Probabilistic Framework For Loss Distribution Of Smart Contract Risk
aa r X i v : . [ c s . D M ] J a n Probabilistic Framework For Loss DistributionOf Smart Contract Risk ∗ Petar Jevti´c and Nicolas Lanchier
Abstract:
Smart contract risk can be defined as a financial risk of loss due to cyber attackson or contagious failures of smart contracts. Its quantification is of paramount importanceto technology platform providers as well as companies and individuals when considering thedeployment of this new technology. That is why, as our primary contribution, we proposea structural framework of aggregate loss distribution for smart contract risk under the as-sumption of a tree-stars graph topology representing the network of interactions among smartcontracts and their users. Up to our knowledge, there exist no theoretical frameworks or mod-els of an aggregate loss distribution for smart contracts in this setting. To achieve our goal,we contextualize the problem in the probabilistic graph-theoretical framework using bondpercolation models. We assume that the smart contract network topology is represented bya random tree graph of finite size, and that each smart contract is the center of a randomstar graph whose leaves represent the users of the smart contract. We allow for heterogeneousloss topology superimposed on this smart contract and user topology and provide analyticalresults and instructive numerical examples.
1. IntroductionTechnology.
In its core, blockchain technology represents an open but distributed ledger wheretransactions between parties are recorded in verifiable and immutable ways [8]. Blockchains emergedin global public spheres in 2008 with the advent of Bitcoin digital currency, and was conceptuallyand analytically founded by the now legendary work of [16].Prescient when voiced and skillfully phrased by [23], smart contracts are first defined as “aset of promises, specified in digital form, including protocols within which the parties perform onthese promises”. From a software engineering perspective, smart contracts can be described as self-executing scripts running on blockchain platforms that can be both private, public or consortiumand semi-private blockchains.
Present and future.
Today, the penetration of blockchain technology is a wide spread phe-nomenon across industries and its use is accelerating [9]. The largest public blockchain platformthat offers smart contract capabilities is Ethereum. The digital currency of the Etherium platformis Ether (ETH) which has market capitalization around 27 billion USD, with 24h volume of tradearound 9 billion USD. The number of platform hosted smart contracts, i.e., blockchain storedscripts that can be coded in Solidity language, has recently reached almost 2 million. ∗ The numerical results presented in this work are produced by the joint invention of the authors. The invention ispatent pending under the heading “Systems and methods for a simulation program of percolation model for the lossdistribution of smart contracts caused by a cyber attack or contagious failure”.
AMS 2000 subject classifications:
Primary 60K35.
Keywords and phrases: smart contracts, cyber risk, operational risk, loss modeling, random graphs, insurance. See https://coinmarketcap.com/currencies/ethereum/ . See https://cointelegraph.com/news/ethereum-smart-contracts-up-75-to-almost-2m-in-march .1 Petar Jevti´c and Nicolas Lanchier
The promises of increased efficiencies of economic transactions and automated interactions be-tween economical agents, novel ways of resource utilization and monetization, data integrity andprivacy [21], etc. are tantalizing (see [22] or [25]). Blockchain enabled technologies, which includessmart contract technology, are estimated to produce business value-add growth by 2025 rangingin 176 billion USD . Most strikingly, the World Economic Forum [20] survey of 800 information andcommunications executives and experts reveals belief that around ten percent of global GDP wouldbe found on blockchain systems by year 2027. Therefore, it is increasingly being recognized that,associated with digital assets, in conjunction with smart contracts, blockchain technology offersnovel ways of organizing the economy and even the society across myriad of everyday interactions. Risk.
As any novel technology, the smart contract technology comes with its own risks [17] thatexpose its users to potentially unforeseen liabilities. Contagious losses can originate from manysources starting with coding errors [1], malicious cyber attacks [14] or even under-optimized smartcontracts [3]. Notwithstanding the smaller ones, the losses can be of considerable size, and thenow infamous 2016 Ethereum DAO attack [15], where over 50 million USD worth of Ethereumwere misappropriated, looms large as an example of a potential liability. Another example is the2017 parity multi-signature wallet attack where around 30 million USD then equivalent value ofEthers was stolen and subsequently due to exploited code vulnerability the equivalent of around 150million USD permanently rendered inaccessible. Also, in 2018, MyEtherWallet had its about 17million USD worth in Ether stolen. Sadly, the future does not appear without clouds as the currentresearch suggests. The recent findings [17] show that at least around 30,000 current Ethereum smartcontracts are at risk due to their particular characteristics.That is why in this work, we define a smart contract risk as a risk of financial loss due to cyberattacks or contagious failures of smart contracts . The risk can originate from the smart contractunder consideration, or its users, or other smart contracts the smart contract under considerationcommunicates with during the course of its execution, or their users. The losses may be the resultof misappropriation or misallocation of funds belonging to wallets of users or smart contracts underconsideration. Consequently, from management perspective, if liability is left poorly understood,the risks arising from application of this novel technology may jeopardize platform providers orstifle decisions for their faster adoption. Challenge.
The characterization of loss distribution is widely used approach for quantificationof the frequency and severity distributions of operational risk losses (see [19]). In practice, theempirical loss distribution becomes available after sufficient time has passed so that sufficientlylarge number of loss observations can be collected. Unfortunately, in the case of smart contractrisk, due to the lack of data, there exist no empirical loss distributions in proper sense . Whatis currently available is a handful of recorded losses spread across smart contract platforms andpartially recorded as anecdotes in the academic literature. In particular, there is insufficient infor-mation for the creation of empirical loss distributions and thus characterization of the risk froma statistical/empirical perspective. Sadly, in short term, the future offers no hope here. In fact,this situation suggests a different approach, namely the creation of structural models for the lossdistribution, which this work addresses. To our knowledge, this is the first work that is concernedwith the characterization of smart contract risks from probabilistic perspective and develops cred- See Lovelock, J. and Furlonger, D., 2017. Three Things CIOs Need to Know About the Blockchain Business ValueForecast. Published by Gartner. See https://cointelegraph.com/news/parity-multisig-wallet-hacked-or-how-come See . ercolation framework for the loss distribution of smart contract risks ible and practical structural models for the loss distribution. As such, this work paves the way forinsurers to price smart contract risks, which is highly relevant in decisions for creating new smartcontract risk related insurance product lines. Mathematical Conceptualization.
Conceptually, we envision the smart contract under con-sideration as the root vertex of a random tree call graph [5, 18]. Call graphs are comprised ofvertices that are smart contracts interacting directly or indirectly with the smart contract underconsideration during its execution. These smart contracts can be seen as offspring of the root smartcontract in an undirected tree graph. For their proper performance, these smart contracts mightrely on the execution of some other smart contracts which they call. Those would be, in turn, theiroffspring and so on up to some distance from the root smart contract. Here, random graphs areused to conceptualize the dynamical nature of call graphs. At any given time, the smart contractunder consideration can have different patterns of communication with some (or none) offspringsmart contracts which, in turn, might have smart contracts they communicate with in temporallyinhomogeneous ways. The authors of [5] investigated nearly 200,000 smart contracts on Etheriumplatform and, among those that call other smart contracts, which was a majority, they found thatonly a small number of call graphs had loops. This motivates the use of tree graphs, i.e., graphs withno loop, to model the network of smart contracts. Each of the smart contracts in this structure mayin principle have users it interacts with. Assuming that the users are not shared among differentsmart contracts, the random tree-stars graph structure naturally emerges.We use a two-parameter bond percolation model to describe the contagion process among smartcontracts and their users. Bond percolation was introduced in [2]. For a pedagogical and thoroughintroduction to percolation, we refer the reader to [6], while a brief overview of the main results isavailable in [13, chapter 13]. There is a wide variety of contagion processes one can choose from as amodel component in framework building. However, to our knowledge, there is no extensive empiricalstudy of contagions in smart contracts (certainly a valuable research question to be addressed inthe future) so the choice of contagion process is left to the modelers. That is why, given the lackof an empirical study, it is natural to assume that the way smart contracts interact is stronglyinfluenced by random factors and the topology of the call graph. All considered, in our frameworkwe use bond percolation as a starting model of contagion among the models that account for bothstochasticity and network structure, and leave other choices to future research.As a final modeling choice in our proposed framework, we also include a configuration of monetaryassets on the network, i.e., we attach a monetary asset with a certain dynamic value to each nodeof the network, either of user type or of smart contract type. Simply put, we assume that usersand smart contracts, in their wallets, hold some assets that have a monetary value at any giventime. This arrangement of monetary values across the network constitutes a cost topology. Thecompromise of a node in the network (due to a cyber attack, an operational failure, etc.) entailsthe loss of the monetary asset and its value. To account for the dynamical nature of these assetsacross time and over the evolving network, we assume that the asset values are represented byrandom variables. The percolation model then defines the contagion process stemming from theevent of a node being compromised given a particular temporal instance of the tree-stars networktopology. Finally, the sum of all the losses, given the particular first node being compromisedand the realization of the associated contagion process, characterizes one observation point in theaggregate loss distribution due to cyber attacks or operational failures of smart contracts.In this setting, we give analytical and numerical results related to the mean and the varianceof the aggregate loss distribution. We emphasize that our results hold for arbitrarily large random
Petar Jevti´c and Nicolas Lanchier tree-stars graphs, and for all possible choices of the parameters of the bond percolation model andthe distribution of the asset values.The rest of this paper is organized as follows. In Section 2, the mathematical framework to model lossdue to cyber attacks and/or operational failures is developed. Section 3 presents the main analyticaland numerical results about the mean and variance of the loss distribution. The remaining sectioncontains the proofs of the analytical results.
