Callisto Network Security Department is a security auditing organization that has performed more than 300 smart contract security audits since 2018. Not even a single contract we have approved as “secure” has been hacked afterwards.
From a security point of view, ERC-20 is a poor solution, and we recommend deprecating this standard and using newer ones for creating tokens on the Ethereum blockchain.
I. ERC-20 contains a well-known design shortcoming (lack of transaction handling) which is a critical security flaw.
Standardized critical severity security flaw is not acceptable for a standard of digital assets that should focus on the safety of users’ funds.
ERC-20 transfer function is non-handleable. It can result in permanent loss of funds for end users. According to OpenZeppelin bug bounty criteria, this is a critical severity security flaw.
II. ERC-20 has three interpretations.
ERC-20 specification is not strict enough. There are currently three types of tokens that pretend to be ERC-20 but behave differently:
- Tokens that return true on successful transfer or transferFrom function execution but revert a transaction on failure. (Example: UNI token)
- Tokens that return true on successful transfer or transferFrom function execution otherwise return false and never revert a transaction (Example: DAO token)
- Tokens that do not return anything and revert a transaction on failure. (Example: USDT, BNB tokens)
Technically, USDT and BNB are incompatible with the ERC-20 standard as the standard declares that transfer function must have a boolean return value.
III. approve & transferFrom is a pull transacting method. Pull transacting is not suitable for trustless systems.
Authorizing a contract to manage tokens on token holders’ behalf introduces security risks for the token holder. Authorizing a contract to spend any amount of funds (i.e., issuing an unlimited approval) is a pattern that must be avoided.
Read more about the applicability of push transaction vs pull transaction here.
Note for security auditors.
We encourage security auditing organizations and individual security auditors to highlight the known vulnerabilities of the ERC-20 standard in their security reports.
That’s how it is done in our reports. It is not legitimate to state that a contract is “secure” if it utilizes ERC-20 tokens without applying additional security restrictions. Such contracts are definitely not safe because end users will lose their funds.
[/bsf-info-box]
About Callisto Network
Founded by Dexaran, co-founder of Ethereum Classic, Callisto Network is a blockchain platform that prioritizes security. We’ve conducted over 330 smart contract audits across platforms like Ethereum, Ethereum Classic, and EOS. In addition to our audits, we’ve developed the ERC 223 token standard and CallistoNFT standard, enhancements over existing standards that address flaws and offer new capabilities, further establishing us as industry leaders in crypto-security.