イーサリアム：次世代スマートコントラクトと分散型アプリケーションプラットフォーム

Abstract

Satoshi Nakamoto's development of Bitcoin in 2009 has often been hailed as a radical development in money and currency, being the first example of a digital asset which simultaneously has no backing or intrinsic value and no centralized issuer or controller. However, another, arguably more important, part of the Bitcoin experiment is the underlying blockchain technology as a tool of distributed consensus, and attention is rapidly starting to shift to this other aspect of Bitcoin. Commonly cited alternative applications of blockchain technology include using on-blockchain digital assets to represent custom currencies and financial instruments (colored coins), the ownership of an underlying physical device (smart property), non-fungible assets such as domain names (Namecoin), as well as more complex applications involving having digital assets being directly controlled by a piece of code implementing arbitrary rules (smart contracts) or even blockchain-based decentralized autonomous organizations (DAOs).

What Ethereum intends to provide is a blockchain with a built-in fully fledged Turing-complete programming language that can be used to create "contracts" that can be used to encode arbitrary state transition functions, allowing users to create any of the systems described above, as well as many others that we have not yet imagined, simply by writing up the logic in a few lines of code. A bare-bones version of Namecoin can be written in two lines of code, and other protocols like currencies and reputation systems can be built in under twenty lines. Smart contracts, cryptographic "boxes" that contain value and only unlock it if certain conditions are met, can also be built on top of the platform, with vastly more power than that offered by Bitcoin scripting because of the added powers of Turing-completeness, value-awareness, blockchain-awareness, and state.

Introduction and Existing Concepts

The concept of decentralized digital currency, as well as alternative applications like property registries, has been around for decades. The anonymous e-cash protocols of the 1980s and the 1990s, mostly reliant on a cryptographic primitive known as Chaumian blinding, provided a currency with a high degree of privacy, but the protocols largely failed to gain traction because of their reliance on a centralized intermediary. In 1998, Wei Dai's b-money became the first proposal to introduce the idea of creating money through solving computational puzzles as well as decentralized consensus, but the proposal was scant on details as to how decentralized consensus could actually be implemented. In 2005, Hal Finney introduced a concept of reusable proofs of work, a system which uses ideas from b-money together with Adam Back's computationally difficult Hashcash puzzles to create a concept for a cryptocurrency, but once again fell short of the ideal by relying on trusted computing as a backend.

In 2009, a decentralized currency was for the first time implemented in practice by Satoshi Nakamoto, combining established primitives for managing ownership through public key cryptography with a consensus algorithm for keeping track of who owns coins, known as "proof of work." The mechanism behind proof of work was a breakthrough in the space because it simultaneously solved two problems. First, it provided a simple and moderately effective consensus algorithm, allowing nodes in the network to collectively agree on a set of canonical updates to the state of the Bitcoin ledger. Second, it provided a mechanism for allowing free entry into the consensus process, solving the political problem of deciding who gets to influence the consensus, while simultaneously preventing sybil attacks. It does this by substituting a formal barrier to participation, such as the requirement to be registered as a unique entity on a particular list, with an economic barrier -- the weight of a single node in the consensus voting process is directly proportional to the computing power that the node brings. Since then, an alternative approach has been proposed called proof of stake, calculating the weight of a node as being proportional to its currency holdings and not computational resources; the discussion of the relative merits of the two approaches is beyond the scope of this paper but it should be noted that both approaches can be used to serve as the backbone of a cryptocurrency.

The Bitcoin blockchain has proven remarkably robust in practice over the subsequent years of operation, but it is inherently limited in what it can accomplish beyond simple value transfer. Bitcoin's scripting language is intentionally designed to be restrictive, lacking loops, Turing-completeness, and many other features that would be necessary to build more complex applications. This limitation, while providing safety from certain classes of attacks, severely restricts what can be built on top of Bitcoin. Over the following years, numerous attempts to extend Bitcoin's functionality emerged: colored coins sought to use the Bitcoin blockchain to track ownership of alternative assets, Namecoin attempted to create a decentralized name registration database, and various metacoin protocols aimed to build additional layers on top of Bitcoin's transaction format. While these approaches showed promise, they were ultimately constrained by Bitcoin's scripting capabilities and the inability to access blockchain data from within scripts.

What Ethereum intends to provide is a blockchain with a built-in fully fledged Turing-complete programming language that can be used to create "contracts" that can be used to encode arbitrary state transition functions, allowing users to create any of the systems described above, as well as many others that we have not yet imagined, simply by writing up the logic in a few lines of code.