2. Framework for the aggregate loss
We model the aggregate loss up to time t using a continuous-time Markov chain ( L t ) that consistsof the combination of a Poisson process representing the times at which contagions strike, the ran-dom graph representing the evolving connections among smart contracts and users, a percolationprocess on this random graph modeling the spread of the contagion, and a collection of independentrandom variables on the vertex set representing the evolving monetary assets. For the purpose ofunderstanding the main characteristics of loss distribution and risk pricing, the main objective isto study the mean and the variance of the random variable L t .From a probabilistic perspective, random graphs relevant for our problem consist of the compo-sition of a random tree and a collection of random stars. The former models the connections amongthe smart contracts whereas the latter models the connections between smart contracts and users.Because the network consists of a two layers, it is natural to include two percolation parameters:one parameter representing the probability that the contagion spreads across an edge connectingtwo smart contracts and another parameter representing the probability that the contagion spreadsacross an edge connecting a smart contract and a user. Similarly, we consider two different distribu-tions for the local costs (monetary assets), one modeling the loss resulting from a smart contract’swallet being compromised, and another one modeling the loss resulting from a user’s wallet beingcompromised. More precisely, the process is constructed using the following components: • A Poisson process ( N t ) with intensity λ . • A random graph G = ( V, E ) consisting of the combination of a random rooted tree withradius R and offspring distribution described by a random variable X + , and random starswith degree described by a random variable X − , with probability mass functions P ( X + = k ) = p k and P ( X − = k ) = q k for all k ∈ N . • Two percolation parameters p, q ∈ (0 , • A random variable b C + describing the loss due to a smart contract being compromised. • A random variable b C − describing the loss due to a user being compromised.The process evolves as follows. At the arrival times T i = inf { t : N t = i } , i > , of the Poisson process, we let G i = ( V i , E i ) be a realization of the random graph modeling theconnections among smart contracts and users at the time T i of the i th contagion.To construct this random graph, we draw X + edges starting from a root 0, meaning k edges with ercolation framework for the loss distribution of smart contract risks probability p k , and additional edges starting from each of the subsequent vertices using the sameprobability distribution. The construction stops after R steps, which results in T iR = ( V i + , E i + ) = random tree with radius at most R, where V i + represents the set of smart contracts. Then, from each smart contract x ∈ V i + , weindependently draw X − edges, meaning k edges with probability q k , thus creating S i ( x ) = ( V i − ( x ) , E i − ( x )) = random star with center x for all x ∈ V i + . The leaves of the star represent the users connected to smart contract x , and we assume that eachuser is connected to only one smart contract. Letting V i − be the set of all users, and E i − be the setof all edges connecting a user to a smart contract, the construction results in a random graph G i = ( V i , E i ) where V i = V i + ∪ V i − and E i = E i + ∪ E i − . See the top-left panel of Figure 1 for a picture where the squares represent the smart contracts andthe circles represent the users.To quantify the financial loss, we attach a random local cost b C iy to each vertex y ∈ V i representingthe loss resulting from vertex y being compromised. More precisely, we let b C iy = b C + in distribution for all y ∈ V i + b C iy = b C − in distribution for all y ∈ V i − be independent. Considering two different distributions for the local costs is motivated by the factthat the loss due to a smart contract being compromised in principle may be significantly differentfrom the loss due to a user being compromised. See the top-right panel of Figure 1 for a picture.To model the contagion itself, we use the framework of percolation theory, and more precisely,bond percolation (percolation on the edges). That is, we let ξ i ( e ) = Bernoulli ( p ) for all e ∈ E i + ξ i ( e ) = Bernoulli ( q ) for all e ∈ E i − be independent. Following the terminology of percolation theory, edges with ξ i ( e ) = 1 are said tobe open. See the bottom-left panel of Figure 1 for a picture where the solid edges are open and thedashed edges are closed. Given that the contagion starts at vertex O i , which we call from now onthe origin of the contagion, the set of vertices that get compromised is C i ( O i ) = { y ∈ V i : there is a path of open edges connecting O i and y } , called the open cluster starting at O i . See the bottom-right panel of Figure 1 for a picture wherethe open cluster starting at the root is represented in red.For the purpose of loss modeling, we are only interested in the vertices being compromisedand their cost in certain subsets depending on the origin of the contagion. Therefore, instead ofjust considering the total size and the total cost of the contagion, we define more generally twocollections of random variables as follows. For every subset A i ⊂ V i , we let S i ( A i ) be the numberof vertices in A i that are compromised at time T i . In equation, this can be written as S i ( A i ) = card ( C i ( O i ) ∩ A i ) for all A i ⊂ V i . Petar Jevti´c and Nicolas Lanchier
1. Generate the random graph 4. Add the costs of infected vertices3. Choose the open edges at random 2. Choose the local costs at randomC CC
C CCC CC CCC CCC CC CC C C C CC CCC CCC CC CC C C C C CC C
Figure 1 . Illustration of the random process generating a single contagion and the associated costs. The squaresrepresent the smart contracts while the circles represent the users of the smart contracts. In each picture, the squarewith a frame is the smart contract under consideration whose loss distribution is considered. The pictures are forscenario 1 but the process is the same for the other scenarios except to compute the cost. First, we generate therandom tree of smart contracts and add the random stars of users. Second, we choose local costs at random for all thevertices. Third, we use independent coin flips to determine the open edges. Fourth, we add the costs of all the verticesthat are compromised (connected to the origin by a path of open edges) and circled in dashed lines in Figure 2.
Similarly, we define the financial loss restricted to subset A i ⊂ V i as C i ( A i ) = X y ∈ S i ( A i ) b C iy for all A i ⊂ V i , the sum of the local costs of all the vertices that are in subset A i and that are compromised, i.e.,in the open cluster starting at the origin O i of the contagion.To complete the mathematical description of the loss resulting from a single contagion, we stillneed to explain how the origin O i and the subset A i are chosen. There are four distinct risk scenarios,and we assume that scenario j occurs with probability Q j at each arrival time of the Poisson processindependently of everything else. The four scenarios are as follows.1. The contagion is due to the smart contract at the root being compromised. In this case, the ercolation framework for the loss distribution of smart contract risks Scenario 1 Scenario 2Scenario 3 Scenario 4
Figure 2 . Pictures of the four scenarios. In each picture, the red vertex indicates the possible origin of the contagionand the black vertices (if any) the other vertices from which the contagion can start. The four resulting subsets ofred and black vertices form a partition of the vertex set: only the smart contract at the root, only the users of thesmart contract at the root, all the smart contracts except the root, and all the users except the users of the root. Ineach scenario, the relevant cost from the point of view of the smart contract at the root is the loss restricted to thesubset of vertices circled in dashed lines. origin of the contagion is the root and the loss is the total loss over all the network so O i = 0 and A i = V i .
2. The contagion is due to a user of the smart contract at the root compromising this smartcontract. In this case, the origin is chosen uniformly at random from the set of users of theroot, and the loss that is of interest is the total loss except for the user which originates thecompromising activity, so O i = Uniform ( V i − (0) \ { } ) and A i = V i \ {O i } .
