I would like to invite researchers to investigate the problem of Ethereum token standards and most notably ERC-20. I am the author of ERC-223 token standard and a security expert.
Full post here: erc20_research.md · GitHub
(no clue whose genius idea it was to restrict publications on RESEARCH FORUM to 2 links per post)
So, I kinda know what I’m talking about.
I’m stating that ERC-20 is an insecure standard. It has two major architecture flaws:
Lack of transaction handling: Known problems of ERC-20 token standard | by Dexaran | Medium
approve & transferFrom is a pull transacting pattern and pull transacting is not designed for trustless decentralized systems so it poses a threat to users’ funds safety there: ERC-20 approve & transferFrom asset transfer method poses a threat to users’ funds safety. | by Dexaran | Jul, 2023 | Medium
Today users lost at least $130M worth of ERC-20 tokens because of the above mentioned design flaw of the standard.
First, I described this issue in 2017. This can be a precedent of a vulnerability discovery in a “final” EIP. The EIP process does not allow changes even upon vulnerability disclosure.
It caused people to lose $13K when I first reported it.
Then it became $16K when I reported it and had a discussion with Ethereum Foundation members.
Then it became $1,000,0000 in 2018.
Then the author of ERC-20 standard stated he doesn’t want to use it in his new project (probably because he knows about the problem of lost funds).
Ethereum Foundation didn’t make any statement about this so far. This issue fits in “critical severity security vulnerability” according to OpenZeppelin bug bounty criteria OpenZeppelin avoided paying the bug bounty for disclosing a flaw in the contract that caused a freeze of $1.1B worth of assets · Issue #4474 · OpenZeppelin/openzeppelin-contracts · GitHub
Also there is a heavy ongoing censorship on Ethereum reddit r/ethereum
For example there is a post about ERC-20 security flaws made on r/Cybersecurity and this post was assigned “Vulnerability Disclosure” status: Reddit - Dive into anything
The same exact post was removed from r/ethereum with a reason “Not related to Ethereum or ecosystem” Reddit - Dive into anything
Excuse me, when ERC-20 became “not related to Ethereum ecosystem”?
And other posts are not getting approved for days Reddit - Dive into anything
https://www.reddit.com/r/ethereum/comments/15llp7p/i_want_to_raise_the_issue_of_censorship_on/
tl;dr:
OP points to the fact that it’s possible to send erc20 tokens to token contract address.
No, OP points to the fact that ERC-20 standard is designed in a way that violates secure software design practices which resulted in (1) impossibility of handling transactions and (2) the implementation of pull transacting method which is not suitable for decentralized trustless assets and must be avoided.
The impossibility of handling transactions in turn resulted in impossibility of handling errors.
The impossibility of handling errors resulted in the fact that “it’s possible to send erc20 tokens to token contract address” as @p_m said but this is just the top of the iceberg. The root of the problem is a bit more complicated.
It must be noted that:
Lack of error handling is a cruel violation of secure software designing principles and it resulted in a loss of $130M worth of ERC-20 tokens already.
Its weird to see how people are eager to investigate and debate some abstract paper but not to devote their attention and conduct an investigation of a real ongoing scandal of the decade. A true story of millions of dollars losses and a problem that was getting silenced for years by Ethereum Foundation.
The incident serves as a reminder that while blockchain and smart contract technologies offer numerous benefits, security risks are a significant concern. Proper development practices, rigorous testing, code audits, and ongoing monitoring are essential to mitigate these risks and protect both users and valuable assets.
asdsadsads dsadasda sd asd asdasaasdasedqweqweqweqasdasdasd