Does this article need to be translated?
Contribute to the Help Center
Submit translations, corrections, and suggestions on GitHub, or reach out on our Community forums.
Smart contracts are the computer programs that run on the Ethereum Virtual Machine (EVM) and similar blockchains. Their name is somewhat misleading: when you interact with them, you're not signing up to a contract, but simply triggering a program to run.
The virtually endless possibilities for smart contract functions are what makes Ethereum and web3 so powerful. Accessibility is also a key feature: since web3 is meant to be decentralized and usable by everyone, smart contracts can be created and deployed by anyone who wants to. Inevitably, some try and exploit this freedom to take advantage of other users.
This is why you should learn how to identify fraudulent smart contracts and stop yourself falling victim to their scams.
For clarity, smart contracts could represent:
- A token, such as ERC-20 tokens, which are defined and managed by smart contracts, or even an NFT collection
- A function within a dapp, such as a program which oversees a token swap, or even a DAO's governance mechanisms.
Connecting vs. approving
When using MetaMask in the big wide world, you'll often be prompted to connect your wallet. You'll also reasonably often be asked to approve certain operations. In this context, it's approvals (also referred to as allowances) you need to focus on: the distinction is important!
- Connecting your wallet to a site doesn't allow it to do anything with your funds unless you specifically consent. So whilst this connection will enable a dapp to propose certain transactions or actions to you, nothing will happen to your funds unless you approve the suggested transactions. Read more on connecting your wallet here.
- Approvals, meanwhile, involve giving a smart contract the ability to interact with a certain token, in a certain quantity, as and when they require. You should always stop and think when being asking to approve something, as it generally involves handing over control of your assets to a computer program that could have been written by anyone. Read more here.
Checking if a smart contract is trustworthy
Let's go through some things to look for when evaluating whether you should trust a smart contract:
Is it asking you to approve access to your tokens?
- Other than social engineering to get hold of your Secret Recovery Phrase (learn how to stay safe), token approval scams are one of the most common attack vectors in web3. This is why we explained them in brief above. If you consent to a dapp's token approval, you're handing it control of whatever token (and quantity of that token) that you approve. This alone should make you think twice.
- Does the token to which the dapp is requesting access make sense? Is it relevant to the dapp functionality you intended to use?
- Does the quantity of token being requested make sense? Bear in mind that many popular apps request access to an essentially infinite amount of the token to prevent you having to sign (and pay for) numerous transactions in future. Read more under here.
Look up the address on the relevant block explorer. All smart contracts have an address. Any reputable dapp, NFT collection, or other party should make this address readily available; either directly on their main site or in docs. MetaMask will also show you the smart contract's address before you sign any transaction.
Input the address into a block explorer's search bar. Many of these, including Etherscan, will tell you if the code is verified or not, as highlighted below. You can also check to see if the contract has a name — if it doesn't it could be either very new or untrustworthy.
You could also check the comments section on the block explorer for an indication of user sentiment. Though take this with a pinch of salt, as it could be influenced by fraudulent actors themselves.
Use coin/token listing sites to investigate a token. Go to Coingecko, for example, and input the token's name or address. You should be able to see relevant details about the token, such as the project's website and their socials. Here you could check whether the dapp/token/project has a genuine, active community that isn't just full of bots, or look for a white paper on their website that demonstrates that it isn't just a rugpull-in-waiting. Our guide to Token safety practices is also very useful in this context.
Check recent contract activity. Look at the recent transactions listed on the smart contract's page on the block explorer. Whilst block explorers can be overwhelming, just try and focus on spotting patterns, and then asking why that pattern might exist. A common fraudulent practice, for example, is to prevent token buyers and holders from selling a token — so if you don't see any sell transactions, you may be looking at a honeypot scam, or similar.
Unfortunately, there is no way to be 100% sure of a smart contract's legitimacy, short of spending many hours familiarising yourself with Solidity and related coding languages so that you can audit them yourself.
So it bears repeating: always act with caution on web3. If you're not sure about a specific site or have any further questions, get in touch with us via the'start a Conversation' button on the homepage of this site.
FAQs
Look up the address on the relevant block explorer.
How are smart contracts safe? ›
What makes smart contracts secure? Most smart contract security measures take place during the development process. Unlike traditional systems, smart contracts are nearly impossible to patch once deployed. For this reason, it's essential that developers understand a few basic smart contract security principles.