3. The contagion is due to one of the smart contracts excluding the root being compromised.In this case, the origin of the contagion is chosen at random from the set of smart contracts
Petar Jevti´c and Nicolas Lanchier other than the root and, from the perspective of the smart contract at the root, the loss whichis of interest is the loss restricted to the smart contract at the root and its users so O i = Uniform ( V i + \ { } ) and A i = V i − (0) .
4. The contagion is due to a user of one of the smart contracts other than the root compromisingthis smart contract. In this case, the origin is chosen uniformly at random from the set ofusers of the smart contracts other than the root, and the loss which is of interest is again theloss restricted to the smart contract at the root and its users so O i = Uniform ( V i − \ V i − (0)) and A i = V i − (0) . See Figure 2 for a picture of the four scenarios. Note that the four sets representing the possibleorigins of the contagion in the four scenarios form a partition of the network, therefore our modeland analysis cover all possibilities.Finally, the random variable L t is defined as the aggregate financial loss caused by all the con-tagions that occur between time zero and time t . In equation, L t = N t X i =1 C i ( A i ) = N t X i =1 X y ∈ S i ( A i ) b C iy . For the purpose of loss distribution characterization and risk pricing, the main objective is tocompute the expected value and the variance of the aggregate loss L t . Since the financial lossesresulting from different contagions are independent, and because the losses resulting from contagionsof the same type j are identically distributed, the mean and variance of the aggregate loss L t canbe deduced from the mean and variance of the loss resulting from a single contagion. In particular,we first focus on the loss resulting from a single contagion of type j , and drop all the superscripts i referring to the number of the contagion to avoid cumbersome notations.
3. Main results
This section presents our analytical and numerical results about the loss distribution.
Analytical results.
As previously mentioned, we first study the loss resulting from a single con-tagion in the context of scenario j , for 1 ≤ j ≤
4. To keep the notation short, we write S ( V ) = S, S ( V ± ) = S ± , S ( V − ( x )) = S x , S ( V − ( x ) \ { x } ) = S ∗ x for all x ∈ V + , and similar notation for the cost. Also, the conditional probability of an event A given the distribution of the origin O are written as P x ( A ) = P ( A | O = x ) P − x ( A ) = P ( A | O = Uniform ( V − ( x ) \ { x } )) P + ( A ) = P ( A | O = Uniform ( V + \ { } )) P − ( A ) = P ( A | O = Uniform ( V − \ V − (0)))and similar notation for the conditional mean, variance and covariance. The superscript + em-phasizes that the contagion starts from a smart contract, while the superscript − emphasizes that ercolation framework for the loss distribution of smart contract risks the contagion starts from a user. The mean and variance of the loss resulting from a contagion inscenario j are written µ j and σ j , respectively. In particular, µ = E ( C ) , µ = E − ( C − C ( {O} )) , µ = E + ( C ) , µ = E − ( C )and similarly for the variance. We first recall a result from [10] that will be useful later to studythe mean and variance in scenarios 1 and 2. In the absence of users, i.e., X − = 0 and G = T R = ( V + , E + ) , in which case the parameter q and the distribution b C − are unimportant, the mean and the varianceof the size of the contagion have already been studied in detail by the authors in [10]. Using thenotation above, their result gives exact expressions of the mean and the variance of the size S + given that the contagion starts from the root of the graph. To state this result, let µ + = E ( X + ) = ∞ X k =0 kp k and σ = Var( X + ) = ∞ X k =0 ( k − µ + ) p k be the mean and the variance of the number of edges starting from each smart contract andconnecting two smart contracts. Comparing the size of the contagion with the number of individualsup to generation R in a certain branching process gives the following result from [10]. Theorem 1 – For a contagion starting at the root, E ( S + ) = 1 − ( µ + p ) R +1 − µ + p Var ( S + ) = p (1 − p ) µ + + p σ (1 − µ + p ) (cid:18) − ( µ + p ) R +1 − µ + p − (2 R + 1)( µ + p ) R (cid:19) . Our first result below shows how the conditional mean and variance of the total loss C relate tothe conditional mean and variance of the size S + given that the contagion starts from a smartcontract x ∈ V + . This can be used in combination with Theorem 1 to obtain the conditional meanand variance in scenario 1. To state our result, as we did for X + , we let µ − = E ( X − ) = ∞ X k =0 kq k and σ − = Var( X − ) = ∞ X k =0 ( k − µ − ) q k be the mean and the variance of the number of users connected to a given smart contract. Byconditioning on the size S + , one can express the conditional mean and variance of the loss as afunction of the conditional mean and variance of S + as follows. Theorem 2 – For all x ∈ V + , E x ( C ) = E x ( S + ) E ( C )Var x ( C ) = E x ( S + ) Var ( C ) + Var x ( S + )( E ( C )) where the mean and variance of C are E ( C ) = E ( b C + ) + qµ − E ( b C − )Var ( C ) = Var( b C + ) + ( σ − − µ − )( qE ( b C − )) + qµ − E (( b C − ) ) . Petar Jevti´c and Nicolas Lanchier
Taking x = 0 in the theorem gives the mean and variance of the total loss as a function of the meanand variance of S + which, in turn, are given in Theorem 1. In particular, combining Theorems 1and 2 directly gives the mean and variance in the first scenario. Even though the result is an obviouscorollary of the first two theorems, we state it as a theorem for completeness. Theorem 3 (scenario 1) – For all X + and X − , µ = E ( S + ) E ( C ) σ = E ( S + ) Var ( C ) + Var ( S + )( E ( C )) where the mean and variance of S + and C are given in Theorems 1 and 2. Recall that, in scenario 2, the contagion starts from one of the users of the root contract chosenuniformly at random. This user tries to compromise the network and the relevant loss consists ofthe cumulative cost of all the compromised vertices except for the originator. The key idea to studythis scenario is to condition on the state of edge (0 , x ), where x is a user of the root contract, inorder to express the conditional mean and variance of the loss given that the contagion starts from x as a function of the mean and variance given that the contagion starts from the root. Because thelatter is known from Theorem 3, this leads to an explicit expression for the mean and variance inscenario 2. More precisely, we have the following theorem. Theorem 4 (scenario 2) – For all X + and X − , µ = q ( µ − qE ( b C − )) σ = qσ + q (1 − q )(( µ − qE ( b C − )) − qE ( b C − )) ) where µ and σ are given in Theorem 3. In the last two scenarios, the objective is to study the loss C restricted to the root contract andits users when the contagion starts from outside this set. This is more difficult than the first twoscenarios, but we can derive exact expressions in the context of deterministic graphs. Note howeverthat the contagion process is still stochastic. More precisely, we assume that P ( X + = d + ) = P ( X − = d − ) = 1 for some d + , d − ∈ N ∗ . In this case, µ − = d − and σ − = 0, therefore Theorem 2 gives E ( C ) = E ( b C + ) + qd − E ( b C − )Var ( C ) = Var( b C + ) − d − ( qE ( b C − )) + qd − E (( b C − ) ) . (1)Because in scenarios 3 and 4 the loss C is strictly positive if and only if the root gets compromised,it can be proved that the mean and variance when the contagion starts from outside V − (0) areconnected to the mean and variance in (1) through the probability of the event A = the root is compromised = { ∈ C ( O ) } . The probability of this event and how the mean and variance in scenarios 3 and 4 are related to (1)above are given in the following theorem. ercolation framework for the loss distribution of smart contract risks Theorem 5 (scenarios 3 and 4) – For X + = d + and X − = d − , P + ( A ) = p (cid:18) − ( d + p ) R − d + p (cid:19)(cid:18) − d + − d R + (cid:19) and P − ( A ) = qP + ( A ) . In scenarios 3 and 4, the mean and variance are then given by µ = P + ( A ) E ( C ) , σ = P + ( A )[ P + ( A c )( E ( C )) + Var ( C )] µ = P − ( A ) E ( C ) , σ = P − ( A )[ P − ( A c )( E ( C )) + Var ( C )] where E ( C ) and Var ( C ) are given in (1) . Our last task is to combining Theorems 3–5 to deduce the mean and variance of the aggregatefinancial loss up to time t . Recall that scenario j occurs with probability Q j at each arrival time ofthe Poisson process ( N t ) independently of everything else, and let N jt = number of occurrences of a type j contagion by time tL jt = aggregate financial loss due to type j contagions by time t. By the thinning property of Poisson processes, the processes ( N jt ) are independent Poisson processeswith intensity λQ j , from which it follows that E ( N jt ) = Var( N jt ) = λtQ j for 1 ≤ j ≤ . In particular, conditioning on N jt , we get E ( L t ) = X j =1 E ( L jt ) = X j =1 E ( E ( L jt | N jt )) = X j =1 λtQ j µ j . (2)Using also that the contagions at different times (and therefore the loss resulting from these con-tagions) are independent, and applying the law of total variance,Var( L t ) = X j =1 ( E (Var( L jt | N jt )) + Var( E ( L jt | N jt ))) = X j =1 λtQ j ( σ j + µ j ) . (3)Combining (2) and (3) with all our theorems gives explicit expressions for the mean and the varianceof the random variable L t , as desired for the purpose of insurance pricing. Numerical results.
