Smart contracts are programs that run on a blockchain and allow custom functionality to be implemented on an existing blockchain (that supports smart contracts). The term “self-executing” contracts and the claim that smart contracts can enforce contracts on their own are very misleading, as this independent execution is limited to the blockchain on which they run. Smart contracts are not to be regarded as “contracts” or even as a concept understandable to the normal end user, but as a technical term.
Dangers in Handling
Dealing with smart contracts without a relatively broad understanding of the underlying technology (or a faulty understanding of the security promises of smart contracts and/or blockchains) can lead to the loss of the value in one’s wallet.
Typically, the end user interacts with one or more smart contracts through a dApp. This dApp can usually be seen as the user interface for the smart contract. If the user wants to perform an action with the dApp that requires access to their own wallet, the dApp generates a “transaction” which, if cryptographically signed by the holder of the wallet, can be transmitted to the blockchain’s p2p network and immortalized in the blockchain. Often, the dApp can be accessed as a normal website on the Internet, but in order to carry out actions on the blockchain with their own wallet, the user has to install a special add-on such as MetaMask.
Typically, the user interface is controlled and updated by a central authority. Should an update be malicious, it can generate transactions that perform different actions on the blockchain than the user believes.
Since the code of the smart contracts themselves is incomprehensible to the layman, there is no inherent guarantee that the smart contract will do what it is supposed to do. However, if the code of the smart contract is immutable, it can be verified by third parties. Immutability is not always really given in practice, even on blockchains on which smart contracts are basically immutable.
There is no guarantee that a smart contract that implements a particular API will comply with the requirements for how the API works. So, for example, it is possible to implement a token that appears to be a normal ERC20 token, but if the method of transfer is invoked, instead of making a transfer, it will steal all the value that the calling wallet has, not only units of the token itself, but all other values as well.