Good afternoon, Cyber Saturday readers.
In honor of “blockchain week,” which is kicking off in New York City, I’ve been thinking about the security of smart contracts, self-executing computer programs designed to encode business relationships. A smart contract might codify, for example, an agreement like this: If Justify, a racehorse, wins the Kentucky Derby, pay $10 in Bitcoin to some lucky fellow’s digital wallet. The code eliminates the need for a bookie.
Now imagine a future in which such contracts automate tasks once relegated to lawyers, pencil-pushers, and other intermediary parties. Blockchain boosters dream of a day when they can route around middlemen with these sorts of self-driving computer programs, thereby making markets more efficient, so the thinking goes. There’s a snag though: Smart contracts are software applications, and software applications have bugs.
Sometimes, as with The DAO, an ill-fated, decentralized venture capital fund built on Ethereum, a popular cryptocurrency network, those bugs can be ruinous. Hackers stole $50 million in cryptocurrency from the project in 2016 thanks to a simple “reentrancy” flaw. The bug allowed an attacker, or group of attackers, to continually withdraw money from the smart contract-powered organization until its coffers had been thoroughly pilfered.
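The reentrancy pattern behind The DAO loss, as an added illustration that is not part of the original newsletter: a small Python model (not Solidity, and not The DAO's actual code) of a vault whose withdraw pays out before updating the caller's balance, beside the checks-effects-interactions ordering that closes the hole. The vault, user and deposit values are constructed for the demonstration.

```python
class VulnerableVault:
    """Pays out BEFORE zeroing the caller's balance, so a callback that
    re-enters withdraw() still sees the old balance and is paid again."""
    def __init__(self, deposits):
        self.balances = dict(deposits)       # constructed sample deposits
        self.funds = sum(deposits.values())  # value held by the contract

    def withdraw(self, caller):
        amount = self.balances.get(caller.addr, 0)
        if amount == 0 or self.funds < amount:
            return
        self.funds -= amount
        caller.receive(self, amount)         # external call re-enters here
        self.balances[caller.addr] = 0       # state update lands too late

class SafeVault(VulnerableVault):
    """Checks-effects-interactions: record the withdrawal before paying."""
    def withdraw(self, caller):
        amount = self.balances.get(caller.addr, 0)
        if amount == 0 or self.funds < amount:
            return
        self.balances[caller.addr] = 0       # effect first
        self.funds -= amount
        caller.receive(self, amount)         # interaction last

class HonestUser:
    def __init__(self, addr):
        self.addr, self.received = addr, 0
    def receive(self, vault, amount):
        self.received += amount

class ReenteringUser(HonestUser):
    """Models a fallback that calls withdraw() again while the first call
    is still in flight, until the vault can no longer pay."""
    def receive(self, vault, amount):
        self.received += amount
        vault.withdraw(self)

def drain_result(vault_cls):
    """One withdrawal by a re-entering caller against the given vault;
    returns (amount paid to that caller, funds left in the vault)."""
    vault = vault_cls({"attacker": 1, "alice": 10, "bob": 10})  # constructed
    attacker = ReenteringUser("attacker")
    vault.withdraw(attacker)
    return attacker.received, vault.funds

if __name__ == "__main__":
    print("vulnerable:", drain_result(VulnerableVault))  # (21, 0): drained
    print("hardened:  ", drain_result(SafeVault))        # (1, 20): own share only
```

The hardened variant changes nothing but the order of the three statements, which is why reentrancy is easy to write and easy to miss in review.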
Similar flubs abound in the field of cryptocurrency. Chris Wysopal, cofounder and chief technologist at Veracode, an application security shop bought by CA Technologies for $614 million in cash last year, gave a keynote talk at Collision conference in New Orleans earlier this month in which he provided an overview of the security challenges posed by smart contracts. “The blockchain is really secure, but the things that have to interact with it, those things aren’t secure,” Wysopal told the audience. “It’s probably one of the toughest problems right now” in security, he said.
Although I did not catch Wysopal’s talk in person (you can watch it here), I chatted with him afterward at B.B. King Blues Club and Grill and in between jazz sets at various bars along Frenchman Street. He said that if he were a thief, smart contracts are where he would focus the majority of his attention and energy today. Target the youngest projects with the worst quality assurance processes, the highest valuations, and the weakest defenses. It’s a recipe for success; in this world, baddies no longer have to worry about monetizing the data they steal. They can steal (virtual) money itself.
If you happen to be in New York for blockchain week, temper your enthusiasm with that alarum. It’s what the smartest folks will do.
Have a great weekend.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.