Under various parameter settings, we investigate the expectation E [ L t ] andvariance Var[ L t ] of loss distribution of smart contract risk given the developed model.Without loss of generality we assume t = 1 and have the profit loading factor δ = 0 .
1. Further,we assume λ = 1, thus the attacks occur at rate one per unit of time . For illustrative purposes,two choices of probability mass function [ p , p , p ] for random smart contract tree edge formation The characterization of E [ L t ] and Var[ L t ] allow for straight forward calculation of actuarial fair risk, expectationprinciple based as well as standard deviation principle based risk premium for smart contract risk ([4] and [11]). In practice, for parameter λ , a platform provider would use it’s internal statistics related to attack rates.2 Petar Jevti´c and Nicolas Lanchier are considered. First, the smart contract tree with probabilistic formation of edges under consid-eration is characterized by the probability mass function [0 , . , . p with this choice is equal to zero. The probabilityof one offspring of a smart contract is p = 0 . p = 0 .
6. Thus, a given smart contract will, with probability 0.4, have one offspringsmart contract it communicates with and, with probability 0.6, two offspring smart contracts itcommunicates with. Second, we consider a deterministic smart contract tree characterized by theprobability mass function of edge formation [0 , , R . Across all experiments the common radius of the trees is chosen to be R = 3.Under the assumption of log-normal distributions for both b C + and b C − , we allow for three costtopologies (see Table 1). These costs materialize when smart contract and user wallets are com-promised. The cost topologies under consideration are characterized by three cases of means andstandard deviations. The choice of expectation of cost for the smart contracts (see second columnin the table) is stylized, kept to 10,000 monetary units, and made consistent across all cost cases.Similarly, the choice of expectation of cost for the users (see fourth column) is stylized, kept to 1,000monetary units, and made consistent across all cost cases as well. The standard deviation of costfor the smart contracts (see third column) in a stylized fashion is allowed to change across cases,alternating between 0 and 5,000. Similarly, the standard deviation of cost for the users (see fifthcolumn) is also allowed to change across cases, alternating between 0 and 500. Smart Contracts Users
Expectation Deviation Expectation Deviation
Cost of Cost of Cost of Cost of CostTopology E [ b C + ] q Var[ b C + ] E [ b C − ] q Var[ b C − ]I 10000 0 1000 0II 10000 5000 1000 0III 10000 0 1000 500 Table 1
Three cases of cost topology are given assuming the log-normal distribution for both b C + and b C − . Two cases for the probability of smart contract edge contagion are considered: low probabilityof edge contagion characterized by p = 0 . p = 0 .
8. Likewise, two cases for the probability of user edge contagion are considered: lowprobability of user edge contagion characterized by q = 0 . q = 0 . In practice, to choose the probability of the edge contagion p , a platform provider (e.g. Ethereum) may performrisk classification by clustering their ecosystem of smart contracts across a predetermined set of features. The academicliterature [7, 12, 24] or best practices (e.g. https://consensys.github.io/smart-contract-best-practices/) can guide thechoice of such features. Alternatively, to create best practices, platform providers should consult smart contract auditproviders that perform pre deployment smart contract analysis and consulting. Regretfully, the true value of p isunknowable and practically unattainable. Thus, for found risk classes, according to their riskiness, and based on itsjudgment, a platform provider should impute values of edge contagion given their own internal expert knowledge. In practice, to choose the probability of the edge contagion q , a platform provider should make considerationssimilar to when choosing parameter p . ercolation framework for the loss distribution of smart contract risks of simulations is sufficient to achieve desired prices stability and accuracy. This is additionallysupported by the congruency between the simulation based results and the analytical results, asshown in Tables 2 and 3 where the difference between simulation and analytical results does notexceed one percent. For the sake of brevity, and because our findings based on numerical simulationsare the same in all four scenarios, we only investigate the first and third scenarios .Recall that, in scenario 1 (see Table 2), the contagion starts from the root contract. Here, thereare several insights that can be deduced from our numerical results. • First, everything else being fixed, offspring distributions that result in a stochastically highernumber of vertices (for both smart contracts and users) consistently lead to higher means andvariances. Hence, the stochastic “size” of the interactions impacts the moments: the biggerthe network, the higher the moments. • Second, across all parameter settings, the fact that both smart contracts and users costschange in time (which is captured by random variables with differently parameterized distri-butions) makes an impact on the moments of loss distribution. Further, as expected, increasingthe variance of the the costs while keeping their expectation fixed results in an increase of thevariance of loss distribution. Also, the impact of variability of costs of smart contracts versusvariability of costs of users is, in principle, different.Recall that, in scenario 3 (see Table 3), the origin of the contagion is chosen uniformly at randomfrom the set of smart contracts other than the root. Following the analytical results, the simulationsfor this scenario were only performed when the tree-stars graph is deterministic. Here, severalinsights can be deduced from our numerical results. • First, across all parameter settings in scenario 3, when compared to the corresponding settingsin scenario 1, we observe significantly lower moments of the loss distribution. • Second, similarly to scenario 1, higher the levels of contagion parameters higher the moments.Given the high dimension of the parameter space of the model and the number of scenarios, manymore numerical investigations are conceivable. They are not given here both because of the con-strains of space and because of the essentially intuitively obvious impact of the parameters. Moreimportantly, we point out that the analytical results can be used to obtain the exact values ofthe moments in the context of scenarios 1 and 2, whereas they are limited to deterministic smartcontracts/users networks in the context of scenarios 3 and 4. In contrast, the simulation basedapproach does not suffer any such constraints. In addition, the almost perfect match between ouranalytical and numerical results in the cases covered by our theorems validates our numerical re-sults. In particular, our simulations are reliable enough to give extremely good approximations ofthe moments in all four scenarios and for any possible choices of the random tree-stars graph andnetwork topology.
Conclusion.
In this paper, we develop a dynamic structural percolation model for the aggregateloss distribution due to cyber attacks on and contagious failures of smart contracts assuming a tree-stars topology of smart contracts and their users. By focusing on network topologies where cyclesare not allowed and by imposing, based on percolation theory, parsimonious contagion processes onsuch networks, coupled with the introduction of a topology of costs, we distinguish four differentuse cases or scenarios. Based on them, we robustly reduce the complexity of smart contract risk The simulation results for scenario 2 and scenario 4 are available on request.4
Petar Jevti´c and Nicolas Lanchier phenomena and allow for its effective modeling and loss distribution characterization. From amodeling standpoint, we allow for the dynamic nature of smart contracts and their users’ topology,as well as temporal uncertainty of costs both for smart contracts and users, which is captured usingrandom variables with various distributions. Within a rigorous mathematical framework throughprobabilistic analysis, we characterize the mean and variance, which are the main aspects of theloss distribution of smart contract risk. Because smart contract risk may represent a significantemerging liability for platform providers, companies and individuals which adopt this technology,our work can prove to be of considerable value to decision-makers while simultaneously supportingthe penetration of this nascent technology in the economy, and thus unleashing its new potentials.There are two immediate opportunities for further research following this work. First, modelingsmart contract risk in a general star-fully connected graph, to account for loops in call graphs.Second, modeling a collection (or ecosystem) of smart contracts with random interconnections, inorder to ultimately characterize the aggregate risk smart contract platform providers can face.