Bitcoin As A State Transition System

From a technical standpoint, the ledger of a cryptocurrency such as Bitcoin can be thought of as a state transition system, where there is a "state" consisting of the ownership status of all existing bitcoins and a "state transition function" that takes a state and a transaction and outputs a new state which is the result. In a standard banking system, for example, the state is a balance sheet, a transaction is a request to move \(X from A to B, and the state transition function reduces the value in A's account by \)X and increases the value in B's account by \(X. If A's account has less than \)X in the first place, the state transition function returns an error. Hence, one can formally define:

APPLY(S,TX) - S' or ERROR

In the banking system defined above:

APPLY({ Alice: \(50, Bob: \)50 },send \(20 from Alice to Bob") = { Alice: \)30, Bob: $70 }

But:

APPLY({ Alice: \(50, Bob: \)50 },send $70 from Alice to Bob) = ERROR

The "state" in Bitcoin is the collection of all coins (technically, "unspent transaction outputs" or UTXO) that have been minted and not yet spent, with each UTXO having a denomination and an owner (defined by a 20-byte address which is essentially a cryptographic public key). A transaction contains one or more inputs, with each input containing a reference to an existing UTXO and a cryptographic signature produced by the private key associated with the owner's address, and one or more outputs, with each output containing a new UTXO to be added to the state.

The state transition function APPLY(S,TX) - S' can be defined roughly as follows:

1. For each input in TX:
2. If the referenced UTXO is not in S, return an error.
3. If the provided signature does not match the owner of the UTXO, return an error.
4. If the sum of the denominations of all input UTXO is less than the sum of the denominations of all output UTXO, return an error.
5. Return S with all input UTXO removed and all output UTXO added.

The first half of the first step prevents transaction senders from spending coins that do not exist, the second half of the first step prevents transaction senders from spending other people's coins, and the second step enforces conservation of value. In order to use this for payment, the protocol is as follows. Suppose Alice wants to send 11.7 BTC to Bob. First, Alice will look for a set of available UTXO that she owns that totals up to at least 11.7 BTC. Realistically, Alice will not be able to get exactly 11.7 BTC; say that the smallest she can get is 6+4+2=12. She then creates a transaction with those three inputs and two outputs. The first output will be 11.7 BTC with Bob's address as its owner, and the second output will be the remaining 0.3 BTC "change", with the owner being Alice herself.

Mining

If we had access to a trustworthy centralized service, this system would be trivial to implement; it could simply be coded exactly as described, using a centralized server's hard drive to keep track of the state. However, with Bitcoin we are trying to build a decentralized currency system, so we will need to combine the state transaction system with a consensus system in order to ensure that everyone agrees on the order of transactions. Bitcoin's decentralized consensus process requires nodes in the network to continuously attempt to produce packages of transactions called "blocks." The network is intended to produce roughly one block every ten minutes, with each block containing a timestamp, a nonce, a reference to (i.e. hash of) the previous block and a list of all of the transactions that have taken place since the previous block. Over time, this creates a persistent, ever-growing, "blockchain" that constantly updates to represent the latest state of the Bitcoin ledger.

The algorithm for checking if a block is valid, expressed in this paradigm, is as follows:

1. Check if the previous block referenced by the block exists and is valid.
2. Check that the timestamp of the block is greater than that of the previous block and less than 2 hours into the future.
3. Check that the proof of work on the block is valid.
4. Let S[0] be the state at the end of the previous block.
5. Suppose TX is the block's transaction list with n transactions. For all i in 0...n-1, set S[i+1] = APPLY(S[i],TX[i]). If any application returns an error, exit and return false.
6. Return true, and register S[n] as the state at the end of this block.

Essentially, each transaction in the block must provide a valid state transition from what was the canonical state before the transaction was executed to some new state. Note that the state is not encoded in the block in any way; it is purely an abstraction to be remembered by the validating node and can only be (securely) computed for any block by starting from the genesis state and sequentially applying every transaction in every block. Additionally, note that the order in which the miner includes transactions into the block matters; if there are two transactions A and B in a block such that B spends a UTXO created by A, then the block will be valid if A comes before B but not otherwise.

The one validity condition present in the above list that is not found in other systems is the requirement for "proof of work." The precise condition is that the double-SHA256 hash of every block, treated as a 256-bit number, must be less than a dynamically adjusted target, which as of the time of this writing is approximately \(2^{187}\). The purpose of this is to make block creation computationally "hard," thereby preventing sybil attackers from remaking the entire blockchain in their favor. Because SHA256 is designed to be a completely unpredictable pseudorandom function, the only way to create a valid block is simply trial and error, repeatedly incrementing the nonce and seeing if the new hash matches.

