A Canadian digital currency exchange (QuadrigaCX) reported recently that a malfunction in a smart contract is responsible for a $14 million dollar loss of the cryptocurrency ether. You can read more about the company’s technical explanation here, but the upshot is that a software upgrade performed by the company had an error in the code that prevented the smart contract from properly processing incoming amounts of the cryptocurrency Ether. The error was not caught for a few days, and during that time, Ether sent to the company’s exchange was “trapped” in the smart contract. Based on Ether’s current price, the amount of “trapped” Ether is valued at approximately $14 million. It may go without saying, but the risk of currency becoming trapped inside a contract—and therefore rendered unusable, even though it technically remains in the possession of the owner—is not a risk traditionally associated with commercial transactions. As the QuadrigaCX situation illustrates, smart contracts introduce novel risks that may increase exposure to financial losses. In this post, we suggest that these risks and losses may be mitigated through proper indemnification; however, a review of existing insurance policies should be undertaken to determine if they provide coverage or, alternatively, if additional coverage should be procured.
Most anyone familiar with blockchain technology has heard of blockchain applications for the insurance industry. We even wrote about them here in a series of posts emphasizing efficiency gains and the potential applications to life insurance, final expense insurance, and parametric insurance. But less attention has been given to the reverse scenario—i.e., insurance applications for the blockchain industry, particularly for risks and losses that may arise when blockchain applications are put into commercial use. Such applications offer myriad benefits, but they also raise questions regarding what protections are available if they malfunction.
In the case of QuadrigaCX, the malfunction was a coding error (basically a typo) that caused a multi-million dollar loss in the company’s cryptocurrency holdings. The situation differed from a traditional contract mistake that typically could be corrected by the parties before any real harm was done—instead, the impact of the “typo” was felt immediately and (apparently) irrevocably. This is just one example of the potentially significant loss scenarios that may arise from smart contract errors. Others include coding errors that may cause a miscalculation of a payment amount (or a series of payment amounts), sensitive data that may be accidentally corrupted or deleted, or a transaction that may be improperly executed because of incorrect data fed into the smart contract.
The consequences flowing from these scenarios may range from mild to extreme: A payment error might be caught during an audit and corrected by the parties to the contract. Lost data, on other hand, may be quite valuable and not recoverable.
The potential for new risks and severe consequences arising from smart contracts (compared to traditional contracts) suggests that a re-consideration of indemnification strategies is warranted. Risks arising from coding errors or other human errors are not the product of intentional wrongdoing or a catastrophic event and may not involve any injury to a third party. Consequently, these risks and the potential losses may not be covered by traditional insurance policies such as commercial property insurance (typically requires damage by an event like a fire or a storm), business income insurance (same requirement), liability insurance (injury must be to a third party), and business crime insurance (typically covers intentional wrongdoing).
In coming posts, we will discuss the potential use of other indemnification options, such as cybersecurity insurance policies, indemnification agreements with outside vendors, and “make whole” agreements among the smart contract parties themselves. However useful these tools may be, the issue of insurance for smart contract risks is novel in some respects, dependent on a host of factors, and influenced by rapid technological developments and industry responsiveness to the issue. We do not profess to have all the answers, but we do believe anyone implementing a smart contract would be wise to assess whether there are new risks and whether additional indemnification is necessary as a result.