Constant public review
ensures that smart contracts resist manipulation and hacking,
thus eliminating the need for third-party intermediaries (and
associated fees). Smart contracts create their own audit trail
by storing all contract transactions in chronological order, if
later review is needed.
Smart contract rules are defined by if/then language:
If this (e.g., receipt of payment) happens, then that
(e.g., shipment of a product) happens.
If this sounds somewhat familiar, it may be due to the
recent investment frenzy over Bitcoin, the cryptocurrency
with the largest market capitalization in the world. Smart
contracts are built on similar technology to that which
enables the use of Bitcoin: blockchain. Blockchain automates
the 5,000-year-old concept of using ledgers to record the
ownership and transfer of value, providing a secure, single
source of truth while adding the benefits of a decentralized
infrastructure, anonymous transactions and elimination of
third-party attestation.
Blockchain should not be mistaken for a database, which
can be altered by anyone with access; instead, blockchain
enables transactions that are immutable and irrevocable.
Although transferring cryptocurrency is the primary use of
blockchain today, the technology’s ability to automatically
implement the terms of multiparty agreements opens the
door for widespread use of smart contracts.
While Bitcoin dominates the blockchain market today, it is
not alone. Ethereum®, which has its own currency (ether) is
another such currency: one which holds greater possibilities
for smart contracts as well as cryptocurrency. Ethereum
functions similarly to Bitcoin in relying on a public blockchain

“The cryptographic keys are a weak link. So far, attacks have not centered on the blockchain, but on the keys. The
individual who controls the keys can do anything within the contract, including making false claims for payment.”
RON HALE, PRINCIPAL RESEARCHER, COORACLARE INSTITUTE

1

and a consensus approach to validation, while boasting
advanced functionality for coding and processing smart
contracts without the need of a trusted third party. Meaning,
in addition to the tamper-resistant transactional data
structures and ledger such as those that underpinning other
cryptocurrencies, Ethereum also provides a framework for
the execution of software.
The goal of a smart contract system is to implement
and operate a “Turing complete” instruction set as part of
the currency itself; for example, one that operates as
part of the mining and ledgering process. This means that
it can execute arbitrary software logic in a similar way to
a computer or a programming language can. Ethereum
is not alone in seeking to implement this capability.
“This is an interesting time to start the conversation about smart contracts. We are migrating from the birth of
blockchain as a technology, moving through the process of funding and developing platforms that will support
applications that will make smart contracts readily available to the average user.”
AMY KEMP, OWNER, KEMP CPA PLLC
What is the potential impact for business?
Smart contracts are well suited for business activities that
involve purchase or exchange of goods, services and rights,
especially when frequent transactions occur among a
network of parties and manual or duplicative tasks are
performed by counterparties for each transaction. This
application is a match for many financial services transactions
(e.g., simplifying automatic dividend payments, stock splits
and cryptographic signatures on stock certificates; enforcing
standard transactional rules for derivatives; streamlining
over-the-counter agreements). It also describes many supply
chain, manufacturing and retail transactions. However, the
technology is still in its infancy, so most use cases of smart
contracts today consist of the transfer of cryptocurrency and
recording/changing ownership of land or other assets.
Nevertheless, additional possibilities for future use abound,
such as:
2
ISACA Tech Brief | Smart Contracts
Several other platforms, such as EOS® and Tezos®, with
interesting new twists on smart contract execution,
are under development as well.
Early proponents of smart contracts point to their
ability to automate functions that can otherwise be slow
and error-ridden, thus reducing cost and the time to
settlement. Critics note that the code can contain errors
and the self-executing instructions enable limited or
no legal accountability, unlike contracts executed in the
“real world”—in other words, they argue that smart contracts
are neither “smart” nor “contracts.” Despite the naysayers,
interest and investment in the development of smart
contracts are likely to accelerate over the next three
to five years.
• Agriculture—IoT sensors reading the environment and
automatically initiating activities such as irrigation or deploy-
ment of insecticide, based on programmed trigger values
• Real estate—Automatically locking a house (through
an Internet-enabled lock) upon a tenant’s nonpayment of
rent and then unlocking it when payment is submitted
• General business and personal management—Replacing
intermediaries that handle processing and payments for a
fee (e.g., eBay and Airbnb) with peer-to-peer transactions,
automating compliance with records’ “destroy by” dates,
and managing users’ multiple digital identities and preferred
release of personal data
• Health care—Securing access to personal health records,
enabling doctors to provide insurers proof of completed
surgeries, supervising drugs and other supplies, and
enabling secure and timely sharing of patient information
for clinical trials and research
 ISACA Tech Brief | Smart Contracts

What are the risk, threats and controls?

