As the trend toward tokenization accelerates, smart contracts are going to unlock, control, and move untold trillions in value.
They have already done so, but as BlackRock (NYSE: BLK), JPMorgan (NYSE: JPM), the Bank for International Settlements (BIS), and major companies around the world embrace blockchain and tokenization, the stakes are about to get much higher.
In a tokenized world, it’s not enough to repeat the “Code is law” mantra and hope for the best; security and resilience must be built into the stack. And yes, whether the ideologues in the industry like it or not, that involves legal compliance and Digital Asset Recovery.
Common vulnerabilities in smart contracts
“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.” – Former U.S. Secretary of Defense Donald Rumsfeld
Rumsfeld was talking about the War on Terror when he said the above, but the principle applies just as well to any kind of security, including blockchain-based smart contracts.
While the unknown unknowns will become apparent in time, we can focus on the things we do know for now. These perfectly demonstrate why alignment with the law and a harmonized approach to smart contract security are needed.
Reentrancy – Imagine the smart contract as a digital vending machine: you put a coin in, press the button, and it is supposed to send you tokens and update the relevant balances. A clever attacker, however, finds a way to press the button again before the balances have been updated, allowing them to withdraw multiple times.
This is reentrancy in layman's terms, and it is not a hypothetical risk: it is what happened when the Ethereum DAO was hacked in 2016 and roughly 3.6 million ETH was drained. Back then, the response was a contentious hard fork that moved the stolen funds into a recovery contract, in effect rolling the chain's state back, but that is not going to fly in a world where trillions in tokenized value live on the blockchain.
In the wake of the DAO hack, Ethereum developers adopted safeguards such as the checks-effects-interactions pattern and reentrancy guards, but a simpler solution would be to use UTXO blockchains. Reentrancy depends on a callee being able to call back into the contract while its state is only half-updated, which is only possible on account-based blockchains where all balances and variables live in a shared, mutable global state; in a UTXO model each transaction consumes and creates outputs atomically, so there is no intermediate state to re-enter.
Integer Over/Underflows – In a world where trillions in value move on blockchain daily, tiny math errors in smart contracts could have huge consequences.
To explain this bug simply: computers store numbers in fixed-size containers, and each container has a minimum and a maximum value it can hold. Think of them as the old-style mechanical odometers in vehicles.
In versions of Solidity before 0.8.0, if a calculation went beyond those limits, the contract would not throw an error; the value would silently wrap around, e.g., from 99999 to 00000, or for an 8-bit unsigned integer from 255 back to 0 and from 0 down to 255. That is integer overflow (too high) or underflow (too low), and it is not difficult to imagine how it could be a cascading disaster with trillions worth of tokens in the mix. A balance check written as "balance - amount >= 0" on an unsigned integer, for instance, is always true, so an oversized withdrawal wraps the balance to an enormous number instead of failing.
The solution here is to use checked-arithmetic libraries such as SafeMath on older compilers, or compiler versions and languages that revert automatically on overflow (Solidity has done so by default since 0.8.0). Better yet, blockchains should have built-in mechanisms for Digital Asset Recovery, because when the tokenization of everything happens, there will likely be serious legal consequences if these errors cause significant losses.
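The odometer behaviour in code, as an added example that is not part of the original article: a token contract that reproduces the pre-0.8 wrapping semantics inside unchecked blocks, with the two classic mistakes (a useless ">= 0" check that lets a balance underflow, and a batch total that overflows to a small number), beside the same token under the default checked arithmetic of Solidity 0.8. The contract names and the initial supply are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Reproduces pre-0.8 wrapping semantics with `unchecked` so the bugs are
// visible on a modern compiler.
contract WrappingToken {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1_000_000; } // hypothetical supply

    // Looks guarded, but for an unsigned integer "x - y >= 0" is always true.
    // If amount > balance, the subtraction wraps to ~2**256 instead of failing,
    // and the sender ends up with a near-infinite balance.
    function transfer(address to, uint256 amount) external {
        unchecked {
            require(balanceOf[msg.sender] - amount >= 0, "insufficient"); // no-op
            balanceOf[msg.sender] -= amount;  // underflows when amount > balance
            balanceOf[to] += amount;
        }
    }

    // Overflow in the other direction: with 2 receivers and value = 2**255,
    // total wraps to 0, the balance check passes, and each receiver is
    // credited with 2**255 tokens the sender never had.
    function batchTransfer(address[] calldata to, uint256 value) external {
        unchecked {
            uint256 total = to.length * value;
            require(balanceOf[msg.sender] >= total, "insufficient");
            balanceOf[msg.sender] -= total;
            for (uint256 i = 0; i < to.length; i++) {
                balanceOf[to[i]] += value;
            }
        }
    }
}

// Same token under Solidity 0.8 checked arithmetic (SafeMath gives the same
// result on older compilers): every wrap above becomes a revert, and the
// balance check is written so it actually tests what it claims to.
contract CheckedToken {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1_000_000; } // hypothetical supply

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;  // would revert on underflow anyway
        balanceOf[to] += amount;
    }

    function batchTransfer(address[] calldata to, uint256 value) external {
        uint256 total = to.length * value; // reverts with Panic(0x11) on overflow
        require(balanceOf[msg.sender] >= total, "insufficient");
        balanceOf[msg.sender] -= total;
        for (uint256 i = 0; i < to.length; i++) {
            balanceOf[to[i]] += value;
        }
    }
}
```

Calling WrappingToken.transfer() with an amount larger than the caller's balance succeeds and leaves the caller with a balance of about 1.16e77; the same call on CheckedToken reverts. Note that the checked compiler alone would not have caught the first bug if the ">= 0" comparison were the only guard: the subtraction reverting is what saves it, which is why the corrected version states the intended check explicitly rather than relying on the arithmetic panic.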
There are also several other well-understood vulnerabilities with smart contracts:
Centralized Control of Keys – If a so-called decentralized protocol is controlled by one wallet or set of keys, it’s not decentralized at all.
Some potential solutions include minimizing admin functions, using multisig wallets for privileged transactions, and implementing time-locked governance so that changes are visible before they take effect, preferably some combination of these.
Oracle Manipulation – Misinformation is already a problem on the Internet, but when it could be weaponized to game oracle feeds and cause smart contracts to make false assumptions, the consequences could be dire.
Aggregating multiple independent data sources, discarding stale or outlying answers, using reputable oracle networks, and relying on on-chain data that cannot be moved cheaply within a single block (time-weighted rather than spot prices) can go some way to mitigating this risk.
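One way to aggregate feeds so that a single manipulated source cannot move the answer, as an added example that is not part of the original article: a contract that reads several feeds, drops stale or zero answers, takes the median, and refuses to report if the surviving feeds disagree too widely. The IPriceFeed interface, the contract name and the parameter names are hypothetical and do not correspond to any particular oracle vendor's ABI.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical feed interface used for this example only.
interface IPriceFeed {
    function latestPrice() external view returns (uint256 price, uint256 updatedAt);
}

contract MedianOracle {
    IPriceFeed[] public feeds;
    uint256 public immutable maxAge;           // seconds before an answer is stale
    uint256 public immutable maxDeviationBps;  // allowed spread between min and max

    constructor(IPriceFeed[] memory _feeds, uint256 _maxAge, uint256 _maxDeviationBps) {
        require(_feeds.length >= 3, "need at least 3 feeds");
        feeds = _feeds;
        maxAge = _maxAge;
        maxDeviationBps = _maxDeviationBps;
    }

    function price() external view returns (uint256) {
        uint256 n = feeds.length;
        uint256[] memory prices = new uint256[](n);
        uint256 fresh;

        // 1. Collect answers, discarding zero, stale or future-dated ones.
        for (uint256 i = 0; i < n; i++) {
            (uint256 p, uint256 t) = feeds[i].latestPrice();
            if (p == 0 || t > block.timestamp || block.timestamp - t > maxAge) continue;
            prices[fresh++] = p;
        }
        // 2. Require a strict majority of feeds to still be usable.
        require(fresh * 2 > n, "too few fresh feeds");

        // 3. Insertion sort; the array is tiny so this is cheaper than anything fancier.
        for (uint256 i = 1; i < fresh; i++) {
            uint256 key = prices[i];
            uint256 j = i;
            while (j > 0 && prices[j - 1] > key) {
                prices[j] = prices[j - 1];
                j--;
            }
            prices[j] = key;
        }

        // 4. Median: one bad feed cannot shift it when at least 3 are fresh.
        uint256 median = fresh % 2 == 1
            ? prices[fresh / 2]
            : (prices[fresh / 2 - 1] + prices[fresh / 2]) / 2;

        // 5. Fail closed if the spread is suspicious rather than return a
        //    number that downstream contracts will act on.
        uint256 spread = prices[fresh - 1] - prices[0];
        require(spread * 10_000 <= median * maxDeviationBps, "feeds disagree");
        return median;
    }
}
```

With three feeds, an attacker who controls one of them can push the median no further than the nearest honest answer, and if they push it far enough to widen the spread past maxDeviationBps the call reverts instead of returning a poisoned price. The staleness check matters as much as the median: a feed that stopped updating during a market move would otherwise keep voting with an old value.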
We have seen several real-world examples of the disastrous consequences of these vulnerabilities: the Ethereum DAO hack in 2016 (reentrancy), the roughly $600M Poly Network theft in 2021 (a flaw in the cross-chain contract's handling of its privileged keeper role), and the Curve Finance exploit in 2023 (reentrancy re-enabled by a faulty Vyper compiler version whose reentrancy locks did not work) all show how bugs and errors can be exploited.
So, these are the known knowns and the known unknowns. The unknown unknowns will inevitably pop up later, and we must prepare in advance.
The need for legal compliance and Digital Asset Recovery
As mentioned previously, blockchain rollbacks are possible, and tracking/tracing stolen funds is feasible on public blockchains. But that won’t be enough if the biggest banks, financial institutions, and even sovereign states are storing and moving value in blockchain-based smart contracts.
As the panelists of the ‘Stablecoins – Hype vs Truth’ panel at the London Blockchain Conference 2025 agreed, the largest banks and financial institutions on earth aren’t running blockchain pilots for the sake of it; they’re preparing for a tokenized, blockchain-based world. This is happening now, and we need to be ready.

As well as using proper risk management, open-source libraries and tools, peer-review, bug bounties, and independent audits, public blockchains must be designed to comply with common-law-derived legal systems.
They must also have mechanisms for Digital Asset Recovery, because while the former can help with the known risks, the latter will allow us to respond when the unknown unknowns inevitably make an appearance.
While it is not widely believed yet, Digital Asset Recovery is possible on all blockchains. For these mechanisms to be effective, miners and validators must be known so they can be served with legal notices and can reassign tokens by appending to the ledgers they control, via consensus.
It is a combination of technical and legal safeguards that help blockchain tech remain credible. Should we fail to prepare, and should a serious, irrecoverable loss occur as a result, the entire blockchain experiment may be shelved, and the window of opportunity may close for good.