End-user Comprehension of Transfer Risks in Smart Contracts

📅 2024-07-16
🏛️ arXiv.org
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study addresses the critical problem of high-impact risks in ERC-20 smart contracts—particularly USDT—in asset transfers, alongside a pronounced user awareness gap. Methodologically, it employs a mixed approach: a controlled user experiment (N=110) using MetaMask, complemented by source-code audits of 78 mainstream tokens (combining manual review and automated analysis). Results reveal that users systematically underestimate five predefined risk mechanisms—including blacklisting, pausability, and arbitrary upgradability—with 71.8% failing to recognize them; risk identification success rates are only half those for basic transaction recognition. Furthermore, 19.2% of top-tier contracts embed at least one predefined risk, and 25.6% contain three newly identified risk patterns. The study’s contributions include: (1) establishing a validated framework for assessing risk perception in decentralized applications; (2) empirically demonstrating systemic UI failures in conveying smart contract risks; and (3) advancing design paradigms for explainable contracts and risk-aware interfaces.

📝 Abstract
Smart contracts are increasingly used in critical use cases (e.g., financial transactions). Thus, it is pertinent to ensure that end-users understand the transfer risks in smart contracts. To address this, we investigate end-user comprehension of risks in the most popular Ethereum smart contract (i.e., USD Tether (USDT)) and their prevalence in the top ERC-20 smart contracts. We focus on five transfer risks with severe impact on transfer outcomes and user objectives, including users being blacklisted, contract being paused, and contract being arbitrarily upgraded. Firstly, we conducted a user study investigating end-user comprehension of smart contract transfer risks with 110 participants and USDT/MetaMask. Secondly, we performed manual and automated source code analysis of the next top (78) ERC-20 smart contracts (after USDT) to identify the prevalence of these risks. Results show that end-users do not comprehend real risks: most (up to 71.8% of) users believe contract upgrade and blacklisting are highly severe/surprising. More importantly, twice as many users find it easier to discover successful outcomes than risky outcomes using the USDT/MetaMask UI flow. These results hold regardless of the self-rated programming and Web3 proficiency of participants. Furthermore, our source code analysis demonstrates that the examined risks are prevalent in up to 19.2% of the top ERC-20 contracts. Additionally, we discovered (three) other risks with up to 25.6% prevalence in these contracts. This study informs the need to provide explainable smart contracts, understandable UI and relevant information for risky outcomes.
Problem

Research questions and friction points this paper is trying to address.

Smart Contract Risks
User Awareness
Ethereum USDT Contracts
Innovation

Methods, ideas, or system contributions that make the work stand out.

Smart Contract Risks
USDT Ethereum Contracts
Interface Simplification and Transparency