End-user Comprehension of Transfer Risks in Smart Contracts
Yustynn Panicker, Ezekiel Soremekun, Sudipta Chattopadhyay, Sumei Sun

TL;DR
This study reveals that end-users poorly understand transfer risks in popular Ethereum smart contracts, with significant prevalence of these risks in top ERC-20 tokens, highlighting the need for better explanations and UI clarity.
Contribution
It provides empirical evidence of end-user misunderstandings and the prevalence of transfer risks in top ERC-20 contracts, emphasizing the importance of improved transparency and UI design.
Findings
Most users misjudge the severity of transfer risks.
Risks are present in up to 19.2% of top ERC-20 contracts.
Users find it easier to identify successful outcomes than risky ones.
Abstract
Smart contracts are increasingly used in critical use cases (e.g., financial transactions). Thus, it is pertinent to ensure that end-users understand the transfer risks in smart contracts. To address this, we investigate end-user comprehension of risks in the most popular Ethereum smart contract (i.e., USD Tether (USDT)) and their prevalence in the top ERC-20 smart contracts. We focus on five transfer risks with severe impact on transfer outcomes and user objectives, including users being blacklisted, contract being paused, and contract being arbitrarily upgraded. Firstly, we conducted a user study investigating end-user comprehension of smart contract transfer risks with 110 participants and USDT/MetaMask. Secondly, we performed manual and automated source code analysis of the next top (78) ERC-20 smart contracts (after USDT) to identify the prevalence of these risks. Results show that…
Taxonomy
Topics: FinTech, Crowdfunding, Digital Finance · Blockchain Technology Applications and Security
