Last week Ihodl.com told about tokens that are used by startups to conduct their ICOs and found out that the most frequently used token is the ERC-20 due to its simplicity and versatility. But more and more experts talk of its imperfections and mistakes. So today we are clearing up what’s wrong with ERC-20 token.
ERC-20 is the first and most widely accepted standard of tokens produced on the ethereum blockchain. This standard was first introduced back in 2015 and translates as: Ethereum Request for Comments.
ERC-20 standard code provides 6 functions:
- totalSupply function determines the total number of tokens;
- balance0f shows the balance of the account specified by the address_owner parameter, where _owner is the address;
- transfer implements the transfer of tokens from the primary address to the address of an individual user;
- transferFrom is used to transfer tokens from one user to another;
- approve checks whether the tokens remain in the smart contract and provides a withdrawal of funds from the account up to the maximum allowable amount, which is specified as a parameter of the function;
- allowance guarantees that there are enough tokens at the sender's wallet to transfer them to the recipient.
Also ERC-20 provides for two types of events:
- transfer - transfer event of tokens between accounts;
- approval - the event that becomes active upon the successful execution of the approve function.
These functions and events show how ERC-20 tokens are being sent between addresses and how their holders can get information about their tokens. They also serve as a guarantee that new tokens will fully function on the ethereum platform.
After the emergence of this token, the ICO market has grown very quickly as ERC-20 contains a list of specifications and rules that future tokens must comply with. This standard greatly facilitated the work of developers who previously had to develop standards for the compatibility of tokens with blockchain, wallets, exchanges and DApps.
But what happened to the token?
The ERC-20 standard is the first standard and as it turned out, not quite perfect. Back in 2017, news began to appear about funds getting lost during transactions. In February 2018, the developer with nickname Dexaran described the bug affecting ERC-20 and warned users on Github.
According to the developer the key problem was connected to the smart contracts. A transaction is considered as completed when a successful transfer of funds occurs. If an error occurs, the transfer of funds must be rejected. In case of ERC-20 tokens, a smart contract that doesn’t support this standard, the system doesn’t reject or accept the transaction and as a result tokens become frozen or lost.
It occurs in the moment when it’s necessary to use one of two functions for a transaction. The first is the transfer, which allows to send tokens to a specific address. The second one is used to make a deposit into a smart contract, for which it’s necessary to use the combination of functions approve and transferFrom. By using the approve function, the user gives permission to the smart contract to withdraw the funds, which is carried out by using the transferFrom function.
In cases when a user makes a deposit in a smart contract using the transfer function, the transaction will be considered as successful and the network will recognize it, but the smart contract itself won’t recognize this transaction and won’t count it. Because of this bug, ethereum’s ecosystem has already lost millions of dollars.
Domino Effect
Ethereum platform has had to deal with the security problems of its tokens before. Just remember the infamous hacking of the DAO project in 2016. To eliminate its consequences and return funds to the network a hardfork was carried out and as a result of which a new chain continued to exist under the name of ethereum and those opposing the decision retained the old chain, in so creating ethereum classic.
In April 2018, some crypto exchanges suspended the placement and withdrawal of ERC-20 tokens due to the batchOverflow bug.
OKEx crypto exchange suspended all deposits of ERC-20 tokens due to the batchOverflow bug.
We have completed the security check of all ERC-20 smart contracts, and all tokens are safe from the “BatchOverFlow” bug. We will resume the deposits of ERC-20 tokens gradually.
— OKEx (@OKEx_) May 1, 2018
Big thanks to @SlowMist_Team for their professional technical support! pic.twitter.com/cIIsNwbxoh
Using this bug hackers can assign a large number of tokens. As it was described by OKEx “by using an error attackers can generate a very large number of tokens and place them in ordinary addresses. This makes many of ERC-20 tokens vulnerable to price manipulations”.
Following OKEx, Poloniex has made a similar decision regarding all ERC-20 tokens.
We've temporarily suspended ERC-20 token deposits and withdrawals while we review all smart contracts for exposure to the reported batchOverflow bug. We take any reports of vulnerabilities very seriously to ensure that customer funds remain safe. Thank you for your patience!
— Poloniex Exchange (@Poloniex) April 25, 2018
HitBTC exchange initiated an internal audit, which took deposits and transmitted them into offline.
Due to a potential issue detected in ERC20 smart contracts, we initiated an internal inspection. All deposits and transfers on ERC20 tokens will be getting online in accordance with the results of the inspection. Please refer to the System Health page for online status.
— HitBTC (@hitbtc) April 25, 2018
So What Now?
ERC-20 tokens are actually efficient and easy-to-use smart contracts, but they have their own bugs and vulnerabilities that can lead to loss of funds. The ERC-20 protocol isn’t always sufficient for the goals that are pursued when tokens are created, and it doesn’t guarantee that the token will be useful, valuable or functional.
Additionally, one of the drawbacks of the ERC-20 standard is that it allows for the creation of tokens in a rather trivial matter which facilitates ICO’s to startup quickly. This leads to the abundance of similar tokens, significantly complicating lives for the investors. But despite all the fears, news and warnings, the number of ICOs that use ERC-20 is still growing, which suggests that it’s more important for startups to collect their money than to ensure the safety of their assets.
