ERC20 standard issues
Despite its widespread use, the ERC20 token standard has its defects: the absence of a transaction processing mechanism (Event Handling) and the possibility of a double-spending attack (Re-Approval Attack).
The absence of a transaction processing mechanism (Event Handling).
The problem is as follows: in any full-fledged currency, an incoming payment should create a so-called Event. This lets the holder learn about a change in their balance in time and, if necessary, process the incoming funds.
Ethereum, on which most ERC20 tokens are based, works in the same way.
However, because of the structure of the smart contract, the ERC20 standard completely lacks a transaction processing mechanism. In other words, you can always send ERC20 tokens to any wallet, and the recipient cannot refuse the payment. He will notice the changed balance only when he decides to check it again.
Many token standards were created to solve this problem; ERC223 and ERC777 can be called the most successful among them. Nevertheless, despite the promising start, the technical part of payment processing presented in these standards did not become a panacea and was not widely adopted.
Many other problems arise from the Event Handling problem. For example, you cannot work with other smart contracts by using a regular Transfer of ERC20 tokens. For secure interaction, you need to implement the ApproveAndCall function.
The opportunity to perform a double-spending attack (Re-Approval Attack).
The second problem relates to the same Approve function. If the token holder approves the withdrawal of a certain amount of funds to some address, the recipient can withdraw more funds than intended.
This can be done as follows:
— Let’s say Bob approved 10 tokens for Alice, but Alice is inactive and does not withdraw the funds. Instead, she somehow convinces Bob to change the amount of approved tokens from 10 to 12. Assume she succeeds, and Bob sends the second Approve transaction to the mining pool for confirmation.
— Alice watches for this transaction and immediately sends a new one with a higher gas price to withdraw the 10 tokens already approved for her. Since her transaction's gas price is higher, it gets priority, and the funds are withdrawn to her account before Bob's change of the approved amount from 10 to 12 is confirmed.
— After the transaction changing the amount is confirmed, Alice immediately sends a transaction to withdraw the 12 newly approved tokens and withdraws tokens a second time. In total, Alice has received 22 tokens.
This problem is not so critical. To prevent such consequences, the token sender only needs to follow this procedure: first, he changes the initial amount to 0; then, after making sure that he is not going to be cheated, he changes 0 to the required amount.
In addition, this problem can be solved by implementing a check for the original amount. In other words, the approved amount can be changed only after confirming that no one withdrew the funds before the transaction.
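The scenario above and the "check for the original amount" fix can be replayed on a small in-memory model. This is an added example, not code from the original article or from any token contract; the class Token, the method approve_checked and the starting balances are hypothetical names and values constructed for illustration.

```python
class Token:
    """Minimal model of ERC20 balances and allowances (constructed for illustration)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowed = {}  # (owner, spender) -> approved amount

    def approve(self, owner, spender, amount):
        # Plain ERC20 behaviour: the allowance is overwritten unconditionally.
        self.allowed[(owner, spender)] = amount
        return True

    def approve_checked(self, owner, spender, expected, amount):
        # Hypothetical variant: change the allowance only if it still equals
        # the amount the owner believes is approved (nothing was withdrawn).
        if self.allowed.get((owner, spender), 0) != expected:
            return False
        self.allowed[(owner, spender)] = amount
        return True

    def transfer_from(self, spender, owner, to, amount):
        key = (owner, spender)
        if self.allowed.get(key, 0) < amount or self.balances.get(owner, 0) < amount:
            return False
        self.allowed[key] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


def replay(checked):
    """Apply the transactions in the order they are mined; return Alice's balance."""
    t = Token({"bob": 100, "alice": 0})  # constructed starting balances
    t.approve("bob", "alice", 10)                  # Bob's first approval
    t.transfer_from("alice", "bob", "alice", 10)   # mined first: higher gas price
    if checked:
        t.approve_checked("bob", "alice", 10, 12)  # rejected: allowance is 0, not 10
    else:
        t.approve("bob", "alice", 12)              # allowance becomes 12 again
    t.transfer_from("alice", "bob", "alice", 12)   # second withdrawal attempt
    return t.balances["alice"]


if __name__ == "__main__":
    print("plain approve:  ", replay(checked=False))
    print("checked approve:", replay(checked=True))
```

With the plain approve Alice ends with 22 tokens, as in the scenario; with the checked variant the change from 10 to 12 is rejected and she keeps only the 10 that Bob originally approved.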
To summarize, all these problems have been known to the crypto community since the very foundation of the ERC20 standard; despite everything, the standard has become widespread and successfully performs all its functions.
Sincerely, Grox Solutions.