
ERC-20 Standard – Callisto Network Security Department Statement

By Callisto Network | Callisto Network | 31 Jul 2023


Callisto Network Security Department is a security auditing organization that has performed more than 300 smart contract security audits since 2018. Not a single contract we have approved as “secure” has been hacked afterwards.

From a security point of view, ERC-20 is a poor solution, and we recommend deprecating this standard and using newer ones for creating tokens on the Ethereum blockchain.


I. ERC-20 contains a well-known design shortcoming (lack of transaction handling) which is a critical security flaw.

A standardized critical-severity security flaw is not acceptable in a standard for digital assets, which should focus on the safety of users’ funds.

The ERC-20 transfer function is not handleable: the receiving contract is not notified of an incoming transfer and cannot reject it, so tokens sent to a contract that was not designed to work with them are lost. This can result in permanent loss of funds for end users. According to the OpenZeppelin bug bounty criteria, this is a critical-severity security flaw.


II. ERC-20 has three interpretations.

The ERC-20 specification is not strict enough. There are currently three types of tokens that pretend to be ERC-20 but behave differently:

  • Tokens that return true on successful transfer or transferFrom execution but revert the transaction on failure. (Example: UNI token)
  • Tokens that return true on successful transfer or transferFrom execution, otherwise return false, and never revert the transaction. (Example: DAO token)
  • Tokens that do not return anything and revert the transaction on failure. (Examples: USDT and BNB tokens)

Technically, USDT and BNB are incompatible with the ERC-20 standard, as the standard declares that the transfer function must return a boolean value.
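As an added illustration (not code from the statement or from Callisto Network), the following wrapper tolerates all three interpretations listed above by performing a low-level call and inspecting the raw return data instead of trusting the token's declared ABI. The library and contract names are my own; the pattern is the same one used by common "safe transfer" helpers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Interface declared WITHOUT a return value on purpose: calling a USDT-style
// token through a `returns (bool)` interface reverts during ABI decoding.
interface IERC20Loose {
    function transfer(address to, uint256 amount) external;
}

library TolerantTransfer {
    /// Handles the three ERC-20 interpretations:
    ///  - reverts on failure   -> low-level call reports success == false
    ///  - returns false        -> decode the bool and revert ourselves
    ///  - returns nothing      -> empty return data, accepted only if `token` has code
    function safeTransfer(address token, address to, uint256 amount) internal {
        (bool success, bytes memory data) = token.call(
            abi.encodeWithSelector(IERC20Loose.transfer.selector, to, amount)
        );
        require(success, "TolerantTransfer: transfer reverted");
        if (data.length == 0) {
            // A call to an address with no code "succeeds" with empty data,
            // so an empty result is only trusted when the target is a contract.
            require(token.code.length > 0, "TolerantTransfer: token is not a contract");
        } else {
            require(data.length >= 32, "TolerantTransfer: malformed return data");
            require(abi.decode(data, (bool)), "TolerantTransfer: transfer returned false");
        }
    }
}

// Hypothetical consumer: a vault that never relies on the token's own convention.
contract Vault {
    using TolerantTransfer for address;

    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    function withdraw(address token, address to, uint256 amount) external {
        require(msg.sender == owner, "Vault: not owner");
        token.safeTransfer(to, amount);
    }
}
```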


III. approve & transferFrom is a pull-transaction method. Pull transactions are not suitable for trustless systems.

Authorizing a contract to manage tokens on token holders’ behalf introduces security risks for the token holder. Authorizing a contract to spend any amount of funds (i.e., issuing an unlimited approval) is a pattern that must be avoided.

Read more about the applicability of push transactions vs. pull transactions here.

Note for security auditors.

We encourage security auditing organizations and individual security auditors to highlight the known vulnerabilities of the ERC-20 standard in their security reports.

That’s how it is done in our reports. It is not legitimate to state that a contract is “secure” if it utilizes ERC-20 tokens without applying additional security restrictions. Such contracts are definitely not safe because end users will lose their funds.

Callisto Network has been a truly independent security auditor since 2018. We focus on promoting the best security practices to minimize the amount of funds that any crypto users may lose.

We believe that cryptocurrency adoption is impossible without fault-tolerant services such as those available in existing banking applications.

Read more about Callisto Network.

Request a security audit.
