Smart Contract

Updated Feb 2026

What is a Smart Contract?

A smart contract is a program deployed on a blockchain that automatically executes predefined rules when specific conditions are met. Think of it as a vending machine: you put in money, select an item, and the machine dispenses it — no human intervention required.

Smart contracts are the building blocks of all DeFi protocols, NFT platforms, DAOs, and Web3 applications. Every swap on Uniswap, every loan on Aave, every NFT mint — all executed by smart contracts.

The concept was first proposed by cryptographer Nick Szabo in 1994, long before blockchain existed. Ethereum, launched in 2015, was the first blockchain designed specifically to run arbitrary smart contracts. Today, virtually every major blockchain supports them.

How Smart Contracts Work

Deployment

  1. Write the contract in a high-level language (Solidity, Vyper, Rust, Move)
  2. Compile it to bytecode (the format the blockchain understands)
  3. Deploy it by sending a special transaction with the bytecode
  4. Receive an address — the contract now lives on-chain at a permanent address

Once deployed, the contract’s code is immutable — it cannot be modified. This is both a strength (trustless execution) and a weakness (bugs can’t be patched directly).

Execution

Anyone can call a smart contract by sending a transaction to its address:

  1. Transaction: User sends a transaction specifying the contract address + function + parameters
  2. EVM: The Ethereum Virtual Machine executes the contract code
  3. State change: The contract modifies on-chain storage (balances, ownership, etc.)
  4. Events: The contract emits events that applications can listen to
  5. Gas: The caller pays gas for every computational operation

Example: A Simple Token Transfer

A basic ERC-20 token contract stores a mapping of addresses to balances:

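// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract MyToken {
    mapping(address => uint256) public balances;

    // Logged on every successful transfer so off-chain applications can track it
    event Transfer(address indexed from, address indexed to, uint256 value);

    function transfer(address to, uint256 amount) public {
        // Check: the sender must own at least `amount`
        require(balances[msg.sender] >= amount, "Insufficient balance");
        balances[msg.sender] -= amount;
        balances[to] += amount;
        emit Transfer(msg.sender, to, amount);
    }
}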

When you call transfer(), the EVM checks the sender’s balance, deducts it, credits the receiver, and logs the event — all automatically.

Smart Contract Languages

| Language | Chain | Style | Use Case |
|----------|-------|-------|----------|
| Solidity | EVM (Ethereum, L2s) | JavaScript-like | Most DeFi, NFTs, DAOs |
| Vyper | EVM | Python-like | Security-focused (Curve uses it) |
| Rust | Solana, Near | Systems-level | High-performance dApps |
| Move | Aptos, Sui | Resource-oriented | Asset safety focus |
| Cairo | Starknet | Custom | ZK-rollup programs |

Key Properties

Immutability

Once deployed, the code cannot change. This means:

  • Trust: Users know the rules can’t be secretly modified
  • Risk: Bugs are permanent unless mitigated by upgrade patterns

Composability

Smart contracts can call other smart contracts. This “money lego” property enables:

  • Aave to use Chainlink oracles
  • Yearn to auto-compound Uniswap LP positions
  • Complex DeFi strategies to be built by composing primitives

Determinism

Given the same inputs, a smart contract always produces the same output. This is essential for consensus — every node must agree on the result.

Transparency

All contract code and state is publicly visible on the blockchain. Anyone can verify what a contract does (though reading bytecode requires decompilation unless source is verified).

Upgrade Patterns

Because smart contracts are immutable, developers use patterns to enable upgrades:

Proxy Pattern

  • Implementation contract: Contains the actual logic (can be replaced)
  • Proxy contract: Holds the state and delegates all calls to the implementation
  • Admin: Authorized to upgrade the proxy to point to a new implementation

This is used by major protocols (Aave, Uniswap V3, Compound) but introduces centralization risk — the admin key holder can change the protocol’s logic at any time.

Diamond Pattern (EIP-2535)

A more complex upgrade pattern that allows multiple “facets” (modules) to be upgraded independently.

Common Vulnerabilities

Reentrancy

The infamous bug that caused The DAO hack (2016), leading to Ethereum’s hard fork:

// VULNERABLE: External call before state update
function withdraw() public {
    uint balance = balances[msg.sender];
    // External call hands control to msg.sender while the balance is still recorded
    (bool ok, ) = msg.sender.call{value: balance}("");
    require(ok, "Transfer failed");
    balances[msg.sender] = 0;  // Too late! Attacker re-entered above
}

Fix: Always update state before external calls (Checks-Effects-Interactions pattern) or use ReentrancyGuard.

Integer Overflow/Underflow

Solidity 0.8+ has built-in overflow checks, but older contracts are vulnerable. A token with totalSupply that overflows could create unlimited tokens.

Access Control

Forgetting to restrict who can call certain functions. Many hacks involve public functions that should have been onlyOwner.
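
The two weaknesses described under Integer Overflow/Underflow and Access Control, shown on one `mint` function beside a corrected version. This is an added example, not code from the original page; both contract names and the supply cap are constructed for illustration, and `unchecked` is used to reproduce the wrapping arithmetic of pre-0.8 compilers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; contract and function names are hypothetical.
contract LegacyStyleToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balances;

    // WEAK: no caller restriction, and `unchecked` reproduces the wrapping
    // arithmetic every contract had before Solidity 0.8.
    function mint(address to, uint256 amount) public {
        unchecked {
            totalSupply += amount; // silently wraps past 2**256 - 1
            balances[to] += amount;
        }
    }
}

contract HardenedToken {
    uint256 public constant MAX_SUPPLY = 1_000_000 ether; // constructed cap
    address public immutable owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balances;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    // Restricted caller, checked arithmetic (reverts with Panic(0x11) on
    // overflow), and an explicit supply cap as a second line of defence.
    function mint(address to, uint256 amount) external onlyOwner {
        require(to != address(0), "Zero address");
        uint256 newSupply = totalSupply + amount;
        require(newSupply <= MAX_SUPPLY, "Cap exceeded");
        totalSupply = newSupply;
        balances[to] += amount;
    }
}
```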

Front-running

Transactions in the mempool are visible. Attackers can see your pending transaction and front-run it (MEV).

Auditing and Security

Given the stakes (bugs can cost millions), smart contract security is paramount:

  • Audits: Firms like OpenZeppelin, Trail of Bits, and Certik review code for vulnerabilities ($15,000-$100,000+ per audit)
  • Formal verification: Mathematical proofs that code behaves correctly (used by Certora)
  • Bug bounties: Protocols pay up to $1,000,000 for critical vulnerability reports
  • Testnets: Contracts are deployed on test networks first to catch issues
  • Multi-sig: Protocol upgrades require multiple signatures, reducing single-key risk

Frequently Asked Questions

Q: Are smart contracts legally binding?
A: It’s a gray area. Smart contracts technically execute automatically, but their legal enforceability depends on jurisdiction and whether they map to traditional contract elements (offer, acceptance, consideration).

Q: What happens if a smart contract has a bug?
A: Unlike traditional software, you can’t just push a fix. Options include: deploying a new contract and migrating users, using an upgrade proxy (if designed for it), or social consensus to fork the chain (extremely rare, only happened once with The DAO).

Q: Can smart contracts access the internet?
A: Not directly. They need oracles (like Chainlink) to fetch external data. This is a security feature — direct internet access would break determinism.