Smart Contracts: The Code That Runs Crypto

What a Smart Contract Is

A smart contract is a program stored on a blockchain. It has an address, just like a wallet. Users can interact with it by sending transactions that call its functions. The blockchain runs the code. All nodes execute the same code on the same inputs and get the same outputs. The resulting state change becomes part of the blockchain.

The defining property is that execution is automatic and deterministic. Once deployed, the contract does exactly what its code specifies, every time, without any human operator. "Smart" is marketing; contracts aren't intelligent. What they are is self-executing. If a loan contract says "liquidate if collateral value drops below 150%", then when the price feed shows that condition, the liquidation runs. No manager has to approve it. That price feed has to come from somewhere off-chain, which is the job of oracles: contracts can't reach the outside world on their own.

This programmability is what enables DeFi, stablecoins, DAOs, and every other on-chain application. Bitcoin's scripting language is deliberately limited. Ethereum's expanded the design space dramatically by making contracts Turing-complete.

How Smart Contracts Run

The Ethereum Virtual Machine (EVM)

Ethereum introduced the EVM as a sandboxed execution environment that runs on every Ethereum node. Contracts are compiled to EVM bytecode and deployed to the chain. When a transaction calls a contract function, every node executes the bytecode and validates the result.

The EVM is deterministic. Given the same state and the same input, every execution produces the same output. This is essential for consensus. Nodes must agree on what happened.

Gas

Every EVM operation costs gas. Gas is a unit of computational work. Complex operations (storage writes, loops, cryptographic checks) cost more gas than simple ones. Users pay for gas in ETH (on Ethereum) or the native token of whichever EVM chain they're using.

Gas exists to prevent denial-of-service attacks. Without it, anyone could submit infinite-loop contracts that would halt the network. With gas, any execution is bounded by the gas limit set in the transaction.

Our guide to Ethereum gas fees covers the gas market in more detail.

State and Storage

Smart contracts maintain state: variable values that persist between transactions. The contract's state is part of the blockchain. Reading state is free (full nodes have it locally). Writing state costs significant gas.

Storage is expensive specifically because every node has to store every contract's state. Chains with aggressive storage pricing (Ethereum historically) force developers to optimize. Chains with cheaper storage (Solana) allow more on-chain data but impose higher validator hardware requirements.

EVM vs Non-EVM Chains

EVM dominance exists because Ethereum came first and built the largest developer ecosystem. Most DeFi protocols launched on Ethereum; most Ethereum L2s chose EVM compatibility to inherit those protocols; most alt-L1s that wanted DeFi adoption also chose EVM compatibility.

Non-EVM chains argue their VMs are more efficient (Solana) or safer by default (Move-based chains). These chains have growing ecosystems but fewer total applications than EVM.

What Smart Contracts Enable

Decentralized Finance (DeFi)

Lending protocols (Aave, Compound), decentralized exchanges (Uniswap, Curve, Balancer), derivatives platforms (GMX, dYdX, Hyperliquid), and yield strategies are all smart contracts. Users interact with code rather than custodians. Our guide to DeFi TVL covers the scale of on-chain finance.

Stablecoins

USDC, USDT, and DAI are all smart contracts. Circle mints USDC by calling a contract function. DAI is minted entirely by Sky's Maker contracts. Stablecoin freezing, pausing, and upgrade mechanics are contract-level features.

NFTs

The ERC-721 standard (and newer variants) defines how non-fungible tokens work on Ethereum. A Bored Ape is a token ID in a specific contract. Ownership, transfers, and metadata all live in that contract. ERC-721 is one of several token standards that let any wallet or marketplace interact with a contract without custom code.

Governance

DAO governance happens through voting contracts. Token holders vote on proposals; passed proposals execute automatically through governance-controlled smart contracts. Uniswap, Aave, and Maker all run this way.

Cross-Chain Bridges

Bridges lock assets on one chain and mint representations on another. The lock/unlock logic is smart contract. Bridge hacks are the largest category of crypto theft.

The Immutability Problem

Once a contract is deployed, its code cannot be changed. This is a security feature (no one can maliciously alter the contract) but also a liability (bugs are permanent).

Protocols typically work around this through proxy contracts: a lightweight contract that forwards calls to an implementation contract. Upgrading means pointing the proxy at a new implementation. This requires careful governance or admin controls and creates a different attack surface (whoever controls the upgrade can change the contract behavior).

The tradeoff between immutability and upgradeability is fundamental. Truly immutable contracts (no proxy, no admin) are safest against insider risk but can never be fixed. Upgradeable contracts are flexible but carry governance risk.

Smart Contract Security

Smart contracts are notoriously hard to secure. They are:

• Public: anyone can read the code
• Valuable: often holding millions in user funds
• Composable: interacting with other contracts in ways developers didn't anticipate
• Immutable: bugs cannot be patched

Major exploit categories:

• Reentrancy: a contract calls another contract, which calls back before the first finishes updating state. Classic exploit pattern (DAO hack, 2016).
• Oracle manipulation: attacker manipulates a price feed the contract relies on, then exploits the contract at the manipulated price. Decentralized oracle networks like Chainlink exist to harden contracts against exactly this attack.
• Flash loan attacks: attacker borrows millions of uncollateralized tokens for one transaction, uses them to manipulate markets or governance, repays within the same transaction.
• Access control bugs: functions that should be admin-only but aren't, allowing anyone to drain the contract.
• Logic errors: math mistakes, unit mismatches, edge cases developers missed.

Aggregate crypto losses to smart contract exploits exceed $7 billion cumulatively across bridges, lending protocols, and DeFi platforms.

Audits and Verification

Mitigations include:

• Professional audits: firms like Trail of Bits, OpenZeppelin, Spearbit, ConsenSys Diligence review code before deployment. Good audits cost $50K-$500K+ and don't guarantee safety. Multiple audits catch more bugs than single audits.
• Formal verification: mathematical proof that the code matches a specification. Expensive but increasingly used for high-value protocols.
• Bug bounties: protocols pay for responsibly disclosed vulnerabilities. Major bounties reach $10M+ at Immunefi for critical bugs in systems holding billions.
• Timelocks and monitoring: admin actions pass through delays, giving community time to review before execution.
• Insurance: Nexus Mutual, Sherlock, and others offer coverage against specific contract risks.