Smart Contracts and the EVM: How Code Becomes Money
2026-06-18
Bitcoin lets you move money. Ethereum lets you write programs that move money according to rules nobody can override, including their author. A smart contract is just code deployed to the blockchain that runs exactly as written whenever someone calls it. That is the promise and the peril: the code is the contract, bugs included.
A World Computer That Everyone Re-Runs
Smart contracts execute on the Ethereum Virtual Machine (EVM), a deterministic computer whose state is shared across the entire network. When you call a contract, every node runs the same bytecode against the same state and must reach the same result; that is how they agree on the outcome without a central server. Determinism is mandatory: no randomness, no clock, no network calls. The contract's only inputs are the transaction and the current chain state.
Gas: Paying for Computation
If anyone can run code on every node forever, an infinite loop would halt the network. Gas solves this. Every operation, whether an addition, a storage write, or a contract call, costs a defined amount of gas (some, like storage writes and cold state access, cost far more than arithmetic), and the caller pays for the total in the chain's native coin. Run out of gas and the transaction reverts, undoing all its changes, but you still pay for the work attempted. Gas both compensates validators and acts as a hard cap that makes denial-of-service economically impractical.
From Solidity to Bytecode
Developers usually write in Solidity, which compiles to EVM bytecode. A contract has persistent storage (state that survives between calls, expensive to write), functions that can read and modify it, and an address that can hold and send funds. Contracts can call other contracts, which is how complex systems (exchanges, lending markets, stablecoins) are composed like Lego from smaller pieces. This composability is Ethereum's superpower and its biggest source of risk.
Immutable by Default
Once deployed, a contract's code typically cannot be changed. That is the point: users can trust it will not be rug-pulled by an edit. But it also means bugs are permanent unless the developers planned an upgrade path (usually via a proxy pattern that introduces its own trust assumptions). "Code is law" cuts both ways.
Where Things Go Wrong
- Reentrancy: a contract calls out to another that calls back in before the first has finished updating its state, draining funds. The 2016 DAO hack (~3.6M ETH, about $50M then) was reentrancy and led to Ethereum's contentious fork.
- Integer and logic errors: a single arithmetic or access-control mistake can be fatal and unfixable.
- Oracle manipulation: contracts that read prices from a manipulable source can be tricked; this is the basis of many flash-loan attacks.
- Upgrade keys: an admin key that can change the contract reintroduces the centralized trust the system was meant to remove.
Why It Still Matters
Despite the hazards, smart contracts enable financial logic that runs without an intermediary: lending that liquidates automatically, exchanges with no operator, payments that release on a condition. Audits, formal verification, and battle-tested libraries have made the ecosystem far safer than its early years. The mental model to keep: a smart contract is a vending machine for money, utterly reliable about following its rules and utterly unforgiving if those rules are wrong.