The Hedera Smart Contract Service (HSCS) combines the third-generation Hedera native entity functionality - high throughput with fast finality, affordable and predictable fees, and fair transaction ordering - with an optimized and highly performant second-generation Ethereum Virtual Machine (EVM). Our goal is to provide full support for smart contracts written on other EVM-compatible chains and to facilitate their smooth deployment on Hedera — as simple as copy/paste. Developers should be able to simply point to a Hedera-supported RPC endpoint and carry out their smart contract executions and queries with the same code and similar tools - this is our goal for EVM equivalence
To achieve this, the ledger executes all smart contract transactions using the Besu EVM and persists the changes in the Hedera-optimized Virtual Merkle Tree state. Users are able to observe certain finality (not probabilistic finality) of smart contract executions in 2-3 seconds whiles ensuring state changes can be fully encapsulated in smart contract functionality.
Hedera Consensus Nodes must strike a delicate balance between Hedera security and EVM security models. With HSCS Security Model v1, the complexity of this challenge left gaps for which bad actors could operate. With the HCSC Security Model v2, greater clarity and additional protections have been brought to the network.
The old security model (pre 0.35.2) supported account key signatures provided at transaction time for authorization. The boundary rules could be summarized as follows
This provided a huge improvement to user experience as contracts could combine transactions in an attempt at atomicity. For instance, a contract could associate, transfer and approve transactions on a user's behalf with one signature. While focusing on usability, this approach did not address cases in which bad actors could carry out an unsanctioned transaction on behalf of a user, e.g., https://hedera.com/blog/analysis-remediation-of-the-precompile-attack-on-the-hedera-network
To address this, the core Hedera engineers thoroughly analyzed the Smart Contract Service and the HTS system contracts, aiming to secure the state and token assets of users and the network during Smart Contract executions. The results of this effort are the guidelines in Hedera Services release v0.35.2.
In the new model, account key signatures may not provide authorization for contract actions. The boundary rules can be summarized as follows
In summary, the HSCS utilizes a three-level approach:
To achieve state change or value transfer, executions must not break any of the rules of each level. Transactions that don’t satisfy the appropriate authorization will fail with response codes such as INVALID_FULL_PREFIX_SIGNATURE_FOR_PRECOMPILE when a sender is not authorized to carry out an operation. More operational-specific response codes will be returned where applicable, e.g., SPENDER_DOES_NOT_HAVE_ALLOWANCE.
INVALID_FULL_PREFIX_SIGNATURE_FOR_PRECOMPILE
SPENDER_DOES_NOT_HAVE_ALLOWANCE
To add greater clarity to the security model, it’s valuable to explore the rules of account (EOA & contract) interaction in smart contract execution.
The two illustrations below describe the context for contract executions for EOAs and contracts during regular and delegate calls. We follow how the accounts, state (storage and value balance), and code may change as you progress through the chain of calls.
In the regular call case, the call to contract B sees B’s code executed in the context of its own state, therefore allowing B to only modify B’s own state. The sender value also appropriately differs between the calls to highlight that the EOA made the 1st call and contract A made the 2nd.
In a delegate call case, the call to contract B sees B’s code executed in the context of A’s state, therefore allowing B to modify A’s state. The sender and recipient values are preserved from the 1st call as if the EOA initiated the call.
In summary, a delegate call executes the called contract's code in the context of the previous calling account, giving the code access to the previous account's state and blurring the lines of authorized state management.
Applying this to the security model changes, the following table summarizes the authorization check changes.
At the time of the change, the HTS system contract was the only pathway to expose Hedera API functionality through Smart Contracts. As such, it’s fair to consider the differences between pre and post-security model updates when observing HTS system contract state-changing functions.
v1 Model Authorization Requirement
While the changes impacts user experience requiring more explicit steps, it more than proportionately increases user and network security across the board. The team continues to push diligently to provide the community with secure and scalable API solutions to enable them to build creative dApps and carve out their own shared world on the ledger.
Open a Testnet Account
Try Examples and Tutorials
Join the Developer Discord
Read the Learning Center
Read the Hedera Blog