At the current target of \(\sim 2^{187}\), the network must make an average of \(\sim 2^{69}\) tries before a valid block is found; in general, the target is recalibrated by the network every 2016 blocks so that on average a new block is produced by some node in the network every ten minutes. In order to compensate miners for this computational work, the miner of every block is entitled to include a transaction giving themselves 25 BTC out of nowhere. Additionally, if any transaction has a higher total denomination in its inputs than in its outputs, the difference also goes to the miner as a "transaction fee." Incidentally, this is also the only mechanism by which BTC are issued; the genesis state contained no coins at all.

In order to better understand the purpose of mining, let us examine what happens in the event of a malicious attacker. Since Bitcoin's underlying cryptography is known to be secure, the attacker will target the one part of the Bitcoin system that is not protected by cryptography directly: the order of transactions. The attacker's strategy is simple:

1. Send 100 BTC to a merchant in exchange for some product (preferably a rapid-delivery digital good).
2. Wait for the delivery of the product.
3. Produce another transaction sending the same 100 BTC to himself.
4. Try to convince the network that his transaction to himself was the one that came first.

Once step (1) has taken place, after a few minutes some miner will include the transaction in a block, say block number 270000. After about one hour, five more blocks will have been added to the chain after that block, with each of those blocks indirectly pointing to the transaction and thus "confirming" it. At this point, the merchant will accept the payment as finalized and deliver the product. Since we are assuming this is a digital good, delivery is instant. Now, the attacker creates another transaction sending the 100 BTC to himself. If the attacker simply releases it into the wild, the transaction will not be processed; miners will attempt to run APPLY(S,TX) and notice that TX consumes a UTXO which is no longer in the state. So instead, the attacker creates a "fork" of the blockchain, starting by mining another version of block 270000 pointing to the same block 269999 as a parent but with the new transaction in place of the old one. Because the block data is different, this requires redoing the proof of work. Furthermore, the attacker's new version of block 270000 has a different hash, so the original blocks 270001 to 270005 do not "point" to it; thus, the original chain and the attacker's new chain are completely separate. The rule is that in a fork the longest blockchain is taken to be the truth, and so legitimate miners will work on the 270005 chain while the attacker alone is working on the 270000 chain. In order for the attacker to make his blockchain the longest, he would need to have more computational power than the rest of the network combined in order to catch up (hence, "51% attack").

Merkle Trees

Merkle trees are a fundamental data structure used in Bitcoin blocks to enable efficient and secure verification of transaction inclusion. A Merkle tree is a binary tree of hashes where the leaf nodes contain hashes of individual transactions, and each interior node contains the hash of its two children, recursively building up to a single root hash that is stored in the block-header/" class="glossary-link" data-slug="block-header" title="block header">block header. This hierarchical structure allows anyone to verify that a specific transaction is included in a block by downloading only the Merkle branch—the chain of hashes from the transaction up to the root—rather than downloading all transactions in the block.

The efficiency gains are substantial: while a full Bitcoin node must store the entire blockchain (approximately 15GB as of 2013), a simplified payment verification (SPV) node only needs to download block headers containing Merkle roots, requiring just 4MB of data. To verify a transaction, an SPV node requests the Merkle branch from full nodes, which requires only \(O(\log n)\) data where \(n\) is the number of transactions in a block. This logarithmic scaling makes it feasible to run lightweight clients on mobile devices and low-resource environments.

Bitcoin's use of Merkle trees demonstrates a key principle: cryptographic structures can dramatically reduce the trust and resource requirements for participating in a decentralized network. This same principle underlies Ethereum's design, where Merkle trees are used not only for transactions but also for state and receipt storage, enabling even more sophisticated light client protocols.

Alternative Blockchain Applications

The success of Bitcoin's blockchain inspired numerous attempts to extend the concept beyond simple currency. Namecoin, launched in 2010, was one of the earliest examples—a decentralized name registration database built on a blockchain, allowing users to register names in a distributed namespace that no central authority could censor or revoke. Colored coins emerged as a way to represent alternative assets on the Bitcoin blockchain by "tagging" specific transaction outputs to represent ownership of real-world assets, company shares, or other cryptocurrencies. Metacoins and meta-protocols like Mastercoin (later Omni) layered additional functionality on top of Bitcoin by encoding extra data in Bitcoin transactions and building separate protocol rules on top.

However, all these approaches suffered from fundamental limitations imposed by Bitcoin's architecture. The Bitcoin scripting language is intentionally restricted—it cannot access blockchain state, lacks loops and complex control flow, and provides limited introspection into transaction values. Building sophisticated applications required awkward workarounds: encoding metadata in transaction fields never intended for that purpose, relying on off-chain infrastructure for complex logic, or accepting severe limitations on what the protocol could accomplish.

