I’m still the kind of person who buys $500 worth of Dogecoin and, one day later, panic sells at a 30% loss. That’s why I’ve developed Ethereum smart contracts that make speculating on cryptocurrencies less stressful. Locker smart contracts allow me to freeze crypto assets and only release them when enough time has passed or the price has reached a predefined value. This approach sacrifices liquidity for peace of mind, and for me, that’s a perfect tradeoff! In this article, I’ll describe this project and the risks associated with using it or basically any Smart Contract.
Disclaimer: The information provided in this blog post is for educational purposes only and should not be treated as investment advice.
The crypto scene is rife with scams and exploits siphoning billions in user funds. Despite that, I kind of see it as the only tech that can be “trusted”. Ethereum Smart Contracts are literally the only existing technology guaranteed to work as programmed.
Of all the popular smart contract technologies, Ethereum is the only one that enables a standard user to run a full node. The network nodes of all the “Ethereum killers”, on the other hand, are either centralized or require processing power and DevOps expertise accessible only to well-funded entities. As a result, their network consensus is governed by a few centralized actors rather than a decentralized community. You can check this tutorial for more info on how to run your own Ethereum full node.
Obviously, “I’m in it for the technology”. I’ve become attracted to crypto as a tech rather than a casino after getting all my bank funds repeatedly locked. It is enough to send one transfer too many to Revolut to trigger a complete lockdown of all my accounts and credit cards. “Risky transaction…” they said. Getting my funds unfrozen usually takes ~30min on a bank support line. But the idea that all my finances can be locked at the whim of a single centralized entity is disturbing…
You’ve probably heard about Canadian anti-vax trucker supporters getting their accounts frozen without any judicial order. In Poland, we’ve also had our taste of a digital prison. People protesting against anti-abortion laws got their bank accounts blocked for “breaking the pandemic sanitary regulations”. Or the case of Ukrainian refugees seeing their EUR account balances automatically converted to UAH with a special exchange rate spread “because war”.
Diversifying a part of funds in a layer that’s unreachable by a state-level 3rd party seems like a reasonable idea. Since this revelation, I’ve started seeing the crypto price ups and downs as a “tax for safety” rather than a chance for speculation.
So much for the digression. Let’s move on to the risks of using the Locker or basically any smart contract.
Can you trust Smart Contracts?
Different layers of trust could be broken and cause the loss of tokens you deposit into smart contracts.
Bugs and deliberate scams
To start with, the contract author could be a scammer or a clumsy blockchain dev. So the Locker source code could contain a sneaky loophole or bug causing the loss of your funds. The open-source nature of Ethereum Smart Contracts is the best remedy for these risks.
Before you deploy the contract or interact with an already live instance, you can always analyze the source code. But currently, it requires a significant dose of expertise. Locker smart contracts are relatively simple, maxing out at 200 LOC with minimal external dependencies. But most DeFi projects are endless blobs of code that are impossible to analyze single-handedly. A potential revolution in the safety of Smart Contracts could be the advent of AI. ChatGPT seems to be proficient in analyzing security issues of Ethereum smart contracts. An AI-based service listing potential risks of any smart contract interaction (maybe even integrated into your wallet!) could be just around the corner.
The contract’s external dependencies and logic introduce another risk factor. In the case of Locker, it “trusts” the provided ChainLink oracles to report the correct price of the target token. The user selects an oracle address himself when configuring the deposit. The only risk is that oracles could be abandoned and not update the price correctly. In that case, your tokens would be released only after the lockup period.
In the case of more complex smart contracts, external risk factors are often significant. For example, the creator of an ERC20 token could grant himself the power to print unlimited units and tank the price at your cost. Given the complexity of DeFi smart contracts, spotting similar risks is non-trivial. Hopefully, AI will be able to help standard users make more sense of these issues.
Another layer of trust is how one can interact with the contract instance. Locker does not offer any front-end UI. You have to interact with it directly on Etherscan or use a programmatic API. Interacting with any DeFi project featuring a custom frontend is a risk factor. Exploits targeting the frontend layer of the smart contract stack could alter where your funds are sent. Or a malicious browser extension can change the frontend code of an otherwise trustworthy web3 domain.
The best way to reduce the risk of interacting with any smart contracts is to use minimum ERC20 approval limits. Metamask has recently improved its UX by allowing users to input approval limits manually. Before that, the approval limits were implicitly unlimited, allowing attackers to withdraw all your assets.
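The check a wallet or script can run before signing an approval, as an added example that is not part of the Locker project: it decodes ERC20 `approve(address,uint256)` calldata and rejects an unlimited allowance, an allowance above the planned deposit, or an unexpected spender. The spender address and amounts are constructed sample values, and `reviewApproval` is a hypothetical helper name.

```javascript
// Added example: inspect ERC20 approve() calldata before signing it.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the value an "unlimited" approval carries

function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  // 4-byte selector + two 32-byte ABI words = 68 bytes = 136 hex characters
  if (!/^[0-9a-f]*$/.test(hex) || hex.length !== 136) return null;
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  // An ABI-encoded address is left-padded with 12 zero bytes
  if (!/^0{24}/.test(spenderWord)) return null;
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72, 136)),
  };
}

function reviewApproval(calldata, intendedAmount, expectedSpender) {
  const call = decodeApprove(calldata);
  if (call === null) return { ok: false, reason: "not a well-formed approve() call" };
  if (call.spender !== expectedSpender.toLowerCase())
    return { ok: false, reason: "spender is not the contract you meant to approve" };
  if (call.amount === MAX_UINT256)
    return { ok: false, reason: "unlimited allowance" };
  if (call.amount > intendedAmount)
    return { ok: false, reason: "allowance exceeds the amount you plan to deposit" };
  return { ok: true, reason: "allowance within limit" };
}

// Constructed sample data: a placeholder spender and a 500-token deposit (18 decimals).
const SPENDER = "0x" + "ab".repeat(20);
const PLANNED = 500n * 10n ** 18n;
function buildApprove(spender, amount) {
  return "0x" + APPROVE_SELECTOR +
    spender.slice(2).padStart(64, "0") + amount.toString(16).padStart(64, "0");
}
const unlimited = buildApprove(SPENDER, MAX_UINT256);
const exact = buildApprove(SPENDER, PLANNED);

console.log(reviewApproval(unlimited, PLANNED, SPENDER));
console.log(reviewApproval(exact, PLANNED, SPENDER));
```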
A government could, in theory, censor any smart contract address. So far, the most famous case of government sanctioning a piece of autonomous software was Tornado Cash. Apparently, you can also go to jail for writing open-source code.
The fight against decentralized finance may intensify. For example, the EU is currently brewing new restrictions for Smart Contracts. But, despite sanctions from the US government, the Tornado Cash smart contracts are still regularly used. It shows that cryptocurrencies excel at their core value proposition of being uncensorable even by government-level actors.
All the centralized elements of Tornado Cash, like the frontend interface, domain, and GitHub repos, were successfully taken down. But it’s still possible to access the immutable Tornado Cash smart contracts using a proprietary Ethereum full node or censorship-resistant relay providers.
Any smart contract interaction is risky. There’s no edit/undo button for incorrect transactions. Ask the guy who burned 500k USD by incorrectly unwrapping WETH. If you misuse a Smart Contract and lose funds, even Metamask Twitter Support will be unable to help you.
Now that we’ve briefly covered the risks, let’s move on to the Locker smart contracts.
Locker smart contracts
There are four different flavours:
Locker can be used to freeze any ERC20 token and is accessible by any account. Your funds will be deposited into the same contract address as other users. But, each user can only withdraw his tokens. The benefit is that you don’t have to deploy the contract instance yourself. ETH can be held by this contract only in its ERC20 format, i.e., as WETH. To use price conditions for release, you must provide a correct ChainLink price oracle address.
[Warning] Do not transfer ERC20 tokens directly to this contract instance or they will be lost! You have to use a dedicated deposit method. Also, do not use this contract for storing rebasing tokens like stETH or rETH. Stored token balance is determined once when depositing the token. It means that rebased reward will get stuck in the contract forever.
LockerETH works the same as Locker but only for standard ETH instead of ERC20 tokens. It uses a predefined ChainLink ETH/USD price oracle. It’s also publicly accessible.
LockerPriv works as your private vault for ERC20 tokens. Only the deployer account can interact and deposit funds into it. The downside is that you have to pay the costs of releasing it. With Mainnet gas prices at 20 gwei and the price of ETH hovering around $2000 it costs ~$100. Alternatively, you can use one of the L2 layers to reduce the deployment cost. For example, on Arbitrum L2 it costs ~$5 to deploy an instance of this Smart Contract.
As you can probably guess, LockerETHPriv is a private vault for storing standard ETH. Just like in the case of LockerPriv, you have to deploy it yourself.
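The warnings given for Locker (direct transfers are lost, rebase rewards get stuck, an abandoned oracle leaves only the time-based release) follow from recording the deposited amount once. The model below is an added illustration, not the Locker contract source; the class, its method names, the one-deposit-per-user rule and the "price at or above target" condition are assumptions.

```javascript
// Added model of the accounting rules described above; not the Locker contract source.
class LockerModel {
  constructor() {
    this.deposits = new Map(); // user -> { amount, unlockAt, targetPrice }
    this.tokenBalance = 0n;    // balance the ERC20 token reports for the contract
  }
  // Dedicated deposit method: the amount is recorded once, at deposit time.
  deposit(user, amount, unlockAt, targetPrice) {
    if (this.deposits.has(user)) throw new Error("deposit already exists");
    this.deposits.set(user, { amount, unlockAt, targetPrice });
    this.tokenBalance += amount;
  }
  // Plain ERC20 transfer to the contract address: balance grows, nothing is recorded.
  directTransfer(amount) { this.tokenBalance += amount; }
  // Rebasing token: every holder's balance is scaled by num/den.
  rebase(num, den) { this.tokenBalance = (this.tokenBalance * num) / den; }
  // Release when the lockup has passed OR the oracle price reached the target.
  canRelease(user, now, oraclePrice) {
    const d = this.deposits.get(user);
    return Boolean(d) && (now >= d.unlockAt || oraclePrice >= d.targetPrice);
  }
  withdraw(user, now, oraclePrice) {
    if (!this.canRelease(user, now, oraclePrice)) throw new Error("still locked");
    const { amount } = this.deposits.get(user);
    this.deposits.delete(user);
    this.tokenBalance -= amount; // only the recorded amount leaves the contract
    return amount;
  }
  // Tokens the contract holds that no deposit record can claim.
  stranded() {
    let owed = 0n;
    for (const d of this.deposits.values()) owed += d.amount;
    return this.tokenBalance - owed;
  }
}

// Constructed scenario: an abandoned oracle stays at 2000 while the target is 3000.
function runScenario() {
  const locker = new LockerModel();
  locker.deposit("alice", 1000n, 1000, 3000n);
  locker.directTransfer(50n);   // sent without deposit()
  locker.rebase(105n, 100n);    // 5% rebase reward: 1050 -> 1102
  const beforeUnlock = locker.canRelease("alice", 999, 2000n);
  const paidOut = locker.withdraw("alice", 1000, 2000n);
  return { beforeUnlock, paidOut, stranded: locker.stranded() };
}
console.log(runScenario());
```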
I hope the post has helped highlight the risks of using Smart Contracts. Please remember that crypto and DeFi are risky, and you can easily lose all your funds.
But cryptocurrencies are here to stay. UX and general appeal are only about to improve. The worst-case scenario is that hostile governments might slow adoption for a few years until there’s a shift in power. So safely stashing your coins could be a strategy to wait out turbulent times.