ERC20 standard issues

Despite the widespread use, the standard of token ERC20 has its defects: the absence of a transaction processing mechanism (Event Handling) and the opportunity to perform a double-spending attack (Re-Approval Attack).

The absence of a transaction processing mechanism (Event Handling).

This problem is as follows: in any full-fledged currency, the incoming payment should create a so-called Event – this allows to receive information on the change in the holder’s balance in time and, if necessary, to process cash receipts.

Ethereum works in the same way, most of ERC20 tokens operate on its base.

However, standard ERC20 is featured by a complete absence of a transaction processing mechanism, because of smart contract’s structure, in other words, you are always able to send ERC20 tokens to any wallet and the recipient actually will not be able to refuse of accepting the payment. He will notice his changed balance only when he decides to check it again.

Many token standards were created in order to solve this problem, ERC223 and ERC777 can be called the most successful among them. Nevertheless, despite the promising start, the technical part of payment processing presented in these standards did not become a panacea and was not applied widely.

From the problem of EventHandling many others arise. For example, you cannot work with other smart contracts by using a regular Transfer with ERC20 tokens. For secure interaction, you need to implement ApproveAndCall function (read more HERE).

The opportunity to perform a double-spending attack (Re-Approval Attack).

The second problem relates to the same Approve tokens’ function. The thing is that if the token holder approves the withdrawal of a certain amount of funds to any address, the recipient will be able to withdraw more funds than it is supposed.

This can be done as follows:

— Let’s say Bob approved 10 tokens for Alice, but Alice is inactive and does not withdraw funds. Instead, she somehow convinces Bob to change the amount of approved tokens from 10 to 12. Assume that she manages to convince Bob in the second Approve funds and the token holder sends the transaction to the mining pool for confirmation.

— At this time, Alice tracks the transaction and immediately sends the new one with higher price of gas: to withdraw 10 tokens approved by her. Since the gas price of the recipient’s transaction is higher, the priority of her action rises, and the funds are successfully withdrawn to her account before the amount of approved tokens was changed by Bob from 10 to 12.

— After the successful transaction confirmation to change the amount, Alice immidiately sends the transaction to withdraw 12 already approved tokens and withdraws tokens for the second time. In total, Alice has received 22 tokens.

This problem is not so critical. To to prevent such consequences, the tokens sender only needs to adhere to the following procedure: first, he changes the initial amount to 0, then after making sure that he is not going to be cheated, changes 0 to the required amount.

In addition, this problem can be solved by implementing a check for the original amount. In other words, to make settings that change of approved funds can be made only after confirmation that no one withdrew the funds before transaction.

Summarizing the above, it should be noted that all these problems are known to the crypto community from the very foundation of ERC20 standard and despite everything, the standard has become widespread and successfully performs all its functions.

Sincerely, Grox Solutions.

Articles. Public audits

TronGuru AUDIT

Audit of the TronGuru Smart-Contract

Read more

Trony AUDIT

Audit of the Trony Smart-Contract

Read more

TRONies AUDIT

Security audit of the TRONies smart-contract

Read more

TronEx3 AUDIT

Security audit of the TronEx3 smart-contract

Read more

TronMatrix AUDIT

Security audit of the TronMatrix smart-contract

Read more

TRONPROM AUDIT

Security audit of the TRONPROM smart-contract

Read more

TRX-IN-BANK AUDIT

Security audit of the TRX-IN-BANK smart-contract

Read more

TRONex Audit

Security audit of the TRONex smart-contract

Read more

Tokens

Token is a certain unit of value in the blockchain...

Read more

ICO (CrowdSale)

ICO – Initial Coin Offering or initial coin placement, by...

Read more

ERC20 standard issues

Despite the widespread use, the standard of token ERC20 has...

Read more

ApproveAndCall function for ERC20

Due to one of the known problems of ERC20 EventHandling...

Read more

Example of Smart Contract operation

Since the idea of Smart Contracts was mostly spread in...

Read more

Application of Smart Contracts

Smart contract technologies are still new and it is possible...

Read more

Audit of «Neuromachine Eternal»

Public Audit of NRM Smart Contract

Read more
Load more
To close