4. Proofs
In this subsection, we prove Theorem 2 which shows how the mean and variance of the total lossrelate to the mean and variance of the number S + of smart contracts being compromised. In thissection and the next ones, we will repeatedly use that S ( A ) = X y ∈ A ζ ( y ) and C ( A ) = X y ∈ A b C y ζ ( y ) for all A ⊂ V where ζ : V → { , } is the function ζ ( y ) = { vertex y is compromised } = { y ∈ C ( O ) } . First, we compute the conditional mean and variance of the loss restricted to a smart contract andits users, given that the contagion starts from this smart contract, which corresponds to the secondset of equations in the theorem.
Lemma 6 – For all x ∈ V + , E x ( C x ) = E ( C ) = E ( b C + ) + qµ − E ( b C − )Var x ( C x ) = Var ( C ) = Var( b C + ) + ( σ − − µ − )( qE ( b C − )) + qµ − E (( b C − ) ) . Proof.
To begin with, we write C x = C ( V − ( x )) = X y ∈ V − ( x ) b C y ζ ( y ) = b C x ζ ( x ) + X y ∈ V − ( x ) \{ x } b C y ζ ( y ) . (4)Note also that, given that the contagion starts at smart contract x ∈ V + , each of the users of thiscontract, say y , is compromised with probability q , therefore ζ ( y ) = Bernoulli ( p ) whenever O = x ∈ V + and y ∈ V − ( x ) \ { x } . (5) ercolation framework for the loss distribution of smart contract risks Using (4) and (5), and conditioning on Z x = card ( V − ( x ) \ { x } ), E x ( C x | Z x ) = E x ( b C x ζ ( x )) + Z x E x ( b C y ζ ( y )) = E ( b C + ) + Z x qE ( b C − ) (6)while using also independence,Var x ( C x | Z x ) = Var x ( b C x ζ ( x )) + Z x Var x ( b C y ζ ( y ))= Var( b C x ) + Z x (cid:2) E ( b C y ) E x ( ζ ( y ) ) − ( E ( b C y ) E x ( ζ ( y ))) (cid:3) = Var( b C + ) + Z x (cid:2) qE (( b C − ) ) − ( qE ( b C − )) (cid:3) . (7)Taking the expected value in (6) gives E x ( C x ) = E ( E x ( C x | Z x )) = E ( E ( b C + ) + qZ x E ( b C − ))= E ( b C + ) + qE ( X − ) E ( b C − ) = E ( b C + ) + qµ − E ( b C − ) , which proves the first part of the lemma. Using the law of total variance and adding the expectedvalue of (7) and the variance of (6), we also getVar x ( C x ) = E (Var x ( C x | Z x )) + Var( E x ( C x | Z x ))= Var( b C + ) + E ( X − ) (cid:2) qE (( b C − ) ) − ( qE ( b C − )) (cid:3) + Var( X − )( qE ( b C − )) = Var( b C + ) + µ − (cid:2) qE (( b C − ) ) − ( qE ( b C − )) (cid:3) + σ − ( qE ( b C − )) = Var( b C + ) + ( σ − − µ − )( qE ( b C − )) + qµ − E (( b C − ) ) , which proves the second part of the lemma. (cid:3) We now show how the mean and variance of the total loss across the network relate to the mean andvariance of the number of compromised smart contracts, and the mean and variance in Lemma 6,which corresponds to the first set of equations in the theorem.
Lemma 7 – For all x ∈ V + , E x ( C ) = E x ( S + ) E ( C )Var x ( C ) = E x ( S + ) Var ( C ) + Var x ( S + )( E ( C )) . Proof.
Due to the independence of the state (open or closed) of the edges, and the independenceof the local costs attached to the vertices, we have E x ( C | S + ) = S + E ( C ) and Var x ( C | S + ) = S + Var ( C ) (8)The first equation in (8) implies that E x ( C ) = E x ( E x ( C | S + )) = E x ( S + ) E ( C )while using also the second equation in (8) and the law of total variance,Var x ( C ) = E x (Var x ( C | S + )) + Var x ( E x ( C | S + ))= E x ( S + Var ( C )) + Var x ( S + E ( C ))= E x ( S + ) Var ( C ) + Var x ( S + )( E ( C )) . This completes the proof. (cid:3)
Theorem 2 is a direct consequence of Lemmas 6 and 7. Petar Jevti´c and Nicolas Lanchier
This subsection deals with scenario 2 where the contagion starts from one of the users of theroot chosen uniformly at random. This user compromises the system and the relevant loss is thecumulative cost of all the compromised vertices, except for the originator. To begin with, we provethe theorem when the contagion starts from a deterministic vertex x who is a user of the smartcontract at the root. The main idea is to condition on whether(0 , x ) = edge connecting the root 0 and user x ∈ V − (0) \ { } is open or closed in order to derive a relationship between the mean and variance of the loss whenthe contagion starts from x and their counterparts when the contagion starts from the root, forwhich an explicit expression is known from Theorem 3. Lemma 8 – For all x ∈ V − (0) \ { } , E ( C − C ( { x } )) = µ − qE ( b C − ) . Proof.
Because the loss C ( { x } ) = 0 whenever edge e = (0 , x ) is closed and the contagion startsat the root, and that edge e is open with probability q , E ( C − C ( { x } )) = E ( C ) − E ( C ( { x } ) | ξ ( e ) = 1) P ( ξ ( e ) = 1)= E ( C ) − qE ( b C − ) = µ − qE ( b C − ) . This completes the proof. (cid:3)
We now prove a weak version of the first part of Theorem 4 with the contagion starting froma specific user of the root rather than a user chosen uniformly at random.
Lemma 9 – For all x ∈ V − (0) \ { } , E x ( C − C ( { x } )) = q ( E ( C ) − qE ( b C − )) . Proof.
Because C − C ( { x } ) = 0 when e = (0 , x ) is closed, E x ( C − C ( { x } ) | ξ ( e )) = E x ( C − C { x } | ξ ( e ) = 1) { ξ ( e ) = 1 } = E ( C − C ( { x } )) ξ ( e ) . (9)Taking the expected value and applying Lemma 8, we conclude E x ( C − C ( { x } )) = E x ( E x ( C − C ( { x } ) | ξ ( e ))) = E ( C − C ( { x } )) E x ( ξ ( e ))= qE ( C − C ( { x } )) = q ( E ( C ) − qE ( b C − )) = q ( µ − qE ( b C − )) . This completes the proof. (cid:3)
We now study the variance of the loss.
Lemma 10 – For all x ∈ V − (0) \ { } , Var ( C − C ( { x } )) = σ − q (1 − q )( E ( b C − )) . ercolation framework for the loss distribution of smart contract risks Proof.
Let y ∈ V , y = x . Because the unique self-avoiding path connecting x and y goes throughthe root, given that the contagion starts from the root, the events that x gets compromised andthat y gets compromised are independent. This implies thatcov ( ζ ( x ) , ζ ( y )) = 0 for all y = x. Since in addition the b C z are independent,cov ( C, C ( { x } )) = X y ∈ V cov ( b C y ζ ( y ) , b C x ζ ( x )) = Var ( b C x ζ ( x )) . Using also that ζ ( x ) = Bernoulli ( q ) when the contagion starts at the root,Var ( C − C ( { x } )) = Var ( C ) + Var ( C ( { x } )) − ( C, C ( { x } ))= σ + Var ( b C x ζ ( x )) − ( b C x ζ ( x ))= σ − q (1 − q )( E ( b C x )) . Recalling that b C x = b C − in distribution, the result follows. (cid:3) Lemma 11 – For all x ∈ V − (0) \ { } , Var x ( C − C ( { x } )) = qσ + q (1 − q )(( µ − qE ( b C − )) − qE ( b C − )) ) . Proof.
