Table of contents
- What a smart contract is
- How execution works on Ethereum
- Core properties and trade-offs
- Token standards that power Web3
- Oracles and the “oracle problem”
- Common use cases in 2025
- Security pitfalls and best practices
- Upgrades and proxy patterns
- Fees and scaling with rollups
- Account abstraction and smart-contract wallets
- Getting started
- FAQs
What a smart contract is
A smart contract is program code plus state stored at an on-chain address; when a transaction calls it, every node executes that code to reach the same result. In Ethereum’s docs: “a program that runs on the Ethereum blockchain,” holding functions and data at a specific address. This idea traces to Nick Szabo’s 1990s vision of computerized transaction protocols that enforce agreements.
How execution works on Ethereum
Smart contracts run inside the Ethereum Virtual Machine (EVM). Calls are deterministic, so identical inputs produce identical outputs across all nodes. Users pay gas (quoted in gwei) for compute and storage during execution, and gas is required whether you deploy, call functions, or mint tokens.
Contracts live at addresses and are invoked by transactions sent from externally owned accounts (EOAs) or by other contracts. EOAs are controlled by private keys; contract accounts are controlled by code. Events/logs emitted during execution are indexed for off-chain consumption by apps and indexers.
Core properties and trade-offs
Smart contracts are transparent, programmable, and composable, but they are also unforgiving: public/external functions can be called by anyone, and mistakes are permanent. While a contract’s bytecode at an address is immutable, developers can design systems that route through upgradeable proxies, which introduces flexibility but adds trust and complexity. Thorough testing is strongly recommended before deployment.
Token standards that power Web3
- ERC-20 defines a common interface for fungible tokens used across DeFi and exchanges.
- ERC-721 defines non-fungible tokens (NFTs) representing unique assets.
- ERC-1155 is a multi-token standard that lets one contract manage many token types (fungible, non-fungible, semi-fungible) with efficient batch operations.
Oracles and the “oracle problem”
Blockchains cannot directly fetch external data, so contracts need oracles to bridge off-chain information such as prices, weather, or web APIs. This architectural gap is known as the oracle problem; oracle networks like Chainlink deliver verified data and off-chain computation to contracts.
Common use cases in 2025
Smart contracts underpin decentralized exchanges, lending markets, stablecoins, DAOs, NFTs, and more. Token transfers, swaps, lending/borrowing logic, and governance voting are all executed by contracts, while front-ends and wallets call those contracts via standard ABIs and events.
Security pitfalls and best practices
Reentrancy is a classic vulnerability in which external calls re-enter a function before state updates complete—the issue behind 2016’s DAO exploit. Defenses include the checks-effects-interactions (CEI) pattern and using guards like OpenZeppelin’s ReentrancyGuard. Additional patterns include “pull payments” and pausing mechanisms for emergencies.
Other recurring risks include unchecked external calls, integer mistakes, improper authorization, and unsafe upgrade logic. Formal verification and symbolic execution tools are increasingly used alongside audits and bug bounties.
Upgrades and proxy patterns
Although code at a deployed address cannot be altered, systems can be made upgradeable by separating storage and logic via proxies. Popular approaches include Transparent and UUPS proxies; OpenZeppelin maintains audited implementations and upgrade tooling. Use upgrades carefully as they introduce new trust assumptions.
Fees and scaling with rollups
Gas can be substantial on Layer 1, so many apps use Layer-2 rollups. Optimistic and ZK rollups move execution off-chain while posting data/proofs to Ethereum, reducing fees and increasing throughput while inheriting L1 security properties.
Account abstraction and smart-contract wallets
Account abstraction lets wallets be smart contracts with custom validation and features like passkeys, social recovery, batched actions, and sponsor-paid gas. ERC-4337 enables this without changing the base protocol by introducing UserOperation objects, an EntryPoint contract, and a decentralized bundler mempool.
Getting started
- Learn Solidity basics and deploy a simple contract in a test environment with tutorials and Remix/Hardhat examples.
- Explore OpenZeppelin’s Contracts Wizard and libraries to implement standard tokens and security patterns.
- Before mainnet, write unit/integration tests, run static analyzers, consider audits/bug bounties, and design a cautious upgrade plan if you need upgradeability.
FAQs
What languages are used to write smart contracts on Ethereum?
Most contracts are written in Solidity; Vyper and other languages exist for specific use cases. They compile to EVM bytecode executed by nodes.
Why do I pay gas for calling a contract?
Gas compensates validators for compute and storage used by your transaction. It is quoted in gwei and applies to deployment and function calls.
Can a smart contract change after deployment?
The code at a given address is immutable, but systems can be architected with proxies that delegate calls to upgradeable logic contracts. This flexibility trades off with added complexity and trust.
How do standards like ERC-20, 721, and 1155 help?
They define interfaces that wallets, exchanges, and apps can rely on, enabling interoperability for fungible tokens, NFTs, and multi-token contracts.
What protects contracts against reentrancy?
Use the CEI pattern and purpose-built guards such as ReentrancyGuard; avoid making external calls before state updates.
Sources
- Ethereum.org smart-contract fundamentals, accounts, events, gas, security, upgrading, and scaling (rollups).
- Token standards: EIP-20 (ERC-20), EIP-721 (NFTs), EIP-1155 (multi-token), with developer explainers.
- Oracles and the oracle problem: Chainlink education and docs.
- Classic vulnerability and patterns: The DAO/reentrancy explainers; CEI and OpenZeppelin protections.
- Upgrade patterns and tooling: OpenZeppelin proxies and upgrade guides.
- Account abstraction: ERC-4337 overviews and Ethereum roadmap page.