How do you interact with a smart contract function? ›
Interacting with Smart Contracts using Etherscan
- Step 1: Go to the Etherscan Sepolia Block Explorer.
- Step 2: Go to the contract page by searching the contract address. ...
- Step 3: On the contract's page, navigate to the Contract tab and click on Read Contract.
The recommended way for a smart contract to test if an address is a smart contract is to measure the size of its bytecode. If an address has bytecode, then it is a smart contract.
How do I verify a smart contract deployed? ›
The way smart contracts are verified is by simply uploading the source code and contract address to services such as Etherscan.
How do I know if my smart contract is safe? ›
Input the address into a block explorer's search bar. Many of these, including Etherscan, will tell you if the code is verified or not, as highlighted below. You can also check to see if the contract has a name — if it doesn't it could be either very new or untrustworthy.
What are the security risks of smart contract? ›
A reentrancy attack exploits the vulnerability in smart contracts when a function makes an external call to another contract before updating its own state. This allows the external contract, possibly malicious, to reenter the original function and repeat certain actions, like withdrawals, using the same state.
How do wallets interact with smart contracts? ›
Understanding Smart Contract Wallet
These wallets leverage the capabilities of blockchain technology to create self-executing contracts with predefined conditions. Unlike traditional wallets, which rely on private keys to access funds, smart contract wallets use programmable scripts to manage and control transactions.
How do I interact with smart contract after deployment? ›
Interact with deployed smart contracts
- Perform a read operation To perform a read operation, you need the address that the contract was deployed to and the contract's ABI. ...
- Perform a write operation To perform a write operation, send a transaction to update the stored value. ...
- Verify an updated value
Example of a Smart Contract Process
Contract Trigger: The buyer triggers the contract by making a payment. This payment is made directly to the contract, not to the seller. Contract Execution: The contract automatically executes when the payment is made.
What are the five requirements of a valid contract?
- The offer (terms of the offer) One party must make an offer to another. ...
- Acceptance of an offer. ...
- The capacity of the parties involved. ...
- Some form of consideration. ...
- All parties intend to enter the agreement.
To unit test a Solidity smart contract using Hardhat, set up a project structure, add a Faucet. sol contract file, and create a test file structure. Use describe and it functions to define the test suite and targets. Test withdraw() , destroyFaucet() , and withdrawAll() functions.
Should I verify my smart contract? ›
Smart contract testing and verification are essential to the Web3 development lifecycle. It ensures the trustless, transparent nature of blockchain making source code verifiable and reducing vulnerability risks.
What happens when a smart contract is deployed? ›
When a smart contract is deployed, it creates an instance (contract account) on the network. One can create multiple instances of a smart contract on the network or multiple networks. Deployment of a smart contract is done by sending a transaction to the network with bytecode.
Can you read a smart contract? ›
Deciphering a smart contract
An individual can see the transaction record for a smart contract that occurred on the blockchain by looking at a block explorer. In the figures below, we discuss the information available for smart contracts on the Ethereum Blockchain as shown on numerous websites such as www.etherscan.io.
Can you change smart contract once deployed? ›
What Are Upgradeable Smart Contracts? Typically, smart contracts are unchangeable once deployed. This immutability builds trust among DeFi parties since even the contract's creator can't alter it.
Can smart contracts be hacked? ›
Because smart contracts are stored on-chain, hackers can examine the public codebase for vulnerabilities, such as reentrancy or missing checks, and then conduct their attacks.
Can a smart contract be breached? ›
So, to achieve rectification, a court may order a party to enter into an amended contract onto the ledger. From a legal perspective, if a smart contract is solely in code, it could be particularly difficult to establish a breach of contract, due to the interpretive constraints outlined above.
What is the reliability of smart contracts? ›
This predictability ensures reliability in contractual agreements. While the execution of smart contracts is automated, it is not free. Each action on the blockchain incurs a cost, known as a gas fee, which compensates the network nodes for the computational resources used during the execution.
Are smart contract wallets safe? ›
Better security
To prevent asset theft or unauthorized access, smart contract wallets use encryption methods and blockchain technology. The wallet securely stores and encrypts the user's private key, making it much more difficult for hackers to access the user's funds.