These constraints motivated the search for a more general-purpose blockchain platform. Rather than building yet another special-purpose protocol on top of Bitcoin's limited foundation, Ethereum takes a different approach: providing a blockchain with a built-in Turing-complete programming language, allowing anyone to write smart contracts and decentralized applications with arbitrary rules for ownership, transaction formats, and state transition functions.

Scripting

Bitcoin Script, the language used to define spending conditions for Bitcoin transactions, is intentionally designed with severe limitations. It is not Turing-complete—most notably, it lacks loops and complex control flow structures. The language operates as a simple stack-based execution environment where operations push and pop values, evaluate cryptographic conditions, and ultimately return true or false to determine whether a transaction is valid. While this simplicity provides security benefits and makes formal analysis easier, it also makes many types of applications impossible to implement.

These limitations fall into three main categories. First, the lack of Turing-completeness prevents implementing complex state machines, decision trees, or any algorithm requiring iteration. Second, value-blindness means that scripts cannot specify fine-grained control over withdrawal amounts—a UTXO can only be spent in its entirety, with change sent to a new output. A script cannot, for example, limit withdrawals to a maximum of X per day while leaving the remainder locked. Third, the lack of blockchain state awareness means that UTXO are either spent or unspent with no intermediate states, making multi-stage contracts impossible to implement purely on-chain.

These constraints make sophisticated applications like decentralized autonomous organizations, savings wallets with withdrawal limits, decentralized exchanges, or prediction markets either impossible or require awkward off-chain mechanisms. An advanced financial contract might require access to market data, the ability to maintain internal state across multiple transactions, and complex conditional logic—none of which Bitcoin Script can provide. Ethereum removes these limitations by providing a Turing-complete language with full access to blockchain state.

Ethereum

Ethereum's fundamental goal is to provide a blockchain with a built-in Turing-complete programming language that allows anyone to write smart contracts and decentralized applications where they can create their own arbitrary rules for ownership, transaction formats, and state transition functions. Rather than designing a protocol for specific applications like currency, name registration, or asset trading, Ethereum provides a foundational layer—a blockchain-based distributed computing platform that developers can use to build any application they can imagine.

The architecture differs fundamentally from Bitcoin's UTXO model. Ethereum uses an account-based system where the blockchain state consists of a mapping from addresses to account objects. Each account has a balance, a transaction counter (nonce), and for contract accounts, associated code and storage. The platform includes a built-in Turing-complete programming language for writing contract code that executes in the Ethereum Virtual Machine (EVM), a stack-based execution environment that processes transactions and state transitions.

This generality enables a vast range of applications: alternative cryptocurrencies with custom issuance rules, financial derivatives and stablecoins, identity and reputation systems, decentralized file storage, decentralized autonomous organizations (DAOs), and much more. The whitepaper emphasizes that Ethereum is not optimized for any particular use case but instead provides the fundamental building blocks—accounts, transactions, a Turing-complete language, and gas-metered execution—that developers can combine to create whatever applications the ecosystem demands.

Ethereum Accounts

In Ethereum, the state is made up of accounts, and there are two fundamental types. Externally owned accounts (EOAs) are controlled by private keys and have no associated code—they represent human users or external entities interacting with the blockchain. Contract accounts are controlled by their contract code and are activated when they receive a message or transaction. Both types share a common structure: every account has a nonce (a counter used to ensure each transaction can only be processed once), an ether balance, and for contracts specifically, contract code and persistent storage.

Ether is the primary internal cryptocurrency of Ethereum, serving as both a medium of value transfer and the fundamental unit for paying transaction fees (gas). Unlike Bitcoin's UTXO model where value is distributed across multiple unspent outputs, Ethereum accounts maintain a simple balance that increases when they receive ether and decreases when they send it. This account-based model simplifies many types of applications, particularly those requiring persistent state or complex access control, though it introduces different security considerations compared to Bitcoin's approach.

The distinction between EOAs and contract accounts is crucial to understanding Ethereum's operation. EOAs can initiate transactions by creating and signing messages with their private keys, paying gas fees to have their transactions included in blocks. Contract accounts cannot initiate transactions themselves but can send messages to other contracts in response to receiving a transaction or message, enabling complex chains of execution where a single external transaction triggers multiple contract-to-contract interactions.

Messages and Transactions

Transactions in Ethereum are signed data packages created by externally owned accounts and broadcast to the network. A transaction contains the recipient address, a cryptographic signature proving the sender's identity, the amount of ether to transfer, an optional data field (crucial for interacting with contracts), STARTGAS (the maximum number of computational steps the transaction is allowed to take), and GASPRICE (the fee per computational step the sender is willing to pay). Miners collect these transactions, validate them, execute them, and include them in blocks, receiving the gas fees as compensation.

