ERC20 standard issues

Despite the widespread use, the standard of token ERC20 has its defects: the absence of a transaction processing mechanism (Event Handling) and the opportunity to perform a double-spending attack (Re-Approval Attack).

The absence of a transaction processing mechanism (Event Handling).

This problem is as follows: in any full-fledged currency, the incoming payment should create a so-called Event – this allows to receive information on the change in the holder’s balance in time and, if necessary, to process cash receipts.

Ethereum works in the same way, most of ERC20 tokens operate on its base.

However, standard ERC20 is featured by a complete absence of a transaction processing mechanism, because of smart contract’s structure, in other words, you are always able to send ERC20 tokens to any wallet and the recipient actually will not be able to refuse of accepting the payment. He will notice his changed balance only when he decides to check it again.

Many token standards were created in order to solve this problem, ERC223 and ERC777 can be called the most successful among them. Nevertheless, despite the promising start, the technical part of payment processing presented in these standards did not become a panacea and was not applied widely.

From the problem of EventHandling many others arise. For example, you cannot work with other smart contracts by using a regular Transfer with ERC20 tokens. For secure interaction, you need to implement ApproveAndCall function (read more HERE).

The opportunity to perform a double-spending attack (Re-Approval Attack).

The second problem relates to the same Approve tokens’ function. The thing is that if the token holder approves the withdrawal of a certain amount of funds to any address, the recipient will be able to withdraw more funds than it is supposed.

This can be done as follows:

— Let’s say Bob approved 10 tokens for Alice, but Alice is inactive and does not withdraw funds. Instead, she somehow convinces Bob to change the amount of approved tokens from 10 to 12. Assume that she manages to convince Bob in the second Approve funds and the token holder sends the transaction to the mining pool for confirmation.

— At this time, Alice tracks the transaction and immediately sends the new one with higher price of gas: to withdraw 10 tokens approved by her. Since the gas price of the recipient’s transaction is higher, the priority of her action rises, and the funds are successfully withdrawn to her account before the amount of approved tokens was changed by Bob from 10 to 12.

— After the successful transaction confirmation to change the amount, Alice immidiately sends the transaction to withdraw 12 already approved tokens and withdraws tokens for the second time. In total, Alice has received 22 tokens.

This problem is not so critical. To to prevent such consequences, the tokens sender only needs to adhere to the following procedure: first, he changes the initial amount to 0, then after making sure that he is not going to be cheated, changes 0 to the required amount.

In addition, this problem can be solved by implementing a check for the original amount. In other words, to make settings that change of approved funds can be made only after confirmation that no one withdrew the funds before transaction.

Summarizing the above, it should be noted that all these problems are known to the crypto community from the very foundation of ERC20 standard and despite everything, the standard has become widespread and successfully performs all its functions.

Sincerely, Grox Solutions.

Articles. Public audits

Tetherex Audit

Security Audit of Tetherex Project

Read more


Security audit of the INTERSMART project

Read more


Security audit of the SHIBADOUBLER project

Read more

TronCore Audit

Security Audit of TronCore project

Read more

TRONexPRO Security Audit

Audit of new TRONex project

Read more


Security audit of TRONexVIP smart-contract

Read more

Audit of Omeo Smart-Contract

Audit of part of Omeo project

Read more

APEMaster (Staking) Audit

Audit of APEMaster (Staking) smart-contract

Read more

TronMint Audit

Audit of TronMint Smart-Contract

Read more

SUNexWorld Audit

SUNexWorld smart-contract audit

Read more

FinyTron Audit

Audit of FinyTronDue smart-contract

Read more

TRONCapital Audit

Audit of TRONCapital smart-contract

Read more

ArgosNEX Audit

Audit of ArgosNEX Smart-Contract

Read more

TRONexWorld Audit

Audit of smart-contract from original TRONex team

Read more

Tronner Audit

Audit of the Tronner smart-contract

Read more

TronGuru AUDIT

Audit of the TronGuru Smart-Contract

Read more


Audit of the Trony Smart-Contract

Read more


Security audit of the TRONies smart-contract

Read more


Security audit of the TronEx3 smart-contract

Read more

TronMatrix AUDIT

Security audit of the TronMatrix smart-contract

Read more


Security audit of the TRONPROM smart-contract

Read more


Security audit of the TRX-IN-BANK smart-contract

Read more

TRONex Audit

Security audit of the TRONex smart-contract

Read more


Token is a certain unit of value in the blockchain...

Read more

ICO (CrowdSale)

ICO – Initial Coin Offering or initial coin placement, by...

Read more

ERC20 standard issues

Despite the widespread use, the standard of token ERC20 has...

Read more

ApproveAndCall function for ERC20

Due to one of the known problems of ERC20 EventHandling...

Read more

Example of Smart Contract operation

Since the idea of Smart Contracts was mostly spread in...

Read more

Application of Smart Contracts

Smart contract technologies are still new and it is possible...

Read more

Audit of «Neuromachine Eternal»

Public Audit of NRM Smart Contract

Read more
Load more
To close