Audits might change, but the need for assurance will not.
Today’s financial systems can use blockchain networks to streamline trade and contract execution, while maintaining a permanent record of their transactions and the rules that govern them — if there is trust in the system.
“While blockchain networks and the use of smart contracts can drastically improve the level of assurance and reduce fraud risks, that is only true when they operate with effectively designed governance contracts, a specific type of ‘smart contract’ that has had insufficient focus up to now," said Grant Thornton Strategic Risk and Operations Principal Yvette Connor.
A smart contract is coded to automatically execute the terms of an agreement between two or more parties on a blockchain-based network. Smart contracts execute these terms and share information in a secure way, which is one reason they have so much potential business value. Because of the embedded paradigm of the blockchain, it is easy to think of smart contracts as hardened programs insulated from any potential threat.
“That assumption can be disastrous, though, and we’ve seen this play out with hackers circumventing smart contract weaknesses,” Connor said. It is not uncommon for smart contracts to experience transaction ordering dependencies, where a user makes assumptions based on assurance that might not exist when a qualified transaction is processed.
“What we’ve discovered is an underlying failure to understand how smart contracts need to be engineered and executed in the first place, such as the governance rules that solve for these types of potential risk issues.”
This issue goes deeper than trying to find and isolate predictable vulnerabilities; in many ways, that’s an impossible task. However, blockchain gives us the power to address risk if governance is properly structured. “What we’ve discovered is an underlying failure to understand how smart contracts need to be engineered and executed in the first place, such as the governance rules that solve for these types of potential risk issues,” Connor said.
In fact, “the emphasis in the market has been on contract design for execution, and less focused on designing effective governance rules,” warned Grant Thornton Risk Advisory Services Principal and Banking Sector Lead Graham Tasman. “This is where we see a huge opportunity to better leverage the power of blockchain — to incorporate effective governance contracts into the design.”
The governance layer
Blockchain developers need to consider governance that manages contract requirements or other higher-level rules governing scalability and adaptation
. That includes naming the roles and authorities who have a say in those governance rules, especially around definitions and changes to design.
Governance can form a layer on top of the transactions:
- Financial system layer: non-blockchain technology provides the user interface and other functions
- Blockchain governance layer: blockchain authenticates contract or change requirements
- Blockchain transaction layer: blockchain authenticates transactions
Smart contracts and governance rules can have complex risk factors. Connor said, “We hear a lot of programmers talking about risk, as they put their CRO hats on,” but they often lack a comprehensive understanding of business and market risk. The programmers might be ready to answer questions like “How many nodes are required for approval?” but they might not consider questions like “What if more than 50% of the nodes are in locations with geopolitical challenges? What are other factors that contribute to risk?”
Auditors understand that every use case has unique risks and requires governance models to provide assurance. “That, ultimately, is what auditors will need to evaluate,” Connor said.
Auditors need to review the risk of the governance, and cybersecurity specialists need to review the security of the core transactional system, to determine the assurance of leveraging smart contracts on a blockchain network for a specific purpose.
Fixing the plane in flight
When blockchain governance is not properly designed up front, the risk of smart contract failure downstream can be significant. That’s particularly true when blockchain networks are exposed to external inputs.
Initially, the rules of a smart contract are determined by the contract’s creator where embedded assumptions about the inputs run native on the blockchain network. If the environment changes or bad actors are introduced, it can expose serious weaknesses and a loss of trust in the system.
“There is a perception of inherent risk, from recent events where smart contract execution has failed in practice. The problem is, once a deployed smart contract is active in the blockchain, you can’t simply reel it back in.”
“Since the entire adoption of blockchain is ultimately built around reliability and trust, it is critically important to eliminate the perceived risk of the unknown,” Tasman said. “There is a perception of inherent risk, from recent events where smart contract execution has failed in practice. The problem is, once a deployed smart contract is active in the blockchain, you can’t simply reel it back in.” It can be difficult to update change control for the rules on a smart contract after you discover a problem. That’s why knowledgeable design and testing are essential up front.
“There’s not sufficient attention given to the pretesting that is required to determine every permutation on an algorithm or business rule that goes into smart contracts,” Tasman said. Traditional computer-based algorithms and code undergo extensive testing, auditing and change control in advance of deployment. Likewise, a smart contract requires sufficient auditing and testing, with appropriate governance and control before release. The more rigorous the testing and auditing regimen applied during design, the better assurance of hardened operability when deployed.
Connor explained, “It’s like an airliner on autopilot, where you don’t need a detailed understanding of the aerodynamics involved or the failure points of the control system to fly the plane. That autopilot assurance is finite, so it’s not an entirely reliable or safe option.”
Vulnerabilities that are exposed in a deployed smart contract can be a serious problem for the contract’s participants. That’s because the inherent blockchain rules leave limited recourse on events that have already occurred. So, securing contracts before they are deployed can be the best way to drive assurance, even if it requires more work in development.
Fixing a deployed smart contract is like fixing a plane in flight — it’s not ideal, but we’d better be ready to do it. To address blockchain changes after a system’s release, developers need change control rules defined in on-chain governance. “There should be a whole set of change controls around editing or modifying smart contract business rules,” Tasman said.
A governance contract that attaches to the smart contract can establish who’s allowed to modify the contract rules and when. This is typically someone in leadership at the contract creator. “But then, let’s go a step further and ask, ‘Why can’t a regulator be named as a participant in that governance contract?’” Tasman said. “There are all kinds of possibilities to enable governance contracts to be operated as failsafe controls, but so few are spending time on them relative to the rules for smart contract execution.”
“It’s up to us in the business of managing risk to bring attention to this, emphasizing the appropriate focus on control to ensure a trusted and reliable network for all,” Tasman said.
A new context with familiar concerns
“From an audit perspective, it’s about change management. It’s about security administration. It’s about governance.”
“From an audit perspective, it’s about change management. It’s about security administration. It’s about governance,” said Grant Thornton Internal Audit Cybersecurity Practice Partner Scott Peyton.
“These are not new topics, and good hygiene for systems development still applies,” Peyton said. “The code and the system that we’re stepping into is much more complex, but a lot of the basic principles are still necessary.”
Blockchain technology casts these concerns in a new light, but it also gives us new means for control and assurance. “When you build controllability into the process design, you don’t have to put as much rigor into after-the-fact checking,” Tasman said. “If you design the business rules with a component that is about the control, then you’re going to make the whole transaction much more reliable and efficient — but we need more emphasis on that point.”
Strategic Risk and Operations Principal
+1 316 636 6525
Risk Advisory Services Principal, Banking Sector Lead
+1 215 376 6080
Internal Audit Cybersecurity Practice
+1 303 813 3971