On May 21st, ShapeShift announced on their blog the upcoming launch of a new product called “Prism”. A Prism is supposedly an Ethereum smart contract which allows a user to gain exposure to a collection of cryptocurrencies of their choice using only the Ether token (ETH) native to the Ethereum platform.

Here’s a quick overview of how it works:

User visits the Prism website and creates an account

User enters the size of their desired investment in ETH

User configures a cryptocurrency distribution of their choice (see below)

User deposits the ETH amount to a smart contract Ethereum address designed by ShapeShift

ShapeShift deposits an equal ETH amount to the same smart contract

The deposited ETH remains within that smart contract until a point in time when the user decides to liquidate the investment

When the user liquidates their Prism, they receive the current value of their investment in ETH back to their own address

An example of a cryptocurrency distribution for a specific Prism (source).

The product is marketed as “The World’s First Trustless Asset Portfolio Platform” by ShapeShift. Specifically, their blog post states:

Prism is a platform upon which humans and machines can acquire exposure to portfolios of digital assets without trusting a counterparty.

The problem

The funds deposited to the smart contract above can be withdrawn to two different parties: either to you, or to ShapeShift. How the funds are divided up is entirely dependent on a third party you perhaps did not know about: the oracle.

Oracles exist because smart contracts do not know what the prices of assets are. The smart contract is entirely oblivious to the performance of your Prism, so it requires input from an oracle to learn that information. This means that what happens to the funds that are locked up in the contract between you and ShapeShift is decided by the oracle (which, coincidentally, is also developed by ShapeShift). To alleviate some of the obvious concerns that this raises, ShapeShift has plans to allow third-party oracles in the future.
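The dependency described above, modelled as an added example (not ShapeShift's contract code): it shows that the split of the locked ETH is a pure function of whatever prices the oracle reports. The payout rule, the cap at the locked balance, the asset names and every price are constructed assumptions.

```python
# Added illustration: a toy model of a Prism-style settlement, NOT ShapeShift's contract.
# Assumed: payout rule, cap at the locked balance, asset names and all prices (constructed).
from fractions import Fraction as F

ETH = 10**18  # wei per ETH

def portfolio_ratio(weights, entry, reported):
    """Portfolio value now relative to entry, using only oracle-reported prices."""
    if sum(weights.values()) != 1:
        raise ValueError("weights must sum to 1")
    return sum(w * reported[a] / entry[a] for a, w in weights.items())

def settle(deposit_wei, weights, entry, reported):
    """Split the locked balance between the user and ShapeShift.

    The contract has no view of any market: `reported` is the only input
    that decides the split, and it is accepted at face value.
    """
    locked = 2 * deposit_wei                  # user deposit + equal match
    owed = int(deposit_wei * portfolio_ratio(weights, entry, reported))
    to_user = max(0, min(owed, locked))       # cannot pay more than is locked
    return to_user, locked - to_user

# Constructed sample Prism: 10 ETH, prices quoted in ETH per unit.
DEPOSIT = 10 * ETH
WEIGHTS = {"BTC": F(1, 2), "XMR": F(1, 4), "DASH": F(1, 4)}
ENTRY = {"BTC": F(10), "XMR": F(1, 5), "DASH": F(1, 2)}
REPORTS = {
    "honest feed (BTC +20%)": {"BTC": F(12), "XMR": F(1, 5), "DASH": F(1, 2)},
    "feed reports zero":      {"BTC": F(0), "XMR": F(0), "DASH": F(0)},
    "feed reports BTC x10":   {"BTC": F(100), "XMR": F(1, 5), "DASH": F(1, 2)},
}

def run_scenarios():
    """Same contract logic, same deposits; only the oracle report differs."""
    return {name: settle(DEPOSIT, WEIGHTS, ENTRY, rep) for name, rep in REPORTS.items()}

if __name__ == "__main__":
    for name, (user, shapeshift) in run_scenarios().items():
        print(f"{name:24} user={user / ETH:5.1f} ETH  ShapeShift={shapeshift / ETH:5.1f} ETH")
```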

In the best case scenario, the counterparty of your Prism is ShapeShift plus a third-party oracle. That means you stand to lose your investment only if both ShapeShift and the oracle are hacked. This is concerning, given that ShapeShift was hacked just last year as a part of an inside job.

Having multiple entities as your counterparty is certainly not the same as having no counterparty risk, which is what ShapeShift suggests. In fact, the security model of a smart contract where the counterparty consists of ShapeShift and an oracle is entirely equivalent to a regular 2-out-of-3 multi-signature wallet security setup. That setup was employed by Bitfinex using BitGo during one of the largest exchange hacks the industry has ever seen (1, 2), which resulted in the loss of over US$60m in customer funds. And yes, these funds were all withdrawn from user-specific wallets one by one (i.e. it doesn’t matter if the funds are all in a single wallet or distributed over thousands of smart contracts if the attack vector is the same for each one).

There have been several attempts to restrict oracles’ ability to tamper with the data fetched from the data sources. The most notable effort is Oraclize, which leverages TLSNotary proofs as well as SafetyNet, a software remote attestation technology developed by Google. These technologies can provide users with certain security guarantees that the oracle is fetching untampered data from the source, but no technology can possibly eliminate the risk that the source itself is corrupted. That means that there is an inescapable trust element on which the entire security model relies, which arguably makes Prism the very opposite of trustless, regardless of the use of smart contracts.

Conclusion

Do not let the complexity of smart contracts fool you. Smart contracts are not magical. Usage of smart contracts doesn’t make your product automatically trustless, just as saying blockchain 3 times fast doesn’t make your databases immutable. In this instance, the smart contract setup provides the same security model as if you had left your funds on an exchange that employs the 2-out-of-3 multi-signature scheme Bitfinex used in 2016 (although with the stated goal of eventually allowing you to choose from a wider variety of third-party signers than just BitGo). Instead, in this case, the magical benefits of using smart contracts are the following: