Smart Contract Security Field Guide(scsfg.io) |
What is anyone doing with them that they find really handy?
I've never been able to understand how it gets used / why you would use smart contracts. I've googled and read... still don't grok it.
I've seen so many "benefits" listed, but none make sense to me as far as the process you go through and how it works out in the end. Often it's described as a magic thing that eliminates the use of "intermediaries" and so on. I suppose that is true but you only get to that by going through all the complexity of making sure someone writes a good contract / getting folks from the outside to review and validate it and so on. I'm not sure that saved a lot in the end.
Much like most things blockchain I find these ideas (not bad ones) and then the practical usage ... much less than ideal.
I'm a reasonably intelligent person. My job requires me to learn complex technical details about a bunch of different domains - it may take me a while to grok it all, but I usually can once I do my research.
The thing that is striking to me whenever smart contracts come up is how extremely rare it is to be just presented with a simple, understandable, real-world use case that is an improvement over existing alternatives. Instead, so often you get:
1. Long missives about how the technology is really cool, but that completely sidestep the original question: show me a simple example of what a smart contract is used for.
2. Lots of examples that are only relevant to crypto in the first place (i.e. just speculating on valuation movements in crypto). What I mean by this is that the purpose of finance (at least the intended purpose) should be to provide capital for real goods and services. Pretty much all of the smart contract examples I've seen are just, for example, triggers related to the prices of a bunch of different tokens.
I would honestly be thrilled if someone could just give a simple example of someone actually using this stuff in the real world.
OK, please commence all the "HN just always hates on crypto" non-responses... (this last sentence is sarcasm but also born out of frustration of getting straightforward answers in this domain).
This does seem solvable, right? Because there's only a few APIs (bank transfers, title queries) that are involved in a fully automatic escrow. Such escrow could be provided as a free service by the government, or it might be pay-per-use (and simply cost less than markup from dealerships/realtors).
They are also used extensively in the crypto sub-genre called DeFi, or decentralized finance. One of the most popular implementations is called Aave, which allows one to take loans out (i.e. give the contract Ether as collateral, receive an amount of USD stablecoin in return) on a given set of assets.
Of course every NFT you ever heard of is essentially its own smart contract (specifically one that implements the ERC-721 standard of functions and public variables), though I'm not sure that qualifies as a 'good' use case. ;)
Provide collateral and take out a loan against that collateral. It allows people to act as their own bank. No longer do you have to go to a bank, ask for permission and then get approved for a loan. Now, you can do that yourself, instantly, without any trouble at all. Amazing really.
What are those loans used for today? Well, mostly it is about interest rate arbitrage and providing liquidity. As a super basic example, you can borrow funds at 2% and then lend them out again at 3% and make 1%. It is essentially risk free (assuming the contract doesn't have bugs/exploits).
The larger picture will be to enable people to be their own Kiva's. Crypto often is pushed to 'bank the unbanked', but it is more than just holding money. It is enabling people to borrow against their existing holdings, effectively allowing anyone, globally, to put their savings to work for them, without having to rely on a centralized banking system to do so. This might not be interesting for USA people, but it is especially valuable in countries that don't have a stable banking system.
In Ethereum, addresses appear like 0x233eb...042; ENS lets you associate a human-readable name like nick.eth with that address.
Works similar to DNS, turning IP addresses into something we humans recognize.
What's the pro of using a smart contract? (DNS works without one).
With a smart contract you can have an immutable data store (assuming Ethereum continues) that can give you ownership over your name, like nick.eth.
What's the con?
It's immutable which means people can own names they shouldn't with no mediation process possible.
Like a lot of things in life the system is good as long as the system works for you, but not everyone is lucky enough to exist in a system that works well enough.
Crypto* is trying to make things better.
edit: *some people are, others are not
I knew vaguely about ENS (primarily just by seeing .eth addresses), but your comment led me to dig in to how it works. I think the bit of "eureka" moment I had is that smart contracts are really only useful for shuffling around ownership of "pure data", and then it's up to everyone else to interpret what that data actually means.
That is, for an eth name, it's really just storing an association of the name with another piece of data, and putting a mechanism in place for who gets to control that association (i.e. how bidding for a name works). It's then up to other people to decide how (or whether) they want to "interpret" that association. In my mind it's quite similar to NFTs. All NFTs really store is an association that says "this person 'owns' this other piece of data called X, and that other piece of data X actually refers to this shitty digital image of a bored ape." But, of course anyone else can copy the bits of that shitty digital image and do whatever they want with it - it's only if enough people agree that "yes, that NFT really does mean that shitty digital image" for it to be worth anything.
It also helped me because with most contracts people think about how "things in the real world" need to be verified in order to determine contract performance (did the price of wheat go up, was the vacation rental as advertised), but smart contracts really are quite useless in those examples. But there are some examples where you're just storing pieces of data and you do not care about what happens "in the real world". Thus, I still feel smart contracts are often greatly oversold (and often misunderstood) by their boosters, but there are specific "data-mapping" use cases where they make sense. I also appreciate that you pointed out the downsides of not having a mediation process, which I think many crypto boosters think of as a feature but many people feel is a bug in the real world.
Anyway, you really helped me think about this more clearly, and I appreciate it.
There’s technically no limit to what you can implement, but there’s no killer app yet, and it’s questionable if there ever will be. For me, it’s mostly an interesting piece of tech to learn about.
I thought that was a decently novel use case.
In summary, what PoolTogether (https://pooltogether.com/) does is basically act like a normal savings account, except instead of you getting 4% interest a year or whatever, that interest is all pooled and then given out in big chunks at random - most people get nothing, but "winners" will get what is essentially everyone else's interest. Some notes:
1. I'm not clear what activity they're engaging in that actually generates interest (e.g. who they're lending to in order to generate a spread), but in fairness I didn't spend much going into the details. That said, if they really are generating income by lending, then I'm very curious how they can't suffer from some of the same negative edge-cases inherent in fractional reserve banking, like a run on the bank. If they are not generating real income from lending, I'm very suspect about how they can really be generating interest. Again, I didn't look much into this, so totally admit I could just not be understanding the details here.
2. I see absolutely no real benefit that comes from doing this as a smart contract vs. just doing this as any other kind of normal software (e.g. what core banking software provides), despite what their blurbs on the website say.
So still just dumbfounded by the lack of real utility in any of these smart contract examples I've seen.
Why does the website have a starting sentence that includes:
"a passion project I hold dear to my heart."
What is it about lotteries or smart contracts that have people saying "dear to my heart". The only thing "dear to my heart" is probably my wife and family. I don't know how something related to money could be. And I have a hard time trusting a person that has a passion project dear to their heart related to lossless lottery systems.
One of those issues is of course that people will need to find someone who can read the contract for them, and hope they get it right.
Still, good example that is easy to get, seems like easy to code and work.
You can use a smart contract to eliminate the trust in the intermediary bank, so eliminating that counter party risk
bankC creates a secret number, hashes it and sends it to bankA. bankA sends money to bankB locked to hash. bankB can't get money until they have that secret number. bankB sends money to bankC locked to hash. bankC reveals secret number to bankB to unlock that money. bankB does the same with bankA.
Tada, we eliminated the risk of bankB running away with money. This is the lightning network
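The hash-locked route described in the comment above, as an added example (not code from the thread or from any Lightning implementation). It goes beyond the comment by giving each lock a refund deadline, as hash time-locked contracts do, and shows why the downstream deadline must be the shorter one; the `Ledger` class, the amounts and the deadline values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class HashLock:
    payer: str
    payee: str
    amount: int
    digest: bytes      # hash of bankC's secret number
    expiry: int        # assumption: refund deadline, not in the original comment
    state: str = "locked"


class Ledger:
    """Toy balance sheet standing in for the chain (constructed for this example)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def lock(self, payer, payee, amount, digest, expiry):
        if self.balances[payer] < amount:
            raise ValueError("insufficient funds")
        self.balances[payer] -= amount           # funds leave the payer at once
        return HashLock(payer, payee, amount, digest, expiry)

    def claim(self, lock, caller, preimage, now):
        """Pay the payee if the preimage matches and the deadline has not passed."""
        if lock.state != "locked" or caller != lock.payee or now >= lock.expiry:
            return None
        if not hmac.compare_digest(sha256(preimage), lock.digest):
            return None
        lock.state = "claimed"
        self.balances[lock.payee] += lock.amount
        return preimage                          # a claim publishes the secret

    def refund(self, lock, caller, now):
        """Return unclaimed funds to the payer once the deadline has passed."""
        if lock.state != "locked" or caller != lock.payer or now < lock.expiry:
            return False
        lock.state = "refunded"
        self.balances[lock.payer] += lock.amount
        return True


def run_route(reveal_at, b_expiry=20, a_expiry=30):
    """bankA pays bankC through bankB; returns the final balances.

    reveal_at is the time bankC claims (None = bankC never reveals the secret).
    """
    ledger = Ledger({"bankA": 100, "bankB": 100, "bankC": 0})
    secret = secrets.token_bytes(32)             # bankC's secret number
    digest = sha256(secret)                      # only the hash is shared
    a_to_b = ledger.lock("bankA", "bankB", 100, digest, a_expiry)
    b_to_c = ledger.lock("bankB", "bankC", 100, digest, b_expiry)

    # Without the secret, bankB cannot take bankA's money.
    assert ledger.claim(a_to_b, "bankB", b"guess", now=1) is None

    if reveal_at is not None:
        revealed = ledger.claim(b_to_c, "bankC", secret, now=reveal_at)
        if revealed is not None:
            # bankB learns the secret from bankC's claim and reuses it upstream.
            ledger.claim(a_to_b, "bankB", revealed, now=reveal_at + 1)

    # After the deadlines, anything still locked goes back to its payer.
    end = max(a_expiry, b_expiry)
    ledger.refund(b_to_c, "bankB", now=end)
    ledger.refund(a_to_b, "bankA", now=end)
    return ledger.balances


if __name__ == "__main__":
    print("secret revealed in time:", run_route(reveal_at=5))
    print("secret never revealed:  ", run_route(reveal_at=None))
    print("equal deadlines:        ", run_route(reveal_at=29, b_expiry=30, a_expiry=30))
```

With equal deadlines bankC can claim at the last moment and leave bankB no time to claim upstream, so bankB ends up paying out of its own funds; staggering the deadlines removes that case.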
It is like if there were a detailed blog post about Rust's type system and I was to comment “Why would anyone use Rust when they could use X instead?”
Please stop upvoting this comment.
You will have to read papers, and think about what works and doesn't, over years to understand what is going on. And to be ahead of the curve -- you'll also have to do your own experiments that 9/10 won't yield any interesting results. In the blockchain and 'crypto' industry we also have the problem that entry is easy while skilled execution is not. Consequently: many fuck-ups have happened. It's easy to point to them and say that 'this is the industry' but it's really not. Those are a few bad eggs.
There are some exceptions of course -- one example is "memristors", a very specialized EE concept that claims to revolutionize computing for at least 20 years and yet never does. And if you look at its HN discussions, you'll see mostly skepticism and negativity, kinda like for blockchains.
if you are unable to easily explain it to a human who isn't your profession, it's snake oil.
what's a tooth filling? it's a bio-safe, quick setting, similar plasticity to your teeth enamel.
what's shipping logistics software? it's not wasting an idle or half empty truck.
what's S3? durable object storage.
what's the TLS certificate transparency chain? an append only, low power proof of what the CA's issued. No blockchains or smart contracts involved because it's less expensive and less absurd.
what's sigstore? an append only, low power signing proof of binaries, docker images, git commits, etc. No blockchains or smart contracts involved because it's less expensive and less absurd.
Too many blockchains and smart contracts and such seek to be "the engine" that everything runs on. They want web 3.0 because they want a do-over to be kingmakers.
what's HTTP/HTML? a simple way to exchange data between webservers & web browsers, the universal engine.
The blockchain is less like these and more like Astrology and Palm Reading.
I can not think of a single usable problem that blockchain solves.
https://medium.com/valorize-dao/how-we-are-developing-a-smar...
Because of these properties you can create entirely open market infrastructure that anyone can use, which means reduced compliance costs (measured in opportunity and not money) and regulations for the participants.
On the flip side, the issue is that most people are stupid, don't know shit about what they are doing, and the tech itself is vulnerable to all sorts of race conditions because of flaws in Solidity language and the EVM itself which can enable hacks.
I am personally very sympathetic to the crypto efforts and not as sympathetic with the skeptics, because I find the centralisation of the web by some American players to be more dangerous than some individuals losing their life savings playing on web3.
It's one thing to make a promise to someone. It's another to marry your business procedures directly to immutable code which guarantees to users, employees and partners that the business operates in the intended and described way.
Most of these benefits require your company to be digital in nature, but many asset-based economic systems can benefit from it.
For example, automatic, trustless guarantee of both quality of transport and payment for shipping goods. Sensors in a transport vehicle continually update a decentralized semi-private blockchain, proving that an item never left a refrigeration state, or was not tampered with.
Automatic payment could be achieved by placing the item inside a locked stationary container at point of delivery and validating through this blockchain that all requirements were met.
A system like this could go even further to make guarantees to the end customer, who could verify at point of sale that their food item remained fresh.
I am very, very skeptical your example would work purely with smart contracts for this.
I can think of a bunch of ways where real world interactions would cause all sorts of problems that would have to be sorted out by regular contract law.
When architected correctly (as with pretty much all software), it allows for a service to live (effectively) forever, independent from the creators of the service.
Example: I create a smart contract where everyone can post an IPFS hash to it, with added functionality to be able to post on someone's behalf if they give a signature to do so.
(This simple example is deliberately chosen to be a starting point. More complex functions & services can be derived from this starting point alone.)
If I were to kick the bucket, or if I'm not capable of contributing to its development, the service is still accessible to everyone else. If someone else wants to keep developing the service, they can do so via the contract's defined endpoints.
To me, the positives of this starting point outweigh the technical complexities involved with its development & maintenance. It varies wildly for others, but for me, this is the anchor point from which I can build something that can last long after me.
Smart contracts can be used to build voting systems, multi-signature agreement systems, escrow systems, exchanges etc. But all of these rely on data being in the crypto world e.g. on blockchain.
The most powerful emerging use case for smart contracts is verifying zero knowledge proofs. Using groth16 or PLONK you can compress any amount of information or computation into a constant size proof (constant in both size and verification complexity [1]). This leads to the question, what is the use case for zero knowledge proofs?
TLS notarization: a user can prove they received data from a website by proving the signature in the TLS session. So e.g. i could prove how many twitter (sorry, X) followers i have by proving an element in the HTML that is signed by twitter, or prove that i have a dm with individual X (not the company, a variable meant to indicate some person). This can be extended to proving e.g. bank account balances using TLS signatures. The idea is such a TLS proof can be ingested on the blockchain so anything on the internet can be used as a logical condition for a smart contract. https://tlsnotary.org/
^ a similar case exists for email data verification using RSA
Private user data: companies can track information about users without knowing what information belongs to what user. The idea is, the user data is stored inside a ZK proof and the user manipulates the data in ZK, then provides a proof to the web application that they manipulated it in a way that follows the rules defined by the application. A simple example might be ZKFlix. Each time a user watches a movie they add an entry to their data indicating `moviedId: true`. The web application can store the user state without knowing which user watched which movie. Put more simply, each change to user data is attributed to an anonymous actor. Theoretically it should be possible to build websites with the same functionality of existing websites, but where the website is non-custodial of the user data (this isn't strictly blockchain related). This type of system allows users to make proofs about their application user data and submit them to the blockchain.
^ the more general case is building a state system that exists entirely in ZK and putting a state root on the blockchain. Then anything about the state system can be proven onchain
These are the examples I have off the top of my head (though i do work in this space). I think smart contracts by themselves lack functionality and resort to hacky things like permissioned oracles. Combined with ZK though smart contracts become a financial system that is trustlessly bound to the internet. The hard part is making the internet provable as sequences of polynomials.
Hard agree that the current user experience sucks though. I'm of the opinion that in the future users won't directly interact with the blockchain the same way a user doesn't interact directly with e.g. postgreSQL. If to make an account on a website you had to write an SQL query inserting the row that would be a similarly bad experience to managing your own private key xd
[1]: The scaling isn't strictly constant, but small enough to be considered for practical purposes constant
That’s a pretty obvious killer feature of the internet
The problem is at least in ecosystems such as Ethereum you have a single line of defense, your smart contract code. And that code is written in a poor language with very few security features.
Worse, if something goes wrong you can maybe pause, suicide your contract before your money is gone (which goes against the very principle of the platform) or if you are lucky & worked very hard on this you might have the chance to upgrade your contract.
The result is any contract being used seriously needs to go through a long & very expensive audit by one of the few serious companies in this field.
For now the Ethereum project has been very focused on solving the scalability & decentralization problem but my guess is without big progress on the smart contract security & developer experience front no serious actor will ever consider adopting the platform.
I expect the low-hanging fruit has gone now. And setting up spearphishing attacks to scam teenagers out of their NFTs doesn't seem as noble (or as profitable).
Meanwhile there are still hundreds of millions of dollars of bounties available for white-hats who responsibly disclose.
The dark-hat hackers who aren't held responsible are likely in either Russia or North Korea
Add to that the fact that many of the hacks are largely legal consequence free due to crypto's famous lack of regulation (by design, lol), the economics are far more skewed towards the black hats over the white hats.
For example, here [1] the thesis is that when TVL rises, the probability of being hacked also rises which means that at some point there is no budget that can scale to protect your TVL.
[1] https://bittrap.com/resources/defis-growing-pains:-as-tvl-ra...
Services like code4rena (https://code4rena.com/) and sherlock (https://www.sherlock.xyz/) make audits a public and competitive process with leaderboards that track the best of the best. Naturally those that rise to the top of these leaderboards tend to end up offering boutique auditing services due to projects wanting audits from the best of the best in the business.
Trust (a pseudo-anonymous auditor's handle) launching Trust Security (https://www.trust-security.xyz/) is a perfect example of someone who turned public contest success into a highly sought after auditing firm. There are other examples, but overall smart contract security is undeniably improving over time.
What is ballpark what a company would pay to have a security audit of their website or network for example. So I would guess Ethereum has become an "Enterprise" technology because of the prohibitive cost of security of its applications?
From what I understood originally, blockchain & Ethereum aimed at removing those actors like banks who can afford high cost of licenses, compliance & security of complex systems.
Meaning you could write and execute your will without a lawyer and a court system, or write a smart contract to manage a condominium and its treasury with the other landlords (a $100k audit is out of the question for those use cases).
We are hearing less and less about those use cases and talk more and more about "Enterprise Ethereum" (https://ethereum.org/en/enterprise/) as we find out that developing for the platform will be as complex & expensive as for a big corporation.
Do any of the audits ever come back clean i.e. no detected defects?
Are those audits actually serious and representative of the resources available to a profitable attack? Many smart contracts manage millions, tens of millions, hundreds of millions and up in value. Do they actually do multi-year audits with a team of 5 that come back clean?
Do they seriously believe and publicly state their design processes are better than the best IT systems by Google, Apple, Amazon, NSA, FBI, etc.? Because those organizations can not get clean audits against red teams with multiple people and a few years to work.
That would be an extraordinary claim, do they have the extraordinary evidence to back up that claim? Do they even have any verifiable evidence at all to back up that claim other than more marketing drivel?
If the answer to all of that is not yes, then it all sounds like a house of cards and just more “security” bullshit to me.
These challenges are very interesting https://ethernaut.openzeppelin.com/. The thing is, almost none of these hacks could be possible, if Solidity would be better
Wasn't Ethereum centralized after switching to Proof-of-Stake?
To talk about the more specialized use-cases: there are some truly novel things that can only be done with the blockchain. To give you a direct example -- 'provably fair' gambling enables someone to place bets and know for certain that the result will be fair. This is accomplished by having outcomes enforced for a network of computers instead of trusting some shady website to stay fair. It's basically fully transparent. I know there will be people saying that this is grasping at straws but the list of use-cases is quite long. I don't have time to research and list all the interesting ones here. But if anyone is interested in the subject I promise you that learning more about it won't be a disappointment.
It's just not easy to explain in short-form posts.
Whereas if you want to get those conventional licenses you have to go through mandatory licensing. This means there is unlikely to be a regulatory capture that would introduce licensing terms that would prohibit new players from coming in.
That is objectively a good thing.
It would be hard to compare the smart contract auditing ecosystem with audits of internal processes at those entities you mentioned, because the problem being solved is fundamentally different. Google, Amazon, et al. are protecting access to information stored in data centers, whereas smart contracts are at most a few thousand lines of code that need to work as intended, without clever hackers finding a way to exploit them.
Looking at the leaderboard [1] it looks like the pay out is a few thousand dollars for a “steal all the money” defect. These companies literally want to manage millions of dollars, yet it regularly costs only a few thousand dollars in developer time to steal all the money. And these are the good companies doing audits.
What a joke. It is worse than XP, but at least Microsoft knew they were a laughing stock.
>but why would anyone want to own a personal computer?
Both you and I can effortlessly come up with a dozen or two concrete answers (reality, not hypotheticals) to this question with no preparation whatsoever. Can you come up with just one single example for smart contracts? Reality, not hypotheticals. Heck, I'd settle for hypotheticals that are at least well on their way to reality.
- provably fair gambling, lotteries, etc (otherwise vulnerable to selective scamming)
- p2p asset exchange without centralised deposits (otherwise vulnerable to theft)
- micro-payments and offchain payments (they help to scale the tech)
- flash loans (instant access to unlimited capital)
- escrow (setting up N-of-M access to funds -- this would require a lawyer in real life and still be unreliable)
- streamable pay rolls (when you sign an employment contract -- you get paid after the first week(s/s/s/s) -- you can stream money to employees over time with smart contracts -- this is genuinely novel)
- automated vesting payouts (again -- most employees have to trust their boss to send whatever vested shares they're owed. you can setup a smart contract to do this to minimise trust and ensure you will be paid.)
- provably backed derivative contracts of many different types (conventional financial contracts require the assumption that the exchange can actually back up contract values -- with blockchain smart contracts you can setup 100 - N% fully collateralised positions -- 100% transparent. Recall what happened with game stop recently. Robin hood couldn't do shit if it were a DEX.)
there is one final killer use case for the tech and by itself it's enough to justify it: decentralised markets. most of you remember silk road as a drug market. But believe it or not silk road was about more than just drugs. it was about having the freedom to trade as you saw fit. taking the good and bad as it came. the website sold books, hosting, and many legitimate products and services. of course -- no one ever gives ulbricht credit for that. silk road was the reason bitcoin had any value in the beginning. today there are many more use-cases though.
https://www.truckinginfo.com/10183205/blockchain-once-overhy...
https://www.fedex.com/en-us/about/policy/technology-innovati...
https://www.supplychain247.com/company/blockchain_in_truckin...
A common misconception is that smart contract enthusiasts believe it replaces existing contract law. It doesn't, though in some cases it removes the need for relying on it with digital services. It is meant to enhance the letter of law by adding additional guarantees.
Now, the real kicker, what is the effective cost when _all_ fees are included, because someone has to pay for it and when combining the interest of non-traditional lenders and such fees I highly doubt it'll be cheaper.
Who? Anyone who wants to provide liquidity. Is this different from existing solutions? Yes and no, the difference is that there is no human intervention here... you don't have to ask for permission. You're also dealing with a global pool of funds using open source technology, instead of just a single bank or service.
The only additional "fees" above the interest rate are the cost of a transaction on the block chain. There are certainly a lot fewer hands in the pot and overhead.
Learn more at one of the largest and oldest sites: https://aave.com
You see there is still a whole bunch of steps left out.
This isn't a real risk with correspondent banks. Instead, it's counterparty risk: bankB failing while it holds the funds in transfer. That risk can be mitigated with smart contracts, but it's not eliminated. (Correspondent banks also take a portion of the client bank's fraud and AML risk.)
Bank failing in this context would be the bridge (EDIT: contract) gets hacked. Hence mitigated, but not eliminated.
Cast your mind back to 2008 and hopefully this means that one bank falling over doesn't bring down the whole system.
And they'll get smaller as demand increases?
Don't worry I already know the answer to both is "No".
Ffs....
The most likely way houses and other real world assets will exist is via a 2/3 multisig on the tokens. The 3 participants being: Government, Management Company, User.
If you lose your keys or get hacked you can go to the government + company responsible for the assets and get them back. If the company screws up the users can work with the government to get their assets back.
The advantage of this over a traditional government database is transfers can be made much more efficient because the government doesn't have to be involved in every transfer, they only step in if things go wrong.
The idea that something needs to be simple to be legitimate is not a good one. Some things simply are complex and to say otherwise is to over-simplify them. Or reductionist. Much of the ground work requires questioning assumptions that people are already familiar with and accepted as true. Like the trust assumption in banking.
I can tell you first hand that when I pitched my blockchain startup back in 2013 the very first stumbling block I had was even getting people to understand Bitcoin. So go ahead and tell me that a large, in-depth field must mean it's invalid. I think that's a silly idea.
Note that internal operation does not really matter, only applications do; I might have no idea how CRISPR/Cas works, but I can totally understand some of its applications and why people call it revolutionary.
Medicine
Higher level mathematics
Material science
Chemical engineering
...
There are specialized journals for blockchain tech now.
Maybe 'diverse' would be a better word than 'complex' for blockchain tech because projects aren't all financial. The OP made the claim that he couldn't think of use-cases for smart contracts. The problem isn't that there are no use-cases but that there are too many. What use-cases are there for a language for structuring trust when it can touch so many areas?
Every time we have these threads ignoramuses wander in and expect those in the industry to justify their whole field and area of expertise. Even though from their questions the only thing they know about the industry comes from news headlines and memes. Yet this is what passes for discussion around here. They expect to be spoon fed an entire area of knowledge they know nothing about. And when failing to instantly grasp the years of knowledge people have in this area they declare that it doesn't exist.
I'm over it. Pick up a book.
Every, single, one.
Seems legit and claims to have made one million in 14 months in bug bounties, although he was #1 on some leaderboard. Based on his blog I think he’s probably one of the best in the world at smart contract security so it’s probably not a realistic goal for most people, but assuming the blogger is honest I think you underestimate the potential for top white hats. Certainly the big black hat hacks are far bigger money but a million is nothing to sneeze at especially for no legal or moral risk.
As noted above the firms like chainalysis will continue to uncover and attribute all of the nodes in the graph. If you are taking 100s of thousands or more through fraud the incentives are aligned to see your crimes prosecuted.
However, actors other than law enforcement can also perform chain analysis, and you’d probably prefer to stay anonymous if you engage in such practices…
The goal of the transaction is for the Spanish bank to have access to USD. In the example given, the Spanish bank would then have to take the crypto it got and trust an exchange to give it USD in exchange for the crypto.
How do you get USD to the Spanish bank without trusting a third party?
Maybe the Fed themselves will issue tokens in this way. It's also entirely possible to construct a permissioned, yet decentralized exchange of tokens among whitelisted parties.
Either way USD is never sent trustlessly.
The sender and receiver still benefit from a permissionless, automated, international, instant transfer of funds with a cryptographically certified audit trail. The blockchain runs 24/7 and has no downtime. A token can be fully programmed and fine tuned for whatever parameters need to be checked to authorize a transfer. Those rules are transparent and auditable to everyone involved.
The transfer goes through within seconds and the cost of the transfer does not scale with the value of the transfer.
You have tokens, they sit in a wallet that you control. Let's say you own 10 ETH. Then that is in your wallet. Those ETH are mathematically provable to be in your wallet.
In the case of AAVE, you send your tokens to their contract, they give you back a receipt token which represents how much they owe you. Once your tokens are in their contract, you are free to borrow against the value that is locked up. If you get liquidated due to not maintaining your loan ratio, AAVE just keeps your tokens and your receipt tokens are then invalid.
There aren't any steps left out. It is really on you to read the documentation and bring some understanding around how all this works. I'll point you here: https://docs.aave.com/hub/
I googled and found another good article for you: https://www.leewayhertz.com/how-defi-lending-works/
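The deposit, receipt-token, borrow and liquidation flow described in the comment above, as an added toy model that is not part of the original thread and is not Aave's contract code. The class name, the 75% borrow limit, the 80% liquidation threshold and the prices are constructed assumptions; liquidation follows the comment's simplified description (the pool keeps the collateral and the receipts become worthless).

```python
from dataclasses import dataclass, field

MAX_LTV = 0.75        # assumed: max borrow as a fraction of collateral value
LIQ_THRESHOLD = 0.80  # assumed: collateral weight used in the health check

@dataclass
class ToyLendingPool:
    """Simplified model of the flow in the comment; not Aave's contract logic."""
    collateral: dict = field(default_factory=dict)  # ETH held by the pool, per user
    receipts: dict = field(default_factory=dict)    # receipt tokens, minted 1:1
    debt: dict = field(default_factory=dict)        # USD-denominated debt, per user

    def deposit(self, user, eth):
        if eth <= 0:
            raise ValueError("deposit must be positive")
        self.collateral[user] = self.collateral.get(user, 0.0) + eth
        self.receipts[user] = self.receipts.get(user, 0.0) + eth
        return self.receipts[user]

    def health_factor(self, user, eth_price):
        owed = self.debt.get(user, 0.0)
        if owed == 0:
            return float("inf")
        return self.collateral.get(user, 0.0) * eth_price * LIQ_THRESHOLD / owed

    def borrow(self, user, usd, eth_price):
        limit = self.collateral.get(user, 0.0) * eth_price * MAX_LTV
        if usd <= 0 or self.debt.get(user, 0.0) + usd > limit:
            raise ValueError("borrow exceeds collateral limit")
        self.debt[user] = self.debt.get(user, 0.0) + usd
        return self.debt[user]

    def withdraw(self, user, eth, eth_price):
        # Redeeming receipts must not leave the remaining debt under-collateralised.
        if eth <= 0 or eth > self.receipts.get(user, 0.0):
            raise ValueError("not enough receipt tokens")
        remaining = (self.collateral[user] - eth) * eth_price * MAX_LTV
        if self.debt.get(user, 0.0) > remaining:
            raise ValueError("withdrawal would under-collateralise the loan")
        self.collateral[user] -= eth
        self.receipts[user] -= eth
        return self.collateral[user]

    def liquidate(self, user, eth_price):
        # Only positions whose health factor has dropped below 1 can be seized.
        if self.health_factor(user, eth_price) >= 1.0:
            return 0.0
        seized = self.collateral.pop(user, 0.0)
        self.receipts[user] = 0.0
        self.debt[user] = 0.0
        return seized

def demo():
    pool = ToyLendingPool()
    pool.deposit("alice", 10.0)                # 10 ETH, as in the comment
    pool.borrow("alice", 12_000.0, 2_000.0)    # limit: 10 * 2000 * 0.75 = 15000
    after = pool.health_factor("alice", 1_400.0)  # price drop: 11200 / 12000
    seized = pool.liquidate("alice", 1_400.0)
    return after, seized, pool.receipts["alice"]
```
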
"proves the collateral exists" means who validates the asset doesn't have a standard run of the mill contract/lien/etc?
Just answer that, and _actually_ answer it (the site sure doesn't in any reasonable nor concise manner) and we'll go from there.
Are you asking about an off-chain asset that is brought on-chain? For that, you are correct you need to rely on a socially trusted institution that attests that the off-chain asset isn't actually owned by someone else.
There are some off-chain assets that are tokenized and are very trustworthy, IMO, such as USDC. And then there are a number of purely on-chain assets, such as ETH, MATIC (Polygon), and coins that power protocols like Uniswap and Aave and give the owner of those coins a right to dividends. The blockchain proves ownership of purely on-chain assets directly through cryptography.
I do want to add, you are being pretty combative here towards someone that was genuinely answering your questions.
Oh, I see, you just want a hostile battle and don't want to do any sort of actual conversation around knowledge you refuse to learn on your own.
> "proves the collateral exists" means who validates the asset doesn't have a standard run of the mill contract/lien/etc?
I don't understand this line at all.
So, to start, going to be clear I'm using your specific example of "escrowing funds on purchase of a piece of real estate (and I mean actual, real, real estate)". Simple enough. But, at the end of the day, who is to say "the keys you gave me are really the keys to the house you said you sold me"? That is, there needs to be some way to import to the smart contract ecosystem "yes, these are the keys to the house he sold me, and yes, the seller is the unencumbered title holder of this house". There is no real way to do that without some sort of oracle, and then you've just moved the problem back a step (i.e. you need to trust the oracle).
I happen to think title insurance is vastly overpriced in many states, but that's not the same thing as thinking that title companies (who normally do escrow in the US) don't serve a very important purpose. Most importantly, they ensure the seller is the actual title holder. And I can hear the crypto fans saying "Well, if you just held that title on a blockchain, there would be no ambiguity about who owns it." But that just pretends that all the real world examples don't exist, like a contractor who puts a lien on a house because he claims he wasn't paid. Also, in the real world, if someone steals the key to your house, it's not usually that hard to evict them and change your locks. In the crypto world it's "sorry, finders keepers".
So again, this simple example just falls apart on further inspection. Very happy to hear why any of the rationale I've given above is not correct.
Correct, but in its place is a new systemic risk with a real-world nonzero probability: the contract itself getting hacked. There isn't an analogy for this in modern banking since the equivalent issue would either (a) get rolled back or (b) fold into the bank failing envelope. (There is an analogy in pre-modern banking, though it largely revolved around debasement and invasion.)
Are these ACTUALLY the keys to this house? Are they the only set? The original set? Were the locks changed, and this set in the contract is no longer valid?
Then putting aside all of that... How do you ENFORCE a "smart contract"? Probably through... Existing contract law. Because that's what it's there for. Smart contracts are just more convoluted paper, and we can do that already with DocuSign or any number of other digital contract options - all of which provide, so far as I can tell, precisely the same level of verification that a smart contract does. The only "advantage" of a smart contract over those platforms is that the history of the "document" is more or less baked into the chain, instead of trusting that the third party platform hasn't modified it... Which they will never have any motivation to do...
People have been initialing pages to mark them as read/accepted for more years than I've been alive. In the event of a contract dispute, smart contract or not, it's going to be up to a third party (mediator, judge, etc.) to decide on resolution anyway... At which point even the exact wording of the contract may well be discarded as being unenforceable because _contracts are not above the law_.
In a legal system this vague, smart contracts simply do not have a niche.
Responding to you but this applies to lots of stuff in this thread. Quoting Wikipedia, "a smart contract is a computer program or a transaction protocol that is intended to automatically execute, control or document events and actions according to the terms of a contract or an agreement. The objectives of smart contracts are the reduction of need for trusted intermediators, arbitration costs, and fraud losses, as well as the reduction of malicious and accidental exceptions."
How can anyone possibly object to this technology as if it were a) impossible or b) useless? In the next sentence we get into "commonly associated with cryptocurrencies", but I think the main idea is already there in the opening. There is no strict requirement for whatever implementation details that you love to hate (blockchain, digital goods, digital titles, web3, etc).
Sure, and of course this is desirable. The "oracle" is a trusted external API (the bank, the DMV, the municipality, whatever). Some people may not like that these institutions are the arbiter of ownership or whatever, but of course we expect to be able to trust these institutions more so than strangers from craigslist.
I haven't mentioned anything about "digital keys" to the house, or "titles on blockchain", or the US specifically, you brought up all that and then argued against it. Honestly, I'm not really a crypto-bro, just a guy who's had trouble with exactly this kind of transaction. And I'm not personally invested in ideals like radical decentralization, or implementation details like super pure smart-contract ecosystems that disallow external oracles. I just want less friction AND less risk when I'm trying to buy a motorcycle on craigslist, or a house in an arbitrary (i.e. potentially non-US) jurisdiction.
But the fundamental raison d'être of smart contracts (i.e. that they are "trustless", that "code is law", there is no intermediary) do not really support the use case that you are describing.
There will be use cases where people simply prefer blockchain over the legacy alternatives because it's cheaper, faster or better and there will be "whole new world" use cases.
It is very easy for me to explain and understand the benefit of ordering over Amazon vs. going to a physical store. When Amazon first showed up, I didn't think "Gosh, what is this really for?" or "Can somebody explain to me, simply, what Amazon is for?" No, I went to amazon.com, browsed a giant selection of books, ordered one and it showed up at my house a couple days later. "Wow, that's awesome" I thought.
If you say "There will be use cases where people simply prefer blockchain over the legacy alternatives because it's cheaper, faster or better and there will be "whole new world" use cases." then why is it so difficult for anyone to say what those use cases actually are?? You say it will be "cheaper, better, faster", but are able to offer no concrete examples or rationale as to why.
In the real world, there can be disputes after the sale. The property might have some horrible undisclosed effect. You might have stolen it. Or something else along those lines.
Securely swapping a bag of cash for some keys is solving the trivial part of the problem, and ignoring the rest.
The blockchain will do its thing and give you the title to a house infested from top to bottom with termites, but everything went according to the smart contract, so as far as the blockchain is concerned there's no problem to be solved.
These are human problems.
It really is a solution in search of a problem.
This is an interesting point. The way I think about this is, if we can ignore for a second the bitcoin-related baggage of smart-contracts as a concept, then there's still a lot of overlap with related concepts like open government and automated legal reasoning. So I'm curious if you think of those things as also intractable. Also, blockchain isn't some magic wand that replaces the need for other data structures. Why should partial or even doubtful ownership be impossible to model and do secure/verifiable/conditional compute on?
That is not necessarily true. Often, one or more of the closing documents addresses this very issue, attesting that there are no such known claims and/or assigning any unknown ones to you as the new owner. Liability is part of ownership, after all, and all ownership is "just a legal filing" unless it's backed by force. While it's true that a real estate transaction is not the same as a transfer of a physical thing, dismissing such transactions as fictional is a bit sophist.
And the fact you don't understand that line is the proof you don't know enough about traditional contracts to be able to compare them to smart contracts.
Seriously.... you've just done more to prove to me that you crypto folks are generally just ignorant of real world issues.
I didn't know I was supposed to "prove" anything to you or handhold you on reading even the basics of the available documentation. All I have to say is your loss for not making the effort on your own and being so negative and combative. Good luck sir.
https://www.lawinsider.com/dictionary/encumbrance
Educate yourself.
You do see the glaring issue there right?
As for combative, I am beyond tired of the games played by crypto folks when it comes to answering basic questions they should already have the answers for.
If they don't answer the simple questions with clear and simple answers, then why should I act as though they are acting in good faith, let alone actually educated on the topics they claim the tech solves to know whether it solves a problem at all? Because from my perspective they sure as hell aren't.
Ed: oh I forgot to include the other major issue that undermines even on chain encumbrance, that is the fact that a preceding off chain encumbrance takes precedence in court and thus even if the SC executes properly the funds may be taken by the courts as a consequence of preexisting encumbrance and thereby undermine the entire value proposition of the SC.
Because it doesn't work, nor do I believe it ever really can work, at least as it's largely advertised. I mean, you just read the description from Wikipedia and are basically saying "How can people object to this idea?" That's like reading about all the great things flying cars can do and then saying "How can anyone object to flying cars?"
The point is that I (and many others, but I'll only speak for myself) do not believe that the utility the crypto boosters like to tout about smart contracts is technically feasible, at all, for most of the things we use contracts for in the real world.
We could debate whether this is a cheaper/easier/safer approach than trusting a law firm/banks/clergy/clerks to execute things on your behalf. But it's absurd to say that this is not possible (because every part of this is already done), or that it is not useful (it has exactly the same use-case as a classic will, but moves trust from a law firm to a cloud provider).
What you are describing is simple API automation. Nobody describes what IFTTT or Zapier can do as a smart contract, yet that is literally exactly what you have described.
I'll end my replies here. This is a circular non-productive 'conversation'. It is clear reading your past comments here that everything is negative from you, which is really strange to me. Seriously, have a great day, but I'm done.
The definition for the word encumbrance is literally the opening line and is the exact issue at hand that you refuse to address.
To quote it:
"Encumbrance means any charge, claim, community property interest, pledge, condition, equitable interest, lien (statutory or other), option, security interest, mortgage, easement, encroachment, right of way, right of first refusal, or restriction of any kind, including any restriction on use, voting, transfer, receipt of income or exercise of any other attribute of ownership."
How does AAVE or any other smart contract ensure there are no outside encumbrances?
It has to use human third parties and pay those fees, on top of the SC fees.
Really, you're just proving to me that folks promoting this garbage are childish, ignorant and baselessly arrogant.
And BTW, You are the one running in circles. I've been asking you the same question without getting an answer for several comments now...
No, it doesn't. This can be codified into contracts and automated. Voting in the DAO ensures no single point of failure.
Shrug. So now we've moved through your criticisms of "it's not possible" and "it's not useful", and we're splitting hairs about whether it's in the right category. It seems like you want to have a conversation where "smart contracts" means exactly/only Ethereum as it exists today. If you're asking about the use-cases of abstract technology, and then pivot to insist that discussion revolves around existing brands/implementations, it feels like you're moving the goal-posts. You're of course free to insist that smart-contracts ARE Ethereum and vice versa, but ironically when you do that you're a clear victim of marketing, and you're essentially endorsing the branding that you claim to dislike!
If "mere API automation" is disqualified as "smart contracts" according to your definitions because it isn't blockchainy enough, and if everything that IS blockchainy is disqualified as stupid or a scam, then I guess you win debates before they start. But that's just not a very interesting conversation for anyone else.
FWIW, Ethereum does have a concept of oracles (https://ethereum.org/en/developers/docs/oracles/). I wonder if Ethereum and Zapier did have a lovechild, would you call it a smart-contract then? Do we need the contract AND the decision-data AND the assets to be blockchained, or can we blockchain a subset and still call it a smart-contract?
A mix between Zapier, plus something like Ethereum, together with legislation that requires open-APIs for critical services is probably exactly what we need to satisfy tons of practical real world use-cases. That's what you claimed to be interested in, right?
Feel free to call a giraffe a dog and then get upset when people point out that nobody else calls that thing a dog.
And that's without even addressing actually checking for encumbrance of the asset, which then makes the whole thing no different than traditional contracts except for much higher costs, an inability to readily modify without significant expense (if at all), and more.
Without checking for encumbrance off chain the entire value proposition of an SC is a joke, as what the code says doesn't matter when a preexisting encumbrance applies. (Ed: This applies to on chain assets as well)
And if you're going to say it's not for off chain assets then all you're saying is that one essentially can only use existing crypto to secure a crypto loan, which undermines the point of the loan ever being obtained.
Pretty sure my loans are perfectly not undermined.
All you're doing now is acting childish afaict, which just reinforces the view you've given of your position being based in immaturity, ignorance and idiocy.
Reread the thread and address the issue explicitly stated or just stop and accept your position is a failed one.