Get Ready for the Updated Security Model of the Hedera Smart Contract Service by July 2023

May 04, 2023, by Ed Marquez, Head of Developer Relations

What is the change?

After the security incident of March 2023, core Hedera engineers conducted a thorough analysis of the Smart Contract Service and the Hedera Token Service system contracts. No new vulnerabilities were found, but the team looked for any behavioral differences between Hedera Token Service system contract APIs and those of Ethereum Virtual Machine (EVM) or ERC token APIs that could be used maliciously. To eliminate any possibility of such differences being used as attack vectors in the future, the consensus node software will align the behaviors of the Hedera Smart Contract Service and HTS system contracts with those of EVM and typical token APIs such as ERC 20 and ERC 721.

As a developer on Hedera, what should I do?

Developers are strongly encouraged to test their applications with new contracts and UX using the new security model to avoid unintended consequences. The new security model has been applied to contracts created from the mainnet 0.35.2 release onwards. Existing contracts deployed prior to this upgrade will continue to use the previous security model for a limited time to allow for application/UX modifications. The previous security model will only be maintained for an approximate period of 3 months. The current target is for the network to remove the previous security model and for all contracts to follow the new security model by the mainnet release of July 2023. See more information in the official Hedera documentation.

What does the change in security model mean for smart contract developers?

The security update involves changes to entity permissions during contract executions when modifying state. In short, system contract calls (smart contract calls to the Hedera Token Service) are no longer executed with all upper caller privileges even if the authorized user provides a signature.

[Figures: After / Before]

Impact on Functionality

Below are some of the key functions impacted with the model update:

- Externally owned accounts (EOAs) and contracts must now provide explicit approval/allowance to a contract for the approved entity to be able to transfer value from that account balance.
- For functionality specific to HTS tokens (e.g. Pause, Freeze, or Grant KYC), a contract is authorized to perform the associated token management function only if the ContractId is listed as a key on the token (e.g. Pause Key, Freeze Key, or KYC Key respectively). This applies for all key structures (key list, key thresholds, etc.). Keep in mind that a contract will not be able to perform HTS management functions if the contract is not listed as a key for the token.
- Users can no longer associate their account to HTS tokens using a smart contract. Token associations can be performed using the Hedera SDKs (also see HIP-719 for an incoming alternative via ERC interface).
- While users can continue to create HTS tokens through smart contracts, only the smart contract used to create the token can be specified as the treasury account and/or auto-renew account (when enabled) for the token. A contract cannot specify another account for those fields. Note that a contract is still able to specify any public key as the manager of HTS functionality (e.g. Pause, Freeze, Grant KYC, etc.).

Additional information and guidance will continue to be provided in the following weeks. Note that testing your specific contracts is the best way to identify the actions you may need to take to align with the new security model of the Hedera Smart Contract Service.
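The impacts listed under Impact on Functionality can be used as a pre-migration check over the HTS calls a contract makes. The following is an added example, not code from Hedera or from the original post: a simplified JavaScript model in which the operation shapes, field names and all account, contract and token ids are constructed assumptions, and key structures are checked only for whether the contract is listed.

```javascript
// Added illustration: a simplified model of the rules listed above, NOT Hedera
// node code. Operation shapes, field names and all ids are constructed.
const KEY_FOR = { pause: "pauseKey", freeze: "freezeKey", grantKyc: "kycKey" };

// True if contractId appears anywhere in a key structure: a single key
// ({ contractId } or { publicKey }) or { keys: [...] } for key lists and
// threshold keys. Only listing is checked, not whether a threshold is met.
function isListed(key, contractId) {
  if (!key) return false;
  if (Array.isArray(key.keys)) return key.keys.some((k) => isListed(k, contractId));
  return key.contractId === contractId;
}

// Returns the reasons an HTS call made by op.contract fails the new model.
function audit(op, state) {
  const self = op.contract;
  if (op.kind === "transfer") {
    if (op.from === self) return []; // assumed: own balance needs no allowance
    const granted = state.allowances[`${op.from}>${self}>${op.token}`] || 0;
    return granted >= op.amount ? [] : [`${op.from} has not approved ${self} for ${op.amount}`];
  }
  if (Object.hasOwn(KEY_FOR, op.kind)) {
    const key = state.tokens[op.token][KEY_FOR[op.kind]];
    return isListed(key, self) ? [] : [`${self} is not listed in ${KEY_FOR[op.kind]}`];
  }
  if (op.kind === "associate") return ["associate through an SDK, not a contract"];
  if (op.kind === "createToken") {
    const out = [];
    if (op.treasury !== self) out.push("treasury must be the creating contract");
    if (op.autoRenew && op.autoRenew !== self) out.push("auto-renew account must be the creating contract");
    return out;
  }
  return [`unknown operation ${op.kind}`];
}

// Constructed sample: one token whose freeze key is a 1-of-2 threshold key.
const sampleState = {
  allowances: { "0.0.1001>0.0.5001>0.0.7001": 50 },
  tokens: { "0.0.7001": {
    pauseKey: { publicKey: "constructed-admin-key" },
    freezeKey: { threshold: 1, keys: [{ publicKey: "constructed-admin-key" }, { contractId: "0.0.5001" }] },
  } },
};
const sampleOps = [
  { kind: "transfer", contract: "0.0.5001", from: "0.0.1001", token: "0.0.7001", amount: 80 },
  { kind: "freeze", contract: "0.0.5001", token: "0.0.7001" },
  { kind: "pause", contract: "0.0.5001", token: "0.0.7001" },
];
for (const op of sampleOps) console.log(op.kind, audit(op, sampleState));
```

An empty list means the call passes the conditions the post lists; it does not replace testing the contract itself on a network running the new model.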