As in the proof of Lemma 9, letting e = (0 , x ),Var x ( C − C ( { x } ) | ξ ( e )) = Var x ( C − C { x } | ξ ( e ) = 1) { ξ ( e ) = 1 } = Var ( C − C ( { x } )) ξ ( e ) . (10)Using (9) and (10), and the law of total variance, we getVar x ( C − C ( { x } )) = E x (Var x ( C − C ( { x } ) | ξ ( e )))+ Var x ( E x ( C − C ( { x } ) | ξ ( e )))= Var ( C − C ( { x } )) E x ( ξ ( e ))+ ( E ( C − C ( { x } ))) Var x ( ξ ( e ))= q Var ( C − C ( { x } )) + q (1 − q )( E ( C − C ( { x } ))) . Then, applying Lemmas 8 and 10, we conclude thatVar x ( C − C ( { x } )) = q ( σ − q (1 − q )( E ( b C − )) ) + q (1 − q )( µ − qE ( b C − )) = qσ + q (1 − q )(( µ − qE ( b C − )) − qE ( b C − )) ) . This completes the proof. (cid:3)
Because the expressions of the mean and variance given in Lemmas 9 and 11 are constant across allpossible choices of the user x of the smart contract at the root, the two lemmas hold more generallywhen the origin of the contagion is chosen uniformly at random from the set of all users of the root,a general result proved in the next lemma for any random variable. Petar Jevti´c and Nicolas Lanchier
Lemma 12 – Let X be any random variable such that E x ( X ) = µ and Var x ( X ) = σ for all x ∈ V − (0) \ { } . Then E − ( X ) = µ and Var − ( X ) = σ . Proof.
Let G = ( V, E ) be a realization of the random graph, and let n be the number of users ofthe root for this realization. Observe that E ( X | O ) = X x E ( X | O = x ) {O = x } = X x E x ( X ) {O = x } Var( X | O ) = X x Var( X | O = x ) {O = x } = X x Var x ( X ) {O = x } (11)where the sums are over the set V − (0) \ { } . Then, E − ( X ) = E − ( E ( X | O )) = X x E x ( X ) P − ( O = x )= µ X x P − ( O = x ) = µ. Similarly, taking the mean in the second equation in (11) gives E − (Var( X | O )) = X x Var x ( X ) P − ( O = x )= σ X x P − ( O = x ) = σ . (12)Also, using that the covariance iscov − ( E x ( X ) {O = x } , E y ( X ) {O = y } )= µ ( P − ( O = x, O = y ) − P − ( O = x ) P − ( O = y ))= µ ( P − ( O = x ) { x = y } − P − ( O = x ) P − ( O = y )) , taking the variance in the first equation in (11) givesVar − ( E ( X | O )) = X x (cid:18) µ n (cid:19) − X x,y (cid:18) µ n (cid:19) = µ − µ = 0 . (13)Using (12) and (13), and the law of total variance, we getVar − ( X ) = E − (Var( X | O )) + Var − ( E ( X | O )) = σ . This completes the proof. (cid:3)
The theorem directly follows from Lemmas 9, 11, and 12. ercolation framework for the loss distribution of smart contract risks Recall that, in scenarios 3 and 4, the contagion starts from a vertex outside V − (0), in which case theloss we are interested in is the cumulative loss C of the smart contract at the root and the usersof this smart contract. The starting point and common idea behind the proof of all the statementsin Theorem 5 is the following: for all vertices x ∈ V \ V − (0) and y ∈ V − (0) , the unique self-avoiding path connecting x and y must go through the root. This implies that, whenthe contagion starts from vertex x , the loss C = 0 only if the root gets compromised. In particular,the conditional expected loss in both scenarios reduces to E ± ( C | ζ (0)) = E ± ( C | ζ (0) = 0)(1 − ζ (0)) + E ± ( C | ζ (0) = 1) ζ (0)= E ± ( C | ζ (0) = 1) ζ (0) = E ( C ) ζ (0) , (14)and similarly for the conditional variance,Var ± ( C | ζ (0)) = Var ± ( C | ζ (0) = 1) ζ (0) = Var ( C ) ζ (0) . (15)Equations (14) and (15) indicate that the mean and variance of the loss can be expressed using themean and variance of the random variable ζ (0). We now focus on scenario 3 in which the contagionstarts from a smart contract chosen uniformly at random among all the smart contracts excludingthe root. To begin with, we compute the mean of ζ (0), which is the probability of A . Lemma 13 – For X + = d + and X − = d − , E + ( ζ (0)) = P + ( A ) = p (cid:18) − ( d + p ) R − d + p (cid:19)(cid:18) − d + − d R + (cid:19) . Proof.
To simplify the notation, we introduce ψ ( d + , p ) = φ ( d + p ) φ ( d + ) where φ ( a ) = R − X r =0 a r = 1 − a R − a and denote by D = d (0 , O ) the distance between the root and the origin of the contagion. Usingthat the number of contracts at distance r from the root is d r , the probability mass function of thedistance D can be written as follows: for all r = 1 , , . . . , R , P + ( D = r ) = d r + card ( V + \ { } ) = d r + d + + d + · · · + d R + = d r − φ ( d + ) . (16)Note also that, given that the contagion starts at x ∈ V + , the root gets compromised if and only ifthe unique self-avoiding path from x to the root is open. Because this path has d (0 , x ) edges andthose edges are independently open with probability p , we get P + ( A | D = r ) = P + ( ζ (0) = 1 | D = r ) = p r . (17) Petar Jevti´c and Nicolas Lanchier
Combining (16) and (17), we deduce that P + ( A ) = R X r =1 d r − p r φ ( d + ) = pφ ( d + ) R − X r =0 d r + p r = p φ ( d + p ) φ ( d + ) = p ψ ( d + , p ) . Recalling the definition of φ and ψ , the lemma follows. (cid:3) The next natural step is to compute the variance of ζ (0). To do so, we will use the followingpreliminary result about the covariance. Lemma 14 – For all r, s = 1 , , . . . , R , cov + ( { D = r } , { D = s } ) = d r − φ ( d + ) (cid:18) { r = s } − d s − φ ( d + ) (cid:19) . Proof.
Observing thatcov + ( { D = r } , { D = s } ) = P + ( D = r, D = s ) − P + ( D = r ) P + ( D = s )= P + ( D = r ) ( { r = s } − P + ( D = s ))and recalling from (16) that P + ( D = r ) = d r − /φ ( d + ) give the result. (cid:3) Lemma 15 – For X + = d + and X − = d − , Var + ( ζ (0)) = P + ( A ) P + ( A c ) where P + ( A ) = p (cid:18) − ( d + p ) R − d + p (cid:19)(cid:18) − d + − d R + (cid:19) . Proof.
By (17), we have ζ (0) = Bernoulli ( p r ) when D = r therefore E + ( ζ (0) | D = r ) = p r and Var + ( ζ (0) | D = r ) = p r (1 − p r ) . (18)Using Lemma 14 and the first equation in (18), we getVar + ( E + ( ζ (0) | D )) = Var + (cid:18) R X r =1 p r { D = r } (cid:19) = R X r =1 d r − p r φ ( d + ) − R X r,s =1 d r + s − p r + s ( φ ( d + )) = R X r =1 d r − p r φ ( d + ) − (cid:18) R X r =1 d r − p r φ ( d + ) (cid:19) = p φ ( d + p ) φ ( d + ) − p (cid:18) φ ( d + p ) φ ( d + ) (cid:19) = p ψ ( d + , p ) − ( P + ( A )) . (19)Using (16) and the second equation in (18), we get E + (Var + ( ζ (0) | D )) = R X r =1 p r (1 − p r ) P + ( D = r )= 1 φ ( d + ) R X r =1 p r (1 − p r ) d r − = 1 φ ( d + ) R − X r =0 (cid:0) p ( d + p ) r − p ( d + p ) r (cid:1) = p φ ( d + p ) φ ( d + ) − p φ ( d + p ) φ ( d + ) = P + ( A ) − p ψ ( d + , p ) . (20) ercolation framework for the loss distribution of smart contract risks Using the law of total variance and (19)–(20), we conclude thatVar + ( ζ (0)) = E + (Var + ( ζ (0) | D )) + Var + ( E + ( ζ (0) | D ))= P + ( A ) − ( P + ( A )) = P + ( A )(1 − P + ( A )) = P + ( A ) P + ( A c ) . This completes the proof (cid:3)
Using the previous results, we can now study the loss in scenario 3.
Lemma 16 – For X + = d + and X − = d − , µ = P + ( A ) E ( C ) σ = P + ( A )[ P + ( A c )( E ( C )) + Var ( C )] . Proof.
Taking the expected value in (14), we get µ = E + ( C ) = E + ( E + ( C | ζ (0)))= E ( C ) E + ( ζ (0)) = P + ( A ) E ( C ) . To find the variance, we take the expected value in (15) to get E + (Var + ( C | ζ (0))) = Var ( C ) E + ( ζ (0)) = P + ( A ) Var ( C ) (21)and take the variance in (14) and apply Lemma 15 to getVar + ( E + ( C | ζ (0))) = ( E ( C )) Var + ( ζ (0))= P + ( A ) P + ( A c ) ( E ( C )) . (22)Using the law of total variance and (21)–(22), we conclude that σ = Var + ( C ) = E + (Var + ( C | ζ (0))) + Var + ( E + ( C | ζ (0)))= P + ( A ) Var ( C ) + P + ( A ) P + ( A c ) ( E ( C )) = P + ( A ) (cid:2) P + ( A c )( E ( C )) + Var ( C ) (cid:3) . This completes the proof. (cid:3)
Finally, we deal with scenario 4 in which the contagion starts from a vertex chosen uniformlyat random from the set of users excluding the users of the root contract. As previously, we start bycomputing the expected value of ζ (0), which is the probability of A . Lemma 17 – For X + = d + and X − = d − , E − ( ζ (0)) = P − ( A ) = qP + ( A ) = pq (cid:18) − ( d + p ) R − d + p (cid:19)(cid:18) − d + − d R + (cid:19) . Proof.
Because X − = d − , all the contracts have the same number of users, from which it followsthat the distance D in scenarios 3 and 4 are related as follows: P − ( D = r + 1) = P + ( D = r ) for all r = 1 , , . . . , R. (23) Petar Jevti´c and Nicolas Lanchier
In addition, for all x ∈ V − , the unique self-avoiding path from x to the root has d (0 , x ) − E + and one edge in the subset E − therefore P − ( A | D = r + 1) = p r q = qP + ( A | D = r ) . (24)Combining (23) and (24), we conclude that P − ( A ) = R X r =1 P − ( A | D = r + 1) P − ( D = r + 1)= R X r =1 qP + ( A | D = r ) P + ( D = r ) = qP + ( A ) , and the proof is complete. (cid:3) Using (23), and repeating the proof of Lemma 14, givecov − ( { D = r + 1 } , { D = s + 1 } ) = cov + ( { D = r } , { D = s } ) . (25)It also follows from (24) that ζ (0) = Bernoulli ( p r q ) when D = r + 1 so E − ( ζ (0) | D = r + 1) = p r q Var − ( ζ (0) | D = r + 1) = p r q (1 − p r q ) . (26)Repeating the proof of Lemma 15 using (25), and (26) in place of (18),Var + ( ζ (0)) = qP + ( A )(1 − qP + ( A ))= P − ( A )(1 − P − ( A )) = P − ( A ) P − ( A c ) . (27)Finally, using (14) and (15) like in the proof of Lemma 16, together with (27), we get the meanand variance given in the second part of Theorem 5. Acknowledgments
This work is partially supported by the NSF grant ercolation framework for the loss distribution of smart contract risks References [1] Nicola Atzei, Massimo Bartoletti, and Tiziana Cimoli. A survey of attacks on ethereum smartcontracts (sok). In
Principles of Security and Trust , pages 164–186. Springer, 2017.[2] S. R. Broadbent and J. M. Hammersley. Percolation processes. I. Crystals and mazes.
Proc.Cambridge Philos. Soc. , 53:629–641, 1957.[3] Ting Chen, Xiaoqi Li, Xiapu Luo, and Xiaosong Zhang. Under-optimized smart contractsdevour your money. In
Software Analysis, Evolution and Reengineering (SANER), 2017 IEEE24th International Conference on , pages 442–446. IEEE, 2017.[4] Paul Embrechts. Actuarial versus financial pricing of insurance.
The Journal of Risk Finance ,1(4):17–26, 2000.[5] M Frowis and R Bohme. In code we trust?: Measuring the control flow immutability of allsmart contracts deployed on ethereum.
LNCS , 10436:357–372, 2017.[6] G. R. Grimmett.
Percolation . Springer-Verlag, New York, 1989.[7] Ilya Grishchenko, Matteo Maffei, and Clara Schneidewind. A semantic framework for thesecurity analysis of ethereum smart contracts. In
International Conference on Principles ofSecurity and Trust , pages 243–269. Springer, 2018.[8] Marco Iansiti and Karim R Lakhani. The truth about blockchain.
Harvard Business Review ,95(1):118–127, 2017.[9] CB Insights. Banking is only the start: 20 big industries where blockchain could be used.
CBInsights , 25, 2016.[10] Petar Jevti´c and Nicolas Lanchier. Dynamic structural percolation model of loss distributionfor cyber risk of small and medium-sized enterprises for tree-based LAN topology.
InsuranceMath. Econom. , 91:209–223, 2020.[11] Rob Kaas, Marc Goovaerts, Jan Dhaene, and Michel Denuit.
Modern actuarial risk theory:using R , volume 128. Springer Science & Business Media, 2008.[12] Sukrit Kalra, Seep Goel, Mohan Dhawan, and Subodh Sharma. Zeus: Analyzing safety ofsmart contracts. NDSS, 2018.[13] Nicolas Lanchier.
Stochastic modeling . Springer, 2017.[14] Yuval Marcus, Ethan Heilman, and Sharon Goldberg. Low-resource eclipse attacks onethereum’s peer-to-peer network.
IACR Cryptology ePrint Archive , 2018:236, 2018.[15] Muhammad Izhar Mehar, Charles Louis Shier, Alana Giambattista, Elgar Gong, GabrielleFletcher, Ryan Sanayhie, Henry M Kim, and Marek Laskowski. Understanding a revolutionaryand flawed grand experiment in blockchain: The dao attack.
Journal of Cases on InformationTechnology (JCIT) , 21(1):19–32, 2019.[16] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. 2008.[17] Ivica Nikoli´c, Aashish Kolluri, Ilya Sergey, Prateek Saxena, and Aquinas Hobor. Finding thegreedy, prodigal, and suicidal contracts at scale. In
Proceedings of the 34th Annual ComputerSecurity Applications Conference , pages 653–663, 2018.[18] Barbara G Ryder. Constructing the call graph of a program.
IEEE Transactions on SoftwareEngineering , (3):216–226, 1979.[19] Pavel V Shevchenko.
Modelling operational risk using Bayesian inference . Springer Science &Business Media, 2011.[20] Deep Shift. Technology tipping points and societal impact. In
World Economic Forum SurveyReport , 2015. Petar Jevti´c and Nicolas Lanchier [21] David Shrier, Weige Wu, and Alex Pentland. Blockchain & infrastructure (identity, datasecurity).
Massachusetts Institute of Technology-Connection Science , 1(3), 2016.[22] Melanie Swan.
Blockchain: Blueprint for a new economy . ” O’Reilly Media, Inc.”, 2015.[23] Nick Szabo. Smart contracts: building blocks for digital markets.
EXTROPY: The Journal ofTranshumanist Thought,(16) , 1996.[24] Sergei Tikhomirov, Ekaterina Voskresenskaya, Ivan Ivanitskiy, Ramil Takhaviev, EvgenyMarchenko, and Yaroslav Alexandrov. Smartcheck: Static analysis of ethereum smart con-tracts. 2018.[25] Mark Van Rijmenam and Philippa Ryan.
Blockchain: Transforming Your Business and OurWorld . Routledge, 2018.
School of Mathematical and Statistical SciencesArizona State UniversityTempe, AZ 85287, [email protected]@asu.edu e r c o l a t i o n f r a m e w o r k f o r t h e l o ss d i s t r i b u t i o n o f s m a r t c o n t r a c t r i s k s Analytical Results Simulation Results
Number of simulations: 10000000.
