End-user Comprehension of Transfer Risks in Smart Contracts

Yustynn Panicker, Ezekiel Soremekun, Sumei Sun, Sudipta Chattopadhyay
2024-07-16
Abstract: Smart contracts are increasingly used in critical use cases (e.g., financial transactions). Thus, it is pertinent to ensure that end-users understand the transfer risks in smart contracts. To address this, we investigate end-user comprehension of risks in the most popular Ethereum smart contract (i.e., USD Tether (USDT)) and their prevalence in the top ERC-20 smart contracts. We focus on five transfer risks with severe impact on transfer outcomes and user objectives, including users being blacklisted, contract being paused, and contract being arbitrarily upgraded. Firstly, we conducted a user study investigating end-user comprehension of smart contract transfer risks with 110 participants and USDT/MetaMask. Secondly, we performed manual and automated source code analysis of the next top (78) ERC-20 smart contracts (after USDT) to identify the prevalence of these risks. Results show that end-users do not comprehend real risks: most (up to 71.8% of) users believe contract upgrade and blacklisting are highly severe/surprising. More importantly, twice as many users find it easier to discover successful outcomes than risky outcomes using the USDT/MetaMask UI flow. These results hold regardless of the self-rated programming and Web3 proficiency of participants. Furthermore, our source code analysis demonstrates that the examined risks are prevalent in up to 19.2% of the top ERC-20 contracts. Additionally, we discovered (three) other risks with up to 25.6% prevalence in these contracts. This study informs the need to provide explainable smart contracts, understandable UI and relevant information for risky outcomes.
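As an added illustration of the automated source code analysis the abstract describes (this is example code written for this page, not the paper's own tooling), the following heuristic scanner flags the three named risks, blacklisting, pausing and arbitrary upgrade, in Solidity source and reports their prevalence across a corpus. The regex patterns and the sample contract fragments are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Assumed heuristic patterns for the three risks named in the abstract.
# These are this example's guesses, not the paper's detection rules.
RISK_PATTERNS: Dict[str, List[str]] = {
    "blacklist": [r"blacklist", r"\bfrozen\b"],
    "pause": [r"whenNotPaused", r"\bpaused\b"],
    "upgrade": [r"delegatecall", r"upgradeTo", r"\bimplementation\b"],
}

# Constructed sample sources standing in for a scanned corpus (not real contracts).
SAMPLE_CORPUS: Dict[str, str] = {
    "TokenA": """
        mapping(address => bool) public isBlackListed;
        bool public paused;
        modifier whenNotPaused() { require(!paused); _; }
        function transfer(address to, uint v) public whenNotPaused {
            require(!isBlackListed[msg.sender]);
        }""",
    "TokenB": """
        // plain token: no pause, no blacklist, no delegatecall
        function transfer(address to, uint v) public returns (bool) { return true; }""",
    "TokenC": """
        address public implementation;
        fallback() external payable {
            (bool ok, ) = implementation.delegatecall(msg.data);
            require(ok);
        }""",
}

def strip_comments(src: str) -> str:
    """Drop // and /* */ comments so commented-out text does not trigger a hit."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def scan(src: str) -> Dict[str, bool]:
    """Return which of the three risks appear in one contract's source."""
    code = strip_comments(src)
    return {risk: any(re.search(p, code, re.I) for p in pats)
            for risk, pats in RISK_PATTERNS.items()}

def prevalence(corpus: Dict[str, str]) -> Dict[str, float]:
    """Percentage of contracts in the corpus flagged for each risk."""
    hits = {r: 0 for r in RISK_PATTERNS}
    for src in corpus.values():
        for r, found in scan(src).items():
            hits[r] += int(found)
    n = len(corpus) or 1
    return {r: round(100.0 * c / n, 1) for r, c in hits.items()}
```

A pattern scanner of this kind only surfaces candidates; the manual review the paper pairs it with is what confirms that a flagged modifier or delegatecall actually affects transfer outcomes.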
Software Engineering
What problem does this paper attempt to address?
The problem this paper attempts to solve is ensuring that end-users of smart contracts (especially ERC-20 token contracts on Ethereum, such as USDT) can understand the risks related to transfers. Specifically, the researchers focus on the following points:

1. **End-user perception problems**: Can most users identify and understand the potential risks in smart contracts, for example being blacklisted, the contract being paused, or the contract being arbitrarily upgraded?
2. **User interface usability problems**: Can the user interfaces provided by light wallets such as MetaMask effectively inform users of possible transfer outcomes and the reasons behind them?
3. **Prevalence of risks**: Are these risks widespread in other popular ERC-20 smart contracts?

### Research methods

To answer these questions, the researchers adopted two main research methods:

1. **User study**:
   - Through a user study involving 110 participants, the researchers investigated users' awareness of five specific transfer risks in the USDT smart contract.
   - Participants used USDT and MetaMask in the experiments to evaluate their awareness of, surprise at, and perceived severity of the different risks.
2. **Source code analysis**:
   - The researchers conducted manual and automated source code analysis of the next 78 most used ERC-20 smart contracts to determine how prevalent these risks are in other contracts.

### Main findings

1. **Insufficient user awareness**:
   - Most users (up to 71.8%) consider contract upgrade and blacklisting to be the most severe and most surprising risks.
   - Users find successful transfer outcomes more easily than risky outcomes. Only about 35.8% of users think that MetaMask's user interface is sufficient to help them understand these risks.
2. **Risks are widespread**:
   - Source code analysis shows that these risks are prevalent in up to 19.2% of the top ERC-20 contracts.
   - In addition, three other potential risks were found, present in up to 25.6% of these contracts.
3. **Impact of user background**:
   - Statistical analysis shows that users' self-rated programming ability and Web3 proficiency have no significant impact on their awareness of risks.

### Conclusions and recommendations

The results show that the current user interfaces and information presentation of smart contracts are not sufficient to help users fully understand the potential risks. The researchers therefore recommend:

- Developing more transparent and explainable smart contracts.
- Improving user interface design so that risk information is easier to understand and convey.
- Providing more educational and training resources to help users better understand how smart contracts work and what risks they carry.

These improvements would help strengthen user security and trust and promote the wide adoption of smart contract technology.