Not-So Obvious Risks Linger in Leading Ethereum Tokens’ Code
In a Medium article entitled “What we learned from auditing the top 20 ERC20 token contracts,” Daniel Que of CryptoFin discusses some of the potential issues of popular Ethereum tokens after a review of twenty leading tokens’ contract codes.
Based on the open-source ERC20 standard, such tokens are deployed on the Ethereum network as “smart contracts” for a variety of current and planned applications, from Ethereum-based cryptocurrencies to dividend payments to shares or voting rights in “decentralized autonomous organizations” (DAOs). ERC20 tokens are most famous—or perhaps infamous—for their use in lucrative ICOs (“initial coin offerings”), which have increasingly become a way to fund blockchain-related ventures, from potentially revolutionary new dapp (“decentralized app,” in blockchain parlance) platforms to outright scams, by raising capital and/or distributing tokens.
With most Ethereum projects in the nascent stages of development, most tokens have little present utility in and of themselves but have generated a vast speculative economy of ICO investment and token trading. According to independent tracking sites such as tokendata.io and etherscan, thousands of ERC20 token contracts are currently deployed on the Ethereum network, with some larger projects’ tokens maintaining market caps in the millions and even billions of dollars in value.
Que’s Bskt dapp was designed to operate as a sort of token ETF, enabling users to deposit popular ERC20 tokens in exchange for a single token (or “share,” in keeping with the ETF comparison) that can itself be traded or redeemed for its constituent tokens. According to Que, “a single issue in a deeply nested dependency can break the functionality of the entire client contract,” so it is imperative to double-check the stability of each ERC20 token’s code to ensure that a small vulnerability in one could not affect Bskt’s functionality.
While “auditing” the top twenty ERC20 tokens for compatibility with Bskt (including EOS, Tron, VeChain, Icon, Populous, OmiseGO, Binance Coin, DigixDAO, 0x, Augur, Waltonchain, Bytom, Status, IOStoken, Zilliqa, Kyber Network, Basic Attention Token, Aelf, Qash, AdEx and Maker), the team discovered issues of concern in some of these tokens’ contracts.
According to the article, the top vulnerability discovered is that “nearly half of the top 20 projects can have their token transfers completely frozen by an owner,” a worrisome prospect antithetical to the spirit of decentralization that is meant to ensure the freedom and flexibility of development on the Ethereum network. It is also a large risk for users: if a centralized authority can “pause” a dapp’s or token’s operations at any time, malicious actors can profit by doing the same should they gain control of the contract.
According to the article, these tokens include EOS, Tron, Icon, OmiseGo, Augur, Status, Aelf, Qash and Maker.
Additionally, the Bskt audit found that one token (Icon) did not publish its source code, and that some do not fully comply with the ERC20 standard (including, notably, Golem, which falls short of the standard to the degree required for it to be usable by Bskt). A small host of other issues were discovered in the Bskt review, which concludes with the following recommendation for dapp developers:
For experienced software engineers new to Solidity, we encourage a different mindset more akin to a hardware engineer (where failure is costly and reprogramming is hard). This mindset requires you to understand all dependencies in-depth, as well as their interaction effects.
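The two findings above, owner-controlled transfer freezes and incomplete ERC20 interfaces, can both be screened for mechanically before a dapp takes a token as a dependency. The following is an added example, not code from CryptoFin or the Bskt project: it inspects a contract ABI for the required ERC20 functions and events and flags function names that suggest a privileged pause or freeze switch. The ABI, the name-fragment heuristic and the function names are all assumptions constructed for the example.

```python
"""Added example (not from the CryptoFin/Bskt audit): screen an ERC20
contract's ABI for (a) missing ERC20 interface members and (b) owner-style
freeze/pause controls. The ABI below is a constructed sample, not any real
token's ABI; the name fragments are a heuristic that cannot replace a manual
source review."""
import json

# Functions and events every ERC20 token must expose.
ERC20_FUNCTIONS = {"totalSupply", "balanceOf", "transfer", "transferFrom",
                   "approve", "allowance"}
ERC20_EVENTS = {"Transfer", "Approval"}

# Function-name fragments that commonly indicate a kill switch over transfers
# (assumed heuristic; match is case-insensitive).
FREEZE_HINTS = ("pause", "freeze", "halt", "stop", "enabletransfer")


def audit_abi(abi):
    """Return a report: missing ERC20 members and suspected freeze controls."""
    functions = {e["name"] for e in abi if e.get("type") == "function"}
    events = {e["name"] for e in abi if e.get("type") == "event"}
    freeze = sorted(f for f in functions
                    if any(hint in f.lower() for hint in FREEZE_HINTS))
    return {
        "missing_functions": sorted(ERC20_FUNCTIONS - functions),
        "missing_events": sorted(ERC20_EVENTS - events),
        "freeze_controls": freeze,
        "erc20_compliant": ERC20_FUNCTIONS <= functions and ERC20_EVENTS <= events,
    }


# Constructed sample ABI: a pausable token that also omits allowance().
SAMPLE_ABI = json.loads("""[
 {"type":"function","name":"totalSupply","inputs":[],"outputs":[{"type":"uint256"}]},
 {"type":"function","name":"balanceOf","inputs":[{"type":"address"}],"outputs":[{"type":"uint256"}]},
 {"type":"function","name":"transfer","inputs":[{"type":"address"},{"type":"uint256"}],"outputs":[{"type":"bool"}]},
 {"type":"function","name":"transferFrom","inputs":[{"type":"address"},{"type":"address"},{"type":"uint256"}],"outputs":[{"type":"bool"}]},
 {"type":"function","name":"approve","inputs":[{"type":"address"},{"type":"uint256"}],"outputs":[{"type":"bool"}]},
 {"type":"function","name":"pause","inputs":[],"outputs":[]},
 {"type":"function","name":"unpause","inputs":[],"outputs":[]},
 {"type":"function","name":"owner","inputs":[],"outputs":[{"type":"address"}]},
 {"type":"event","name":"Transfer","inputs":[]},
 {"type":"event","name":"Approval","inputs":[]}
]""")

if __name__ == "__main__":
    # Prints the report for the sample: allowance() missing, pause/unpause flagged.
    print(json.dumps(audit_abi(SAMPLE_ABI), indent=2))
```

A flagged freeze control is a prompt to read the contract source and confirm who can call it and under what conditions, not a verdict on its own.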