Messages are conceptually similar to transactions but are produced by contracts rather than external actors. When a contract's code executes, it can send messages to other contracts—these internal messages contain the sender (the contract address), recipient, an amount of ether to transfer, an optional data payload, and a STARTGAS limit. Messages enable contract-to-contract communication, allowing complex applications to be built from multiple interacting contracts rather than monolithic programs.

The gas mechanism is crucial for preventing abuse: every computational step, storage operation, and data byte in a transaction consumes gas. If a transaction runs out of gas before completing, all state changes are reverted (except the gas payment to the miner), preventing infinite loops or excessive computation from grinding the network to a halt. The sender specifies both the total gas budget (STARTGAS) and the price they're willing to pay per unit (GASPRICE), and any unused gas is refunded after execution completes.

Ethereum State Transition Function

The Ethereum state transition function APPLY(S,TX) - S' defines how a transaction transforms the blockchain state, and it follows a precise sequence of steps. First, the system checks transaction validity: verifying the signature is correct, confirming the nonce matches the sender's account nonce, and ensuring the sender has sufficient balance to pay the upfront cost (STARTGAS × GASPRICE plus the value being sent). If any check fails, the transaction is rejected before execution begins. If valid, the transaction fee is deducted from the sender's account, the sender's nonce is incremented, and an initial gas counter is set to STARTGAS minus a per-byte fee for the transaction data.

Next, the system transfers the specified ether value from the sender to the recipient. If the recipient is an externally owned account, this completes the transaction. If the recipient is a contract account, the contract's code runs in the Ethereum Virtual Machine, consuming gas for each operation until either the code completes successfully, the code explicitly halts, or the gas runs out. During execution, the contract can read and modify its storage, send messages to other contracts, and create new contracts.

Finally, if the value transfer failed (insufficient balance) or code execution failed (running out of gas or hitting an error), all state changes are reverted—except that the sender still pays gas fees to the miner for the computation performed. If execution succeeded, the remaining gas is refunded to the sender, and the gas that was consumed is sent to the miner as a fee. This mechanism ensures that miners are compensated for computation while preventing runaway execution from consuming unbounded resources.

Code Execution

The Ethereum Virtual Machine (EVM) is the runtime environment where contract code executes—a low-level, stack-based virtual machine similar in concept to the Java Virtual Machine or WebAssembly. Contract code is stored as a sequence of bytes, where each byte represents an operation (opcode) that the EVM can execute. The execution model is deliberately simple and deterministic: every node running the EVM with the same input state and transaction must arrive at the same output state, ensuring consensus across the network.

The EVM provides three distinct types of storage for computation. The stack is a last-in-first-out (LIFO) structure limited to 1024 elements, used for immediate operation values. Memory is an infinitely expandable byte array that persists only for the duration of a single message call and is reset between executions. Storage is the persistent key-value store permanently associated with each account/" class="glossary-link" data-slug="contract-account" title="contract account">contract account, where contracts maintain their long-term state across transactions. These storage types are priced differently in gas—stack and memory operations are cheap, while storage operations are expensive to prevent blockchain bloat.

During execution, contract code has access to crucial context: it can read the message sender's address, the amount of ether sent, the data payload provided by the caller, and block-level properties like the current block number, timestamp, and miner address. The code can return an output byte array to the caller and can send messages to other contracts or create new contracts. This execution model is Turing-complete—loops and complex control flow are possible—but the gas mechanism ensures that all computation terminates in bounded time, solving the halting problem economically rather than through language restrictions.

Blockchain and Mining

The Ethereum blockchain is fundamentally similar to Bitcoin's, serving as a database containing every transaction ever executed. However, while Bitcoin stores only a transaction list, Ethereum stores both the transaction list and the most recent state. Each block in Ethereum contains the previous block's hash, a state root (the root hash of the Patricia trie">Merkle Patricia trie representing the entire state), a transaction root, a receipt root (storing data from transaction execution), along with difficulty, timestamp, and nonce values. The state itself is a large Merkle Patricia trie mapping addresses to account objects, where each account has a balance, nonce, code (if present), and storage.

Ethereum uses a modified version of the GHOST (Greedy Heaviest Observed Subtree) protocol to address security issues that arise from fast block times. In traditional longest-chain protocols, fast blocks lead to high stale rates, reducing network security and increasing centralization risks as large miners waste less computation on stales. GHOST includes stale blocks (called "uncles" in Ethereum) in the calculation of which chain is longest, and provides partial rewards to uncle blocks, incentivizing miners to reference them. This allows Ethereum to maintain a target block time of approximately 12 seconds while preserving network security.

