B012: Security Tidbits v3

Approval Nightmare

A well-known issue with integrating EIP-20 tokens in complex DeFi systems is the way the EIP-20 standard operates. As there is no single transfer-and-call action (although it exists as an ERC-677), users must either pre-approve a contract for a particular expenditure or code their own custom ways the token interacts with their ecosystem.

Example of Race Condition Exploit

EIP-20 Transfer Validation

The EIP-20 standard denotes that the smart contract implementations of the standard must return a bool variable indicating whether the execution of a transfer or transferFrom invocation has succeeded. This particular trait was introduced to allow smart contracts to code graceful error handling rather than completely halt execution.

Conclusion

Sometimes, over-engineered solutions to either protect or enhance the usability of software can cause inconsistency in the final products that are developed around the standard, even more so in an open ecosystem such as Ethereum.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store