Because smart contracts are still evolving, there is limited
view into all their potential threats. Risk areas already
generating concern relate to the scalability of blockchain
platforms, the trustworthiness of the data services that
provide information to the blockchain, the privacy of the code
within the contracts, the changing and evolving technology
supporting smart contracts (will it all work together?), and the
potential for collusion among those building the blockchain.
Questions also persist about:
• Immutability—Smart contracts adhere strictly to their
code and are uncontrollable after deployment.
• Irrevocability—Smart contracts cannot be revoked,
only replaced by new contracts.
As with any service that depends entirely on software
programming, the primary risk lies in the fallibility and
security of the code. Two examples help to illustrate the
ramifications of such errors and breaches:
• A hacker exploited a vulnerability in the Ethereum block-
chain used by a decentralized autonomous organization
(DAO). The result was a fatal flaw in the smart contract
running on the platform (though not in the blockchain
itself). The hacker took at least US $50 million from the
DAO; the DAO’s investors could lose their entire $150
million investment.1
• A coding error prevented a smart contract from properly
processing incoming amounts of ether cryptocurrency;
the error caused a US $14 million loss in QuadrigaCX’s
holdings. In the few days that it took to discover the
error, all ether sent to the company’s exchange was
trapped in the smart contract, unable to be used even
though it was technically in the company’s possession.2
Smart contracts’ viability is based on the resiliency of the
software implementing the smart contracts and the secure
development/coding involved, so certain controls will be
needed to assure their viability. Use of software development
life cycle (SDLC) practices and change controls in the
creation of the applications will help ensure that the files
containing the smart contract attributes are not corrupted.
Controlling the cryptographic keys (the locking/unlocking
mechanisms for transactions) will be critical. Testing and
certifying smart contracts, as well as legal reviews of the
terms—services already offered in the marketplace—will be
integral to the contracts’ widespread use.

Statistics

2,367 % $
400 $
116
MILLION
MILLION

Ethereum’s trading price has increased
by 2,367 percent in 2017, an increase
attributed to support from corporations
wishing to use the technology for smart
contract applications.3
Expectations for spending on capital
markets applications of blockchain:
US $400 million and a 52-percent
compound annual growth rate
through 2019 4
Smart contract venture capital-related
deals totaled US $116 million in Q1 of
2016, more than twice as much as the
prior three quarters combined and 86%
of total blockchain venture funding.5

3
 ISACA Tech Brief | Smart Contracts

“The use of smart contracts will not eliminate legal reviews; if anything, it will elevate them to an indispensable
position. The equivalent of user acceptance testing will need to be completed for these contracts to ensure there
are no errors between what the attorneys want and the way that is represented in code.”
JACK FREUND, PH.D., SR. MANAGER, CYBER RISK, TIAA

Finally, there is the traditional “safety net”—insurance. What’s next?

However, before counting on insurance for indemnification,
a thorough review of existing policies should be conducted
to see if ample coverage exists to mitigate smart contract-
related risks and losses. Insurance, notably errors and
omissions coverage, will have to evolve to cover new risk
brought on by smart contracts. It is doubtful that reliance
can be placed on traditional policies for commercial property,
business income, liability or business crime. The vast majority
of coding errors do not arise from intentional wrongdoing or a
catastrophic event, and they may not result in any injury to a
third party—the conditions that precipitate coverage by these
traditional insurance policies.
So far, governments have made minimal inroads into
how regulation or taxation will apply to smart contracts.
However, once those rules are codified, the risk of
noncompliance will exist, just as it does with other
regulations or legislation.
Any enterprise evaluating the use of smart contracts needs
to do a bit of homework before proceeding. Here are some
things to consider:
• Be sure to have a good understanding of the processing
costs associated with smart contracts (which will be
tied to the cost of the cryptocurrency).
• Even if your enterprise is not ready to tackle smart
contracts today, start selecting and documenting contracts
that lend themselves most readily to automation
(e.g., ledger-type transactions).
• Read the documentation for any system being considered
for use. Understand how it is designed, what governance
is built in and what currency is used.
• Partner with firms working on similar projects that can be
addressed through smart contracts.
• Wait until the technology is proven. Learn from the
experiences of others who are first adopters.

1 Siegel, D.; “Understanding the DAO Attack,” CoinDesk, 25 June 2016, https://www.coindesk.com/understanding-dao-hack-journalists/

2 Butcher, Jared R.; “My smart contract just ate $14 million—now what? Re-thinking indemnification for smart contract risks,” Lexology, 12 June 2017,
https://www.lexology.com/library/detail.aspx?g=c3e967ea-92a2-495b-a54a-0f46143f6833

3 Kharpal, A.; “Bitcoin may have more than doubled this year, but rival Ethereum is up 2,000 percent. Here’s why,” CNBC, 24 May 2017,
https://www.cnbc.com/2017/05/24/ethereum-price-bitcoin-rally.html

4 BI Intelligence, The Blockchain Report, May 2016, https://www.businessinsider.com/intelligence/research-store?IR=T&utm_source=businessinsider&utm_medium=content_marketing&utm_ter-

m=content_marketing_store_text_link_smart-contracts-pose-enforceability-issues-2016-11&utm_content=report_store_content_marketing_text_link&utm_campaign=content_marketing_store_
link&vertical=fintech#!/The-Blockchain-Report/p/66035425/

5 CFO Journal, “Getting Smart About Smart Contracts,” Wall Street Journal, June 23 2016, http://deloitte.wsj.com/cfo/2016/06/23/getting-smart-about-smart-contracts/

For more information, go to:

www.isaca.org/SmartContracts
Reservation of Rights
4
© 2017 ISACA. All rights reserved.