ERC20 Standard Main Issue
The lack of transaction handling mechanism is the main issue of ERC20 token standard.
Event handling is a standard practice in programming. It’s obvious that token transactions should be considered as an event and that it should be possible to handle the transaction events. The ERC20 token standard does not provide this mechanism at all, which leads to issues.
Another problem with ERC20 tokens standard is that there are two different ways to deposit ERC20 tokens:
- approve + transferFrom
With ERC20 tokens, it is not possible to execute a transaction that will be recognized by the recipient’s contract. If a user wants to transfer tokens to any contract, then he must approve this contract to withdraw the tokens from his wallet, and then call a contract that will call transferFrom to withdraw the tokens.
If the user call transfer function to deposit tokens to a contract then the recipient contract will not recognize the transaction. It is impossible to handle incoming transactions of ERC20 tokens for any contracts. Therefore, it is not possible to reject transactions that should be rejected.
Since the function for transferring tokens without handling by the recipient remains, it is possible that someone will use this function and lose tokens. These tokens would get stuck inside any contracts as the transaction was not recognized by the recipient (contract).
Alice has 10 ERC20 tokens and she wants to send 3 tokens to Bob.
An ordinary user may think that Alice has some tokens “on her account balance”, but the balance of the token is just a variable inside the token contract.
Alice initiates a transaction. Actually, every token transaction is a call to the token contract.
Alice asks the token contract to reduce her balance by 3 and to increase Bob’s balance by 3 at the same time.
Once the transaction has been mined, the internal variables of the ERC20 token contract will be modified. The recipient (Bob in this case) will not be informed that the transaction occurs!
This is fine for externally owned accounts (accounts owned by humans). Alice can tell Bob that she sent him tokens. Bob can check his balance and see that it has increased.
This is a critical issue for contracts and it is resulting in lost tokens. Contracts that are not designed to work with a token must reject incoming token transactions. Otherwise, each contract becomes a potential token trap due to the inability to reject improper token transfers.
Trust the Blockchain, Audit the Smart Contracts.
Follow Callisto’s Security Department on Twitter to get our latest news and updates!