Tutorial 44: Weird ERC20 Tokens
In this section, we explore various minimal examples of ERC20 tokens with behaviors that can be surprising or non-standard. These examples are inspired by real-world tokens, many of which have been used to exploit vulnerabilities in smart contract systems. By studying these cases, developers and auditors can better understand the potential risks and challenges when interacting with ERC20 tokens.
The ERC20 standard itself is loosely defined and, in practice, functions more as an interface declaration. Even the few requirements it imposes are frequently disregarded by token developers, leading to inconsistent implementations.
As a result, creating smart contracts that directly interact with ERC20 tokens can be quite challenging. To mitigate these risks, developers should adopt the following strategies when dealing with external tokens:
Implement an allowlist at the contract level to restrict interactions to trusted tokens.
Use dedicated wrapper contracts for token interactions at the boundaries of your system. This approach ensures that the core logic assumes consistent and reliable behavior from external tokens.
However, in some situations, such as decentralized AMMs, an on-chain allowlist may not be practical, because maintaining one would introduce centralization or require complex governance mechanisms. In such cases, developers must proceed with extra caution and adopt defensive strategies. Although an on-chain allowlist might not be feasible, an off-chain allowlist within the official user interface can still help safeguard users from unexpected token behavior while preserving the permissionless nature of the system.
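The two strategies above, a contract-level allowlist and a boundary wrapper that normalises token behaviour, can be combined in one gateway contract. The following is an added example written for this section, not code from the tutorial; the contract name `TokenGateway`, its functions and its storage layout are assumptions. It credits only the amount that actually arrived (so fee-on-transfer tokens cannot over-credit), tolerates tokens whose `transferFrom` returns no value, and guards the balance-difference accounting against reentrancy:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal read-only interface; transfers go through a low-level call below
/// so that tokens returning nothing (instead of bool) are handled.
interface IERC20View {
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical boundary wrapper (example, not the tutorial's code):
/// core logic behind it only ever sees credited amounts, never raw tokens.
contract TokenGateway {
    address public immutable owner;
    mapping(address => bool) public allowed;
    // credited balance per (token, depositor), in units actually received
    mapping(address => mapping(address => uint256)) public deposits;
    bool private locked;

    event Deposited(address indexed token, address indexed from, uint256 requested, uint256 received);

    error NotOwner();
    error TokenNotAllowed(address token);
    error TransferFailed(address token);
    error Reentrancy();

    constructor() {
        owner = msg.sender;
    }

    // Balance-difference accounting is only safe if a token callback
    // (e.g. an ERC777-style hook) cannot re-enter deposit() mid-transfer.
    modifier nonReentrant() {
        if (locked) revert Reentrancy();
        locked = true;
        _;
        locked = false;
    }

    /// Contract-level allowlist: only tokens reviewed by the owner are accepted.
    function setAllowed(address token, bool ok) external {
        if (msg.sender != owner) revert NotOwner();
        allowed[token] = ok;
    }

    /// Pulls `amount` from the caller and credits what actually arrived.
    function deposit(address token, uint256 amount) external nonReentrant returns (uint256 received) {
        if (!allowed[token]) revert TokenNotAllowed(token);
        uint256 before = IERC20View(token).balanceOf(address(this));
        _safeTransferFrom(token, msg.sender, address(this), amount);
        received = IERC20View(token).balanceOf(address(this)) - before;
        deposits[token][msg.sender] += received;
        emit Deposited(token, msg.sender, amount, received);
    }

    /// Accepts both "returns (bool)" and "returns nothing" transferFrom variants.
    /// Reverts if the call reverts, returns false, or the target has no code
    /// (a call to an empty address would otherwise "succeed" with no data).
    function _safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        if (token.code.length == 0) revert TransferFailed(token);
        (bool ok, bytes memory data) = token.call(
            // selector of transferFrom(address,address,uint256)
            abi.encodeWithSelector(0x23b872dd, from, to, amount)
        );
        if (!ok || (data.length != 0 && !abi.decode(data, (bool)))) {
            revert TransferFailed(token);
        }
    }
}
```

The important design choice is that nothing downstream of `deposit` trusts the `amount` argument: the credited value is always the observed balance delta, and the reentrancy lock is what makes that delta trustworthy. Tokens that rebase, have multiple entry points, or revert on zero-value transfers still need individual review before being added to the allowlist.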
If you are designing a new token, it's strongly advised to avoid the problematic behaviors highlighted in this section to ensure smooth interactions with other smart contracts and prevent vulnerabilities.