Security concerns regarding token standards and $130M worth of ERC20 tokens loss on Ethereum mainnet

I would like to invite researchers to investigate the problem of Ethereum token standards and most notably ERC-20. I am the author of ERC-223 token standard and a security expert.

Full post here: erc20_research.md · GitHub

(no clue whose genius idea it was to restrict publications on RESEARCH FORUM to 2 links per post)

• I’ve created a security auditing organization that audited more than 300 smart-contracts and not even a single one was hacked afterwards
• I was doing security audits myself.

• I have launched a successful consensus-level attack on one of the top5 chains of its time

So, I kinda know what I’m talking about.

I’m stating that ERC-20 is an insecure standard. It has two major architecture flaws:

1. Lack of transaction handling: Known problems of ERC-20 token standard | by Dexaran | Medium

2. approve & transferFrom is a pull transacting pattern and pull transacting is not designed for trustless decentralized systems so it poses a threat to users’ funds safety there: ERC-20 approve & transferFrom asset transfer method poses a threat to users’ funds safety. | by Dexaran | Jul, 2023 | Medium

Today users lost at least $130M worth of ERC-20 tokens because of the above mentioned design flaw of the standard.

First, I described this issue in 2017. This can be a precedent of a vulnerability discovery in a “final” EIP. The EIP process does not allow changes even upon vulnerability disclosure.

• It caused people to lose $13K when I first reported it.

• Then it became $16K when I reported it and had a discussion with Ethereum Foundation members.

• Then it became $1,000,0000 in 2018.

• Then the author of ERC-20 standard stated he doesn’t want to use it in his new project (probably because he knows about the problem of lost funds).

• And today there are $130,000,000 lost

Ethereum Foundation didn’t make any statement about this so far. This issue fits in “critical severity security vulnerability” according to OpenZeppelin bug bounty criteria OpenZeppelin avoided paying the bug bounty for disclosing a flaw in the contract that caused a freeze of $1.1B worth of assets · Issue #4474 · OpenZeppelin/openzeppelin-contracts · GitHub

You can find the full timeline of events here ERC-223

Also there is a heavy ongoing censorship on Ethereum reddit r/ethereum

For example there is a post about ERC-20 security flaws made on r/Cybersecurity and this post was assigned “Vulnerability Disclosure” status: Reddit - Dive into anything

The same exact post was removed from r/ethereum with a reason “Not related to Ethereum or ecosystem” Reddit - Dive into anything

Excuse me, when ERC-20 became “not related to Ethereum ecosystem”?

And other posts are not getting approved for days Reddit - Dive into anything

https://www.reddit.com/r/ethereum/comments/15llp7p/i_want_to_raise_the_issue_of_censorship_on/

tl;dr:

OP points to the fact that it’s possible to send erc20 tokens to token contract address.

No, OP points to the fact that ERC-20 standard is designed in a way that violates secure software design practices which resulted in (1) impossibility of handling transactions and (2) the implementation of pull transacting method which is not suitable for decentralized trustless assets and must be avoided.

The impossibility of handling transactions in turn resulted in impossibility of handling errors.

The impossibility of handling errors resulted in the fact that “it’s possible to send erc20 tokens to token contract address” as @p_m said but this is just the top of the iceberg. The root of the problem is a bit more complicated.

It must be noted that:

• It is not possible to send plain ether to any contract address that is not designed to receive it, the tx will get reverted because ether implements transaction handling
• It is not possible to send ERC-223 token to any contract address that is not designed to receive it because ERC-223 implements transaction handling
• It is not possible to send ERC-721 NFT to any contract address that is not designed to receive it because the transferring logic of ERC-721 is based on ERC-223 and it implements transaction handling
• It is only possible to send ERC-20 token and lose it to a software architecture flaw that does not implement a widely used mechanism

Lack of error handling is a cruel violation of secure software designing principles and it resulted in a loss of $130M worth of ERC-20 tokens already.

Its weird to see how people are eager to investigate and debate some abstract paper but not to devote their attention and conduct an investigation of a real ongoing scandal of the decade. A true story of millions of dollars losses and a problem that was getting silenced for years by Ethereum Foundation.

The incident serves as a reminder that while blockchain and smart contract technologies offer numerous benefits, security risks are a significant concern. Proper development practices, rigorous testing, code audits, and ongoing monitoring are essential to mitigate these risks and protect both users and valuable assets.

asdsadsads dsadasda sd asd asdasaasdasedqweqweqweqasdasdasd

Here is a script that calculates and displays the token losses in the most user-friendly way: ERC-20 Losses Calculator