Blockchain networks are a new technology with the potential to change the way we organize work, manage trust and risk, and guard value. Smart Contracts and DApps are the software programs and interfaces that enable these fascinating possibilities, which extend far beyond “cryptocurrency”. As with any pioneering technology, there are both compelling benefits and potential risks.
What exactly are DApps?
DApps (Decentralized Applications) are computer software programs that combine User Interfaces with blockchain Smart Contracts to facilitate a wide variety of uses. Just like apps on your phone, or programs on your computer: these too are just software programs with a pretty face. Smart Contracts themselves are software; to “Run” a Smart Contract, you typically need “physical” access to the blockchain. DApps abstract that access to the blockchain, giving you an interface on your phone or computer browser, which can connect to blockchain access points on remote servers to execute the “Smart Contract” part of the program.
Benefits of DApps
Because DApps are just interfaces to Smart Contracts running on blockchain networks, they can inherit many of the benefits of blockchain technology:
Most public blockchain networks rely on many people in many different locations having the same data and independently verifying each other's work. Therefore, compromising one or more servers is not enough to threaten the data, or the system.
Smart Contracts, transaction records, and identity or achievement records - the parts of DApps that hold the most value - can be outsourced to the blockchain for storage and/or computation. As a company, you can rely on the security and operation of the public blockchain network instead of private servers and personnel.
Faster Decision Making
Many decisions can be codified into Smart Contracts that self-execute when conditions are met. Users can trigger executions without the need for intermediaries, pre-approvals, or long turnaround times.
Moving investments and currency has historically been laborious, with many obstacles. With the blockchain you can move millions of dollars within seconds to almost anywhere in the world.
Just because these potential benefits exist does not mean they are necessarily inherited by any DApp. It will depend on the type of program it is, on the skill of the programmers that build it, and on the standards and traits of the specific blockchain network they are using.
Risks & Misconceptions about DApps
As with any new technology, sometimes the hype blows up before the products have fully matured. This isn’t inherently bad, but it’s good to be aware of the risks so that you can take advantage of new opportunities - without being taken advantage of yourself!
Is it really decentralized?
A current issue with blockchain networks is scarcity. Blockchain networks can be slow; the amount of data that can be stored is limited; they can be quite expensive to use. Cost, speed, and capacity are all parameters that also contribute to the security of these networks. If you are going to clone data around the world every time new information is added, physics dictates that it will take time for that piece of data to travel all the way around the world. Because of this, DApps will sometimes leverage a child network that is attached to the main public network. The industry term for this is “Side chain”. The idea is that lots of activities can happen on the smaller side network, faster. Then, at determined intervals, those activities are compressed and synced with the parent network. When a DApp relies on a Side Chain, it is no longer “protected” by the main chain’s decentralization - at least until that synchronization interval. This is something to know when a DApp claims to be decentralized, but is using a Side Chain.
Is it definitely safe?
The mere fact that something is a DApp or is backed by a Smart Contract does not mean it is safe. Smart Contracts are just software; they can have bugs that cause errors or allow them to be hacked. When investigating the safety of a DApp, a good guiding question is “What trust assumptions did the DApp make?”
Software bugs themselves are a result of programmers assuming that the user will interact with the software in a particular way. Hackers are able to hack by skirting those assumptions so that the program responds in a way not predicted by the programmer.
One of Bitcoin’s chief security mechanisms is based on the assumption that 51% of the companies and individuals running Bitcoin servers are not going to hold a convention and agree to hack the system. There have been hacks where companies only had 9 different operators running their “Side Chain” - with the assumption that it would be difficult for 5 to collude. This led to one of the biggest hacks in 2022, where one hacker used social engineering to get the keys from 5 of the parties and stole over 600 Million U.S. Dollars worth of funds from the system.
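The 5-of-9 trust assumption above can be checked rather than taken on faith. This added example (not part of the original article; the key names, operator names and custody layouts are constructed) counts how many independent parties actually have to be compromised to reach a signing quorum when several validator keys share one custodian.

```python
from collections import Counter


def quorum_met(signer_keys, validator_keys, threshold):
    """True if enough distinct, recognized validator keys signed."""
    valid = set(signer_keys) & set(validator_keys)
    return len(valid) >= threshold


def min_custodians_for_quorum(custodian_of, threshold):
    """Fewest distinct custodians whose keys alone satisfy the threshold.

    custodian_of maps each validator key to whoever controls it.
    Taking the largest holders first yields the minimum count.
    """
    if not 0 < threshold <= len(custodian_of):
        raise ValueError("threshold must be between 1 and the number of keys")
    holdings = sorted(Counter(custodian_of.values()).values(), reverse=True)
    held = 0
    for count, keys in enumerate(holdings, start=1):
        held += keys
        if held >= threshold:
            return count


# Constructed layouts for a 9-key side chain with a 5-signature threshold.
THRESHOLD = 5
# Every key held by a different operator: the nominal assumption.
INDEPENDENT = {f"key{i}": f"operator{i}" for i in range(1, 10)}
# Same 9 keys, but one hypothetical operator controls four of them.
CONCENTRATED = dict(INDEPENDENT, key1="operatorA", key2="operatorA",
                    key3="operatorA", key4="operatorA")

if __name__ == "__main__":
    for name, layout in (("independent", INDEPENDENT),
                         ("concentrated", CONCENTRATED)):
        n = min_custodians_for_quorum(layout, THRESHOLD)
        print(f"{name}: {len(layout)} keys, threshold {THRESHOLD}, "
              f"{n} custodians control a quorum")
```

A side chain that advertises "5 of 9" but resolves to two custodians is only as strong as those two parties, which is the number to ask an operator for.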
Does it actually provide trust and transparency?
While Smart Contracts themselves provide a high level of transparency, much of a DApp is “regular” software, running on opaque, centralized, traditional infrastructure: the UI, and the remote servers that receive user requests and submit them to the blockchain.
More importantly, Smart Contracts can have keys and backdoors that allow for “admin” level privileges, and there is not always transparency or standardization around this.
Last but not least, Smart Contracts are highly specialized pieces of software. Very few people yet know how to read and understand them. There is a socially enforced practice of having Smart Contracts looked over by a third party. However, there are no official standards for what should be addressed in such an audit to ensure its soundness. Simply having a Smart Contract is a good first step toward transparency, but it is not the finish line.
Trust in God but buckle your seatbelt
A transparent DApp should go out of its way to communicate:
- How data is handled between your browser and the blockchain: Is some data being stored on central servers? Are companies mining that data as an additional source of revenue? The important thing here is communication, so that users can make their own decisions accordingly.
- What are the inputs and outputs of their Smart Contracts: “if this, then, else” statements may describe the logic of the contract. Ideally, there would be transparent disclosure of any admin privileges.
- Trust assumptions: What is the likelihood of a 51% attack? What is the efficacy of incentives (or disincentives) that are part of the system?
- How change can be introduced: What are the contract parameters (i.e., fees, event thresholds) and how can they be changed?
- How decentralized it is: a “good” DApp should be decentralized across multiple dimensions: geographic, socioeconomic, and value system, to name a few. Participation at any level should not be gated by a few.
- If the DApp is leveraging a side-chain: who is running it, how many network operators there are and where they are located. Whether anyone can be an operator, or if there are limits of some kind. The “right” answers to these questions will depend on context and on your own preferences.
- On Cardano, Smart Contracts can do anything a person can do - like vote, stake their ADA, or engage with other Smart Contracts. Voting and Staking are important actions that have big consequences for the security of the system and how community treasury funds are spent. It would be very important to communicate about whether Smart Contracts that hold ADA will be participating in staking or voting on the network.
At this point in time there are no industry standards that a DApp can specifically aspire to, or use to “prove” its safety or compliance. Furthermore, given the decentralized nature of these systems, it’s not a situation where we should expect “official” guidelines to come from regulatory bodies. Instead, the guidelines will arise from an informed public user base, who are aware of the risks, and savvy enough to demand high standards. This is a subject of discussion at IOG, dcSpark and teams most active in the development of Cardano core infrastructure. You can also start to think about these things as you encounter the first wave of DApps entering the world today.