EU Data Law Proposal Could Radically Change Blockchain Smart Contracts

A draft of the European Union Data Act would require a smart contract kill switch that could have a profound effect on the use, and even usefulness, of commercial blockchain technology.

Smart contracts are self-executing agreements that, once created, are effectively unchangeable and unstoppable. They’re written onto an immutable blockchain, notably Ethereum, in an “if-X-then-Y” language, and they generally have any cryptocurrency to be used for payment locked into the contract when written.

This makes them “trustless” in industry parlance — meaning the parties can make transactions without having to trust each other or a third party like a bank because the trust is written into an immutable contract, the payment has been made, and the terms under which it will be turned over have already been specified.

That means no chargebacks, refusals to pay, failure to turn over the goods or services in question or attempts to change the terms in the middle of the transaction. This also allows the contract to be made and carried out between anonymous parties.

Many smart contracts are starting to use “oracles” — blockchain-based information sources that are agreed in advance to be trustworthy. For example, a bet on a football game could use ESPN scores, or a farm crop insurance policy could tap into the National Weather Service’s temperature reports.

However, the new Data Act proposal would require that the parties be able to cancel the contract or change its terms, which would undercut the exact reason they are valuable as a commerce tool.

After all, there’s not much point in using blockchain if you take away the “trustless” nature of the transactions. All you’re really left with is an agreement written on a decentralized database as opposed to one controlled by a bank, law firm or corporation.

But How?

Law professor Thibault Schrepel, a blockchain expert who teaches at Stanford University, Sciences Po Paris and the Sorbonne and advises the World Economic Forum, called the data law proposal “absolutely huge” as well as “controversial” on Twitter Friday (Feb. 25).

“It imposes smart contracts (that make data available) to be stoppable,” he tweeted. “So, basically, all oracles shall be redesigned (but how?) or else they will infringe the law.”

Schrepel added, “To be clear, the data act (if confirmed as such) outlaws millions of smart contracts — that cannot be redesigned.”

Specifically, Article 30 of the EU’s proposed Data Act says that smart contracts must ensure that “a mechanism exists to terminate the continued execution of transactions: the smart contract shall include internal functions which can reset or instruct the contract to stop or interrupt the operation to avoid future (accidental) executions.”

It also mandates that smart contracts have “a very high degree of robustness” to prevent such errors.
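
A minimal Solidity sketch of the kind of termination function Article 30 describes, with an expiry so locked funds can always be recovered. This is an added example, not code from the Data Act, PYMNTS or any project named in the article; the contract, the `guardian` role and all function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration; every name here (KillSwitchEscrow, guardian, terminate) is hypothetical.
contract KillSwitchEscrow {
    address payable public immutable buyer;
    address payable public immutable seller;
    address public immutable guardian; // assumed holder of the kill switch
    uint256 public immutable deadline; // expiry so funds cannot stay locked forever
    bool public terminated;
    bool public settled;
    event Terminated(address indexed by);

    constructor(address payable _seller, address _guardian, uint256 _duration) payable {
        require(msg.value > 0, "no payment locked");
        buyer = payable(msg.sender);
        seller = _seller;
        guardian = _guardian;
        deadline = block.timestamp + _duration;
    }

    // Kill switch: one-way stop of any future release to the seller.
    function terminate() external {
        require(msg.sender == guardian, "not guardian");
        require(!settled, "already settled");
        terminated = true;
        emit Terminated(msg.sender);
    }

    // Normal path: the buyer confirms delivery and the locked payment goes to the seller.
    function release() external {
        require(msg.sender == buyer, "not buyer");
        require(!terminated && !settled, "stopped or settled");
        require(block.timestamp <= deadline, "expired");
        _payout(seller);
    }

    // Exit path: after termination or expiry the locked funds return to the buyer.
    function refund() external {
        require(!settled, "already settled");
        require(terminated || block.timestamp > deadline, "still active");
        _payout(buyer);
    }

    function _payout(address payable to) private {
        settled = true; // state change before the external call (checks-effects-interactions)
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}
```

Whoever controls `guardian` can unilaterally block payment to the seller, so the parties must trust that key holder; a contract deployed without such a function cannot have one added afterward.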

Not Unreasonable

There’s a good reason for the EU’s actions in that poorly written contracts can have unintended consequences.

There’s a growing field of specialization in both the blockchain development and legal communities aimed at ensuring the terms really say what the parties think they do, as so-called smart contracts aren’t actually that smart and are written in a programming language, not legalese. A logic flaw could make a contract incompletable, potentially locking the prepaid funds away forever, or allow one party to deliver something other than what was intended.

Many are written with expiration dates for the contract’s terms to be fulfilled for exactly this reason — and many of the major decentralized finance (DeFi) hacks have been based on poorly written smart contracts.

The $326 million theft from blockchain transaction bridge Wormhole Feb. 2 was the result of a smart contract language flaw.

The theft was a result of a language flaw that let the attacker create fake tokens on one chain (Solana) and trade them for real ones on the other (Ethereum). It was the fourth-largest crypto theft of all time, according to leading blockchain intelligence firm Elliptic. While Wormhole’s backers repaid users’ losses, many such attacks take place after control has been turned over to a decentralized autonomous organization (DAO) with no central controller to turn to — or to sue.

The $120 million BadgerDAO hack in December fell into this category. And seeing as the only way to update the code of a DAO-run blockchain project is with a vote that can require a week or more to conclude, some holes cannot be patched even after they are found and publicized.

And it’s worth noting that virtually all blockchain decentralized applications (DApps) are built on very complex smart contracts — all programming languages use an “if-then” format — meaning everything from decentralized exchanges to blockchain games, supply chain management platforms, and even metaverses could be impacted.

The only way to change any information on a blockchain is to add new information. That would apply to smart contracts, but with a twist. Those already in force would have to run their course as there is no other way to get the payment funds locked into them out.

But the existing contracts themselves could be illegal and unenforceable if the EU’s Data Act goes into force as written.