Expectation Deviation Expectation Deviation
Contagion scenario: [ Q , Q , Q , Q ] = [1 . , . , . , . of Loss of Loss of Loss of LossCost Smart contracts Users Contagion Topology [ p , p , p ] [ q , q , q , q , q ] ( p, q ) E [ L t ] p Var[ L t ] E [ L t ] p Var[ L t ][0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.8,0.8) 68112.00 21666.32 68103.05 21668.17[0.0,0.0,1.0] [0.0,0.1,0.2,0.3,0.4] (0.8,0.8) 63984.00 20423.47 63986.51 20429.11[0.0,0.4,0.6] [0.0,0.0,0.0,0.0,1.0] (0.8,0.8) 51722.88 21560.68 51729.05 21564.09[0.0,0.4,0.6] [0.0,0.1,0.2,0.3,0.4] (0.8,0.8) 48588.16 20307.61 48589.85 20304.28[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.8,0.2) 55728.00 17757.75 55726.09 17764.73[0.0,0.0,1.0] [0.0,0.1,0.2,0.3,0.4] (0.8,0.2) 54696.00 17414.61 54695.96 17412.82[0.0,0.4,0.6] [0.0,0.0,0.0,0.0,1.0] (0.8,0.2) 42318.72 17664.04 42308.19 17666.34[0.0,0.4,0.6] [0.0,0.1,0.2,0.3,0.4] (0.8,0.2) 41535.04 17326.01 41532.69 17326.06 I [0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.2,0.8) 20592.00 11514.53 20590.19 11514.84[0.0,0.0,1.0] [0.0,0.1,0.2,0.3,0.4] (0.2,0.8) 19344.00 10856.65 19340.23 10853.55[0.0,0.4,0.6] [0.0,0.0,0.0,0.0,1.0] (0.2,0.8) 18775.68 9816.03 18779.33 9820.13[0.0,0.4,0.6] [0.0,0.1,0.2,0.3,0.4] (0.2,0.8) 17637.76 9263.84 17638.57 9260.89[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.2,0.2) 16848.00 9438.48 16848.34 9437.55[0.0,0.0,1.0] [0.0,0.1,0.2,0.3,0.4] (0.2,0.2) 16536.00 9255.56 16535.89 9257.05[0.0,0.4,0.6] [0.0,0.0,0.0,0.0,1.0] (0.2,0.2) 15361.92 8050.01 15365.43 8055.28[0.0,0.4,0.6] [0.0,0.1,0.2,0.3,0.4] (0.2,0.2) 15077.44 7892.24 15077.99 7893.62[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.8,0.8) 68112.00 24462.81 68099.27 24461.01[0.0,0.0,1.0] [0.0,0.1,0.2,0.3,0.4] (0.8,0.8) 63984.00 23369.17 63964.57 23373.77[0.0,0.4,0.6] [0.0,0.0,0.0,0.0,1.0] (0.8,0.8) 51722.88 23723.89 51731.94 23722.85[0.0,0.4,0.6] [0.0,0.1,0.2,0.3,0.4] (0.8,0.8) 48588.16 22591.12 48592.92 22584.33[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.8,0.2) 55728.00 21079.32 55729.30 21082.61[0.0,0.0,1.0] [0.0,0.1,0.2,0.3,0.4] (0.8,0.2) 54696.00 20791.07 54694.60 20789.54[0.0,0.4,0.6] [0.0,0.0,0.0,0.0,1.0] (0.8,0.2) 42318.72 20247.92 42319.76 20247.80[0.0,0.4,0.6] [0.0,0.1,0.2,0.3,0.4] (0.8,0.2) 41535.04 19953.72 41533.41 19953.31 II [0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.2,0.8) 20592.00 13099.02 20588.87 13099.83[0.0,0.0,1.0] [0.0,0.1,0.2,0.3,0.4] (0.2,0.8) 19344.00 12524.65 19340.46 12525.41[0.0,0.4,0.6] [0.0,0.0,0.0,0.0,1.0] (0.2,0.8) 18775.68 11485.40 18769.41 11478.62[0.0,0.4,0.6] [0.0,0.1,0.2,0.3,0.4] (0.2,0.8) 17637.76 11017.20 17640.30 11023.83[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.2,0.2) 16848.00 11317.46 16848.22 11314.42[0.0,0.0,1.0] [0.0,0.1,0.2,0.3,0.4] (0.2,0.2) 16536.00 11165.37 16537.00 11164.44[0.0,0.4,0.6] [0.0,0.0,0.0,0.0,1.0] (0.2,0.2) 15361.92 10018.12 15366.09 10021.09[0.0,0.4,0.6] [0.0,0.1,0.2,0.3,0.4] (0.2,0.2) 15077.44 9891.79 15078.96 9894.34[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.8,0.8) 68112.00 21666.32 68112.36 21757.41[0.0,0.0,1.0] [0.0,0.1,0.2,0.3,0.4] (0.8,0.8) 63984.00 20423.47 63989.54 20492.10[0.0,0.4,0.6] [0.0,0.0,0.0,0.0,1.0] (0.8,0.8) 51722.88 21560.68 51716.16 21634.02[0.0,0.4,0.6] [0.0,0.1,0.2,0.3,0.4] (0.8,0.8) 48588.16 20307.61 48579.16 20368.48[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.8,0.2) 55728.00 17757.75 55731.34 17786.87[0.0,0.0,1.0] [0.0,0.1,0.2,0.3,0.4] (0.8,0.2) 54696.00 17414.61 54692.31 17438.72[0.0,0.4,0.6] [0.0,0.0,0.0,0.0,1.0] (0.8,0.2) 42318.72 17664.04 42317.99 17686.78[0.0,0.4,0.6] [0.0,0.1,0.2,0.3,0.4] (0.8,0.2) 41535.04 17326.01 41537.19 17338.98 III [0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.2,0.8) 20592.00 11514.53 20591.05 11567.02[0.0,0.0,1.0] [0.0,0.1,0.2,0.3,0.4] (0.2,0.8) 19344.00 10856.65 19345.33 10903.39[0.0,0.4,0.6] [0.0,0.0,0.0,0.0,1.0] (0.2,0.8) 18775.68 9816.03 18774.70 9875.13[0.0,0.4,0.6] [0.0,0.1,0.2,0.3,0.4] (0.2,0.8) 17637.76 9263.84 17636.26 9308.82[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.2,0.2) 16848.00 9438.48 16844.12 9452.76[0.0,0.0,1.0] [0.0,0.1,0.2,0.3,0.4] (0.2,0.2) 16536.00 9255.56 16533.49 9265.07[0.0,0.4,0.6] [0.0,0.0,0.0,0.0,1.0] (0.2,0.2) 15361.92 8050.01 15356.57 8062.96[0.0,0.4,0.6] [0.0,0.1,0.2,0.3,0.4] (0.2,0.2) 15077.44 7892.24 15076.54 7904.62
Table 2 . The analytically calculated and simulation based first and second moments of loss distribution for smart contract risk. The contagion scenariounder consideration is scenario 1. The cost topologies I, II, and III are investigated. Simulation based results are achieved with 10 million simulationscenarios. The t = 1 and λ = 1 are assumed. P e t a r J ev t i ´ c a n d N i c o l a s L a n c h i e r Analytically Calculated Premium Simulation Based Premium
Number of simulations: 10000000.
Expectation Deviation Expectation Deviation
Contagion scenario: [ Q , Q , Q , Q ] = [1 . , . , . , . of Loss of Loss of Loss of LossCost Smart contracts Users Contagion Topology [ p , p , p ] [ q , q , q , q , q ] ( p, q ) E [ L t ] p Var[ L t ] E [ L t ] p Var[ L t ][0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.8,0.8) 9152.00 6122.99 9151.82 6122.94 I [0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.8,0.2) 7488.00 5024.34 7487.80 5023.78[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.2,0.8) 1232.00 3847.64 1231.56 3847.14[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.2,0.2) 1008.00 3151.20 1008.40 3151.87[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.8,0.8) 9152.00 7404.35 9151.30 7404.43 II [0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.8,0.2) 7488.00 6525.13 7486.59 6524.63[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.2,0.8) 1232.00 4139.76 1229.37 4133.33[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.2,0.2) 1008.00 3501.91 1007.76 3500.73[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.8,0.8) 9152.00 6168.12 9152.88 6168.27 III [0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.8,0.2) 7488.00 5038.12 7490.12 5036.94[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.2,0.8) 1232.00 3857.33 1232.50 3857.91[0.0,0.0,1.0] [0.0,0.0,0.0,0.0,1.0] (0.2,0.2) 1008.00 3154.16 1007.68 3153.85
Table 3 . The analytically calculated and simulation based first and second moments of loss distribution for smart contract risk. The contagion scenariounder consideration is scenario 3. The cost topologies I, II, and III are investigated. Simulation based results are achieved with 10 million simulationscenarios. Only deterministic graph structure is considered. The t = 1 and λ = 1= 1