The mining algorithm works similarly to Bitcoin's proof-of-work, requiring miners to find a nonce such that the hash of the block is below a certain difficulty target. However, Ethereum's memory-hard mining algorithm (Ethash) is designed to be ASIC-resistant, promoting a more decentralized mining ecosystem. The difficulty adjusts dynamically based on block times to maintain the ~12 second target, ensuring consistent block production while the GHOST protocol provides security guarantees despite the faster block times compared to Bitcoin's 10-minute average.

Applications

The applications that can be built on Ethereum fall into three broad categories. The first category is financial applications, providing users with more powerful ways to manage and enter contracts involving their money. This includes sub-currencies, financial derivatives, hedging contracts, savings wallets with withdrawal limits, wills that distribute funds automatically, and even employment contracts that calculate payment based on verified work completion. These applications leverage Ethereum's programmability to create complex financial instruments that would be impossible or extremely difficult to implement in traditional systems or even on Bitcoin.

The second category is semi-financial applications, where money is involved but there is also a substantial non-monetary component to what is being done. A perfect example is self-enforcing bounties for solutions to computational problems. Someone could post a computational problem along with a reward, and the contract could automatically verify submitted solutions and pay out the bounty to the first correct answer. This category bridges pure finance and other domains, using economic incentives to solve problems or coordinate behavior.

The third category is applications that have nothing to do with money at all, such as online voting and decentralized governance systems. These non-financial applications demonstrate Ethereum's flexibility as a general-purpose platform. Examples include decentralized domain name systems like Namecoin, reputation systems, decentralized file storage, and organizational governance tools. Of all these application types, token systems have emerged as the most common and fundamental, serving as building blocks for many other applications.

Token Systems

Token systems are surprisingly straightforward to implement on Ethereum, despite being one of the most powerful and common applications. At their core, token systems are simply a database with a single operation: subtract X units from account A and add X units to account B, with the condition that A had at least X units before the transaction and the transaction is authorized by A. The implementation requires maintaining a mapping of addresses to balances and providing a transfer function that performs the appropriate checks before moving tokens between accounts.

The contract code for a basic token system is remarkably simple and can be written in just a few lines. It consists of a data structure mapping addresses to balances, an initialization function that assigns initial token supply, and a transfer function that checks the sender's balance and authorization before executing the transfer. This simplicity stands in stark contrast to the complexity required to implement similar systems on Bitcoin, which would require significant workarounds and limitations due to Bitcoin's restricted scripting capabilities.

Tokens on Ethereum can represent virtually anything of value. They might represent sub-currencies with their own monetary policies, financial derivatives tracking external assets, company shares with dividend rights, loyalty points in customer programs, commodities like gold or oil, or even representations of physical property. The programmability of Ethereum allows these tokens to have arbitrary rules governing their behavior, such as transfer restrictions, automatic burning mechanisms, dividend distributions, or governance rights. This flexibility has made token systems the foundational building block for much of the Ethereum ecosystem.

Financial Derivatives and Stable-Value Currencies

Financial derivatives represent one of the most fundamental and important applications of Ethereum smart contracts. A simple hedging contract demonstrates the basic mechanism: party A deposits a certain amount of ether worth \(1000, party B deposits an equivalent amount, and the contract records the USD value of ether at that moment using a data feed. After 30 days, the contract recalculates the value and sends ether worth \)1000 to A and the remainder to B. If the price of ether has risen, A receives fewer ether but maintains $1000 value; if it has fallen, A receives more ether to maintain that value. This allows A to hedge against volatility while B speculates on price movements.

The implementation of such contracts requires access to external data through oracle contracts or data feeds. These oracles provide price information, weather data, or other real-world information that contracts need to execute properly. While oracles introduce a trust dependency, they can be designed with redundancy and cryptoeconomic incentives to provide reliable data. The contract itself simply queries the oracle, performs calculations based on that data, and distributes funds according to its programmed logic.

Stablecoins and more complex financial instruments can be built using similar mechanisms. A stablecoin contract might maintain a reserve of ether and issue tokens pegged to a fiat currency, automatically adjusting supply or collateral requirements based on price feeds. Options contracts, futures, swaps, and other derivatives that would normally require complex legal frameworks and trusted intermediaries can instead be encoded as self-executing smart contracts. This programmable finance infrastructure enables sophisticated financial engineering while maintaining the transparency and security guarantees of blockchain technology.

Identity and Reputation Systems

A name registration system similar to Namecoin is trivially implementable on Ethereum and serves as the simplest example of an identity system. The contract maintains a database with a key-value table mapping names to associated data (such as IP addresses, public keys, or other information). Anyone can register a name by sending a transaction to the contract along with a small registration fee, provided that name is not already taken. The owner can update the associated data at any time, and names can be made transferable or permanent according to the rules encoded in the contract.

