ERC-20 Standard – Callisto Network Security Department Statement


A standardized critical-severity security flaw is not acceptable in a standard for digital assets that should focus on the safety of users’ funds.

The ERC-20 function is non-handleable. It can result in permanent loss of funds for end users. According to the OpenZeppelin bug bounty criteria, this is a critical-severity security flaw.

II. ERC-20 has three interpretations.

The ERC-20 specification is not strict enough. There are currently three types of tokens that claim to be ERC-20 but behave differently:

  • Tokens that return true on successful transferFrom execution but revert the transaction on failure (example: UNI token).
  • Tokens that return true on successful transferFrom execution and return false otherwise, never reverting the transaction (example: DAO token).
  • Tokens that return nothing and revert the transaction on failure.

Technically, USDT and BNB are incompatible with the ERC-20 standard, as the standard declares that the function must have a boolean return value.
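The practical consequence of the three conventions is that a contract which calls transferFrom through the typed interface (`IERC20(token).transferFrom(...)`) reverts on USDT/BNB-style tokens even when the transfer succeeded, because the compiler refuses to decode a boolean from empty return data, while a contract that ignores the return value silently accepts a false from DAO-style tokens. The helper below is an added example, not code from the statement or from Callisto Network; the library name and function name are assumptions. It issues the call at a low level and treats all three return styles uniformly: a revert, an explicit false, or a successful call with no data.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface; only the selector of transferFrom is used below.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical helper (name assumed, not from any standard library) that
/// calls transferFrom through a low-level call so that the three observed
/// return conventions are handled by one check.
library TolerantTransfer {
    function pull(address token, address from, address to, uint256 amount) internal {
        // A call to an address without code "succeeds" with empty return data,
        // which would otherwise look exactly like a no-return token.
        require(token.code.length > 0, "token is not a contract");

        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );

        // Case 1 (UNI-style):      failure reverts, so ok == false here.
        // Case 2 (DAO-style):      call succeeds but returns false.
        // Case 3 (USDT/BNB-style): call succeeds and returns nothing.
        bool accepted = ok && (ret.length == 0 || abi.decode(ret, (bool)));
        require(accepted, "transferFrom rejected");
    }
}
```

The `code.length` check matters: without it, a mistyped or self-destructed token address passes the `ret.length == 0` branch and the caller credits a deposit that never happened. The same three-way check applies to `transfer` and `approve`, whose return conventions vary across the same token families.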

III. approve & transferFrom is a pull transacting method. Pull transacting is not suitable for trustless systems.

Authorizing a contract to manage tokens on a token holder’s behalf introduces security risks for the token holder. Authorizing a contract to spend any amount of funds (i.e., issuing an unlimited approval) is a pattern that must be avoided.

Read more about the applicability of push transactions vs pull transactions.
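To make both failure modes concrete (the non-handleable push transfer from the first section and the unlimited-approval risk of the pull pattern above), here is an added example of a deposit vault; it is not code from the statement or from Callisto Network, and the contract name, storage layout and the assumption that the token returns a boolean are all mine. The vault pulls exactly the amount the holder approved, and it deliberately has no hook for tokens pushed to it with `transfer`, because ERC-20 offers none.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed: a token that follows the boolean-return convention.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical vault used only to illustrate the two risks discussed above.
contract ExactApprovalVault {
    IERC20 public immutable token;
    mapping(address => uint256) public credited;

    constructor(IERC20 token_) {
        token = token_;
    }

    /// Pull exactly `amount`. The holder should have approved exactly
    /// `amount` beforehand (token.approve(address(vault), amount)), not
    /// type(uint256).max: an unlimited allowance lets this contract move the
    /// holder's entire balance at any later time, including after a bug or
    /// an upgrade the holder never reviewed. An exact allowance is consumed
    /// by this single call and leaves nothing behind to be drained.
    function deposit(uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        bool ok = token.transferFrom(msg.sender, address(this), amount);
        require(ok, "transferFrom returned false");
        // Credit only what actually arrived.
        uint256 received = token.balanceOf(address(this)) - before;
        credited[msg.sender] += received;
    }

    function withdraw(uint256 amount) external {
        credited[msg.sender] -= amount; // reverts on underflow in 0.8.x
        require(token.transfer(msg.sender, amount), "transfer returned false");
    }

    // There is intentionally no receive hook here: ERC-20 `transfer` executes
    // no code on the recipient, so tokens pushed straight to this address are
    // credited to nobody and cannot be withdrawn through `withdraw`. That is
    // the non-handleable-transfer failure mode: a plain ERC-20 gives the
    // recipient contract no way to reject, record or refund such a transfer.
}
```

From the holder's side the safe sequence is approve(vault, amount) immediately followed by deposit(amount); a wallet that asks for an unlimited approval "for convenience" is asking the holder to trust every future version of the spender with their whole balance.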

Note for security auditors.

We encourage security auditing organizations and individual security auditors to highlight the known vulnerabilities of the ERC-20 standard in their security reports.

That’s how it is done in our reports. It is not legitimate to state that a contract is “secure” if it uses ERC-20 tokens without applying additional security restrictions. Such contracts are definitely not safe, because end users will lose their funds.

Callisto Network has been a truly independent security auditor since 2018. We focus on promoting the best security practices to minimize the amount of funds that any crypto users may lose.

We believe that cryptocurrency adoption is impossible without fault-tolerant services such as those available in existing banking applications.

Read more about Callisto Network.

Request a security audit.