More advanced identity systems can be built on this foundation to include reputation scores, web of trust relationships, and decentralized identity verification. For example, a contract could maintain reputation scores based on verified transactions, peer ratings, or completion of tasks. These scores would be publicly visible and cryptographically tied to specific addresses, creating a portable reputation that follows users across applications. Web of trust systems could allow users to vouch for others' identities, building social graphs that help distinguish legitimate users from bad actors.

Such identity and reputation systems become particularly powerful when integrated with other applications. A marketplace could require minimum reputation scores for sellers, a loan platform could adjust interest rates based on borrower reputation, or a social network could use web of trust to filter spam and fraudulent content. By providing a shared infrastructure for identity that any application can query, Ethereum enables a new class of trust-based applications that don't rely on centralized identity providers or proprietary reputation systems.

Decentralized File Storage

Decentralized file storage can be implemented through Ethereum contracts that coordinate between users who need storage and providers who offer it. In a "decentralized Dropbox" model, users would pay a monthly fee to upload files, with the contract distributing payments to storage providers who prove they are actually storing the data. The proof mechanism works through periodic cryptographic challenges: the contract randomly selects portions of files and asks providers to supply Merkle tree proofs demonstrating they possess that data. Providers who fail challenges or go offline would lose their deposits and future payment stream.

This approach offers several advantages over centralized storage. Merkle tree proofs enable efficient verification—users and the contract can confirm file availability without downloading entire files. The system naturally distributes files across multiple independent providers, creating redundancy without requiring explicit replication protocols. Economic incentives align provider behavior with user needs: providers earn money by reliably storing data and lose money if they fail to do so. This eliminates the trust requirement inherent in centralized storage solutions.

Storage costs in such a system can potentially be lower than centralized alternatives for several reasons. The elimination of monopoly pricing allows market competition to drive costs down to near the actual cost of storage. Implicit redundancy from multiple users storing similar files can reduce total storage requirements. There's no need for expensive data center infrastructure or corporate overhead. However, challenges remain around payment mechanisms, ensuring adequate provider participation, and managing the tradeoff between redundancy and cost. Despite these challenges, decentralized storage demonstrates how Ethereum can coordinate complex multi-party interactions through economic incentives alone.

Decentralized Autonomous Organizations

A Decentralized Autonomous Organization (DAO) is a virtual entity that has a set of members or shareholders who collectively have the right to spend the entity's funds and modify its code. A typical DAO operates with a simple rule: 67% of members are needed to make spending decisions or modify the organization's code. Members can submit proposals, vote on them, and if a proposal receives sufficient support, the contract automatically executes the decision. Membership shares can be transferable, allowing a liquid market for DAO participation, and different classes of shares can have different voting rights or economic claims.

The simplest DAO design is a self-modifying contract that maintains a list of members and requires a 2/3 majority vote to change any aspect of the contract, including its own voting rules. Members would submit code changes as transactions, other members would vote, and upon reaching the threshold, the contract would update itself. More sophisticated designs might include delegated voting systems where members can assign their voting power to representatives, or liquid democracy where votes can be delegated but reclaimed at any time for important decisions.

DAOs can serve various purposes beyond simple fund management. A DAO could function as a decentralized corporation, hiring contractors, purchasing services, and distributing profits to shareholders—all governed by smart contract code rather than traditional legal structures. It could operate as a decentralized investment fund, with members voting on which projects to fund. It could manage a commons resource, with stakeholders voting on allocation rules. The key insight is that by encoding governance rules in transparent, immutable code and tying them to economic stake, DAOs can coordinate group decisions without requiring traditional hierarchical management or legal enforcement.

Further Applications

Beyond the major categories already discussed, Ethereum enables numerous other applications. Savings wallets with sophisticated security features can impose daily withdrawal limits while providing emergency keys for recovery, protecting users from theft while maintaining ultimate control. Crop insurance contracts can automatically pay farmers based on weather data feeds, eliminating claims processing and reducing administrative overhead. Peer-to-peer gambling applications can operate without any trusted intermediary, with smart contracts holding stakes and automatically paying winners based on verifiable random numbers or real-world event data.

On-chain prediction markets allow users to bet on future events, creating powerful forecasting mechanisms through the wisdom of crowds. These can be augmented with SchellingCoin-style protocols to create decentralized oracles: participants independently report data (like election results or weather conditions), and those whose reports match the majority receive rewards while outliers are penalized. This cryptoeconomic approach incentivizes honest reporting and can provide reliable real-world data to other contracts without requiring trust in any single oracle provider.

Multi-signature wallets represent another important application, enabling shared control of funds between multiple parties. A 2-of-3 multi-sig wallet might require any two of three designated parties to approve a transaction before funds can be spent, useful for escrow arrangements, corporate treasuries, or personal security. Decentralized marketplaces can combine identity systems, reputation scores, escrow contracts, and dispute resolution mechanisms to enable peer-to-peer commerce without centralized platforms. Each of these applications demonstrates how Ethereum's programmability enables new trust models and organizational structures.

Miscellanea And Concerns

Ethereum's implementation of the modified GHOST protocol includes specific rules for uncle inclusion and rewards. Uncles must be direct children of the current block's ancestor (between 2 and 7 generations back), must be valid block headers, must be distinct from previous uncles, and must not be direct ancestors of the current block. Uncle blocks receive 87.5% of the standard block reward, while the including block receives an additional 3.125% per uncle included (up to two uncles). This incentive structure encourages miners to reference stale blocks they observe, strengthening network security while rewarding miners who experienced temporary bad luck with network propagation.

The transaction-fee/" class="glossary-link" data-slug="transaction-fee" title="fee">fee system is based on the concept of "gas," where every computational operation has a fixed gas cost. For example, a multiplication operation costs 5 gas, a SHA256 hash costs 20 gas, and every transaction has a base cost of 21,000 gas. Users specify both a gas limit (maximum gas they're willing to consume) and a gas price (how much ether they'll pay per unit of gas). This system serves multiple purposes: it prevents infinite loops and denial-of-service attacks by ensuring all computation is paid for, it creates a market for block space where users bid via gas prices, and it allows miners to set a minimum gas price they're willing to accept, protecting network resources.

Scalability remains a significant concern, as every node/" class="glossary-link" data-slug="full-node" title="full node">full node must process every transaction to verify the state. Current blockchain architectures struggle to match centralized systems' transaction throughput. Potential solutions include state sharding, where different nodes process different subsets of transactions, and a transition from proof-of-work to proof-of-stake consensus, which could enable more efficient block production. Light clients using Merkle proofs can verify transactions without processing all blocks, but someone must still process everything. These scalability challenges represent active areas of research and development critical to Ethereum's long-term viability.

Conclusion

The Ethereum protocol was originally conceived as an upgraded version of a cryptocurrency, providing advanced features like on-blockchain escrow, withdrawal limits, and financial contracts through a highly generalized programming language. However, the Ethereum protocol moves far beyond just currency. Protocols around decentralized file storage, decentralized computation, and decentralized prediction markets, among dozens of other concepts, have the potential to substantially increase the efficiency of the computational industry and provide a massive boost to other peer-to-peer protocols by adding for the first time an economic layer.

Rather than providing a limited set of operations designed for specific use cases, Ethereum provides a Turing-complete programming language that enables developers to build any application they can design. Want to invent your own financial derivative? Create your own currency? Establish a government on the blockchain? These are all trivially implementable with Ethereum's scripting system. The platform's power lies not in predicting what applications will be built, but in providing the foundational infrastructure that makes building them easy.

The concept of an arbitrary state transition function as implemented by the Ethereum protocol provides a platform with unique potential. Rather than being a closed-ended, single-purpose protocol intended for specific applications in data storage, gambling, or finance, Ethereum is open-ended by design, and we believe it is extremely well-suited to serving as a foundational layer for a large number of both financial and non-financial protocols in the years to come. The applications that will be built on Ethereum in the future may be ones we cannot even imagine today, and that open-ended possibility represents the true promise of the platform.

References and Further Reading

The Ethereum whitepaper builds upon extensive prior work in cryptocurrency and distributed systems research. The foundational Bitcoin protocol is described in Satoshi Nakamoto's original 2008 paper "Bitcoin: A Peer-to-Peer Electronic Cash System," which introduced the concept of blockchain-based digital currency. Early attempts to extend Bitcoin's functionality include Namecoin, a decentralized name registration system demonstrating blockchain applications beyond currency, though limited by Bitcoin's restricted scripting capabilities.

The colored coins whitepaper proposed a method for representing alternative assets on the Bitcoin blockchain by "coloring" specific bitcoins to represent other assets, while Mastercoin attempted to create a protocol layer on top of Bitcoin for more complex financial instruments. Both highlighted the limitations of building on Bitcoin and motivated the need for a more flexible platform. The concept of decentralized autonomous corporations, explored in Bitcoin Magazine, provided theoretical foundations for organizational governance through smart contracts.

Key technical components include simplified payment verification (SPV) for light clients, Merkle trees for efficient data verification, and Patricia tries for Ethereum's state representation. The GHOST (Greedy Heaviest Observed Subtree) protocol, described in a 2013 cryptography paper, addresses security issues arising from fast block times and forms the basis for Ethereum's consensus mechanism. These references represent the intellectual foundations upon which Ethereum was built, combining insights from cryptocurrency, distributed systems, cryptography, and game theory to create a general-purpose